
Spring Boot HashiCorp Vault Reload SSL Certificates Example

1. Overview

In modern microservices architectures, managing SSL certificates securely and efficiently is critical. This guide explains how to set up Spring Boot with HashiCorp Vault so that SSL certificates are reloaded on rotation, letting you manage and rotate TLS certificates securely without restarting the application. By integrating Spring Boot with HashiCorp Vault and reloading SSL certificates in place, you can automate certificate renewal, strengthen security, and avoid application downtime.

Fig.1. Reload SSL Certificates From HashiCorp Vault for Spring Boot

2. Key Concepts of Spring Boot HashiCorp Vault Reload SSL Certificates Workflow

Before diving into implementation, here are some fundamental concepts:

  • Spring Boot: A Java-based framework used to create microservices with minimal configuration.
  • HashiCorp Vault: A tool for securely accessing secrets, such as certificates, API keys, and credentials.
  • Vault Agent: A helper process that authenticates with Vault and can render secrets to disk.
  • SSL Certificate Reloading: The process of refreshing an application’s in-memory certificates without requiring a restart.

By combining these tools, you can automate the reload of SSL certificates from HashiCorp Vault for Spring Boot services.

3. Configuring Vault Server

To begin, you need a Vault server with the PKI secrets engine enabled and a role that is allowed to issue certificates.

vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki

vault write pki/root/generate/internal \
    common_name="example.com" \
    ttl=87600h

vault write pki/config/urls \
    issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
    crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

vault write pki/roles/spring-app \
    allowed_domains="example.com" \
    allow_subdomains=true \
    max_ttl="72h"

Ensure that the identity your Spring Boot service authenticates with (a token or an AppRole) is bound to a policy that permits issuing certificates from this role.

4. Configure Vault Agent

The Vault Agent will authenticate, retrieve the certificate, and render it to disk for Spring Boot.

Here’s an example of a Vault Agent configuration file (vault-agent.hcl):

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path = "/etc/vault/role_id"
      secret_id_file_path = "/etc/vault/secret_id"
    }
  }

  sink "file" {
    config = {
      path = "/etc/vault/token"
    }
  }
}

template {
  source      = "/etc/vault/templates/cert.tpl"
  destination = "/etc/ssl/certs/spring-app.pem"
  # the rendered file contains the private key; make it readable by the app user only
  perms       = 0600
  command     = "kill -HUP $(pidof java)"
}

Example cert.tpl template:

{{ with secret "pki/issue/spring-app" "common_name=app.example.com" }}
{{ .Data.certificate }}
{{ .Data.private_key }}
{{ end }}

The command option signals your Spring Boot app to reload the certificate after each render. Note that a JVM with no handler of its own treats SIGHUP as a shutdown request, so the application has to register a SIGHUP handler (see section 5) for this signal to trigger a reload rather than a restart.

5. Configure the Spring Boot App

To complete the setup, configure your Spring Boot application to use the certificates provided by Vault Agent and support dynamic reloading.

Application Properties

server:
  ssl:
    key-store: classpath:keystore.p12
    key-store-password: changeit
    key-store-type: PKCS12

Rather than a keystore on the classpath, point this configuration at the certificate file that Vault Agent renders on disk, or configure the Tomcat connector to use that file directly.

Enabling Dynamic Reloading

You can configure a scheduled task or use an external signal to reload the SSL context. A popular library like TomcatReloadableSsl can be used, or custom code such as:

@Bean
public TomcatServletWebServerFactory servletContainer() {
    return new TomcatServletWebServerFactory() {
        @Override
        protected void customizeConnector(Connector connector) {
            super.customizeConnector(connector); // keep Spring Boot's port and protocol settings
            connector.setScheme("https");
            connector.setSecure(true);
            connector.setProperty("SSLEnabled", "true");
            // Tomcat 9+/10 configures TLS through SSLHostConfig; the legacy keystoreFile/keystorePass
            // connector attributes are gone. Use the PEM rendered by Vault Agent (certificate + key).
            SSLHostConfig sslHostConfig = new SSLHostConfig();
            SSLHostConfigCertificate cert = new SSLHostConfigCertificate(
                    sslHostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
            cert.setCertificateFile("/etc/ssl/certs/spring-app.pem");
            cert.setCertificateKeyFile("/etc/ssl/certs/spring-app.pem");
            sslHostConfig.addCertificate(cert);
            connector.addSslHostConfig(sslHostConfig);
        }
    };
}

Triggering a reload of the SSL context from a signal handler or a file watcher (for example on the kill -HUP sent by the Vault Agent template command) lets your app pick up the new certificate without restarting.

This is the core of how to reload SSL certificates from HashiCorp Vault for Spring Boot applications dynamically.
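The following component is an added example, not code from the original article, showing both reload triggers named above in one place: a SIGHUP handler for the signal that the Vault Agent template command sends, and a WatchService on the certificate directory for agents that run elsewhere and cannot signal the process. It assumes Spring Boot 3 on embedded Tomcat 10, a JDK 17 runtime that exposes sun.misc.Signal, and the PEM path rendered by the template in section 4; the class and method names (TlsReloader, validate, reload) are mine. Before asking Tomcat to reload, it parses the rendered PEM and checks the validity window, so a half-written or expired render is rejected and the previous certificate stays in service.

```java
import java.io.*;
import java.nio.file.*;
import java.security.cert.*;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.springframework.boot.web.context.WebServerApplicationContext;
import org.springframework.boot.web.embedded.tomcat.TomcatWebServer;
import org.springframework.context.SmartLifecycle;
import org.springframework.stereotype.Component;
import sun.misc.Signal;

// Added example (not from the article): reloads Tomcat's TLS material when Vault Agent re-renders
// the certificate file. Two triggers: the SIGHUP sent by the agent template's `command`, and a
// WatchService on the directory for agents that cannot signal this process.
@Component
public class TlsReloader implements SmartLifecycle {

    // Path rendered by the Vault Agent template in section 4 (assumed to hold cert + key).
    static final Path CERT_FILE = Path.of("/etc/ssl/certs/spring-app.pem");

    private final WebServerApplicationContext context;
    private volatile boolean running;
    private Thread watcher;

    public TlsReloader(WebServerApplicationContext context) {
        this.context = context;
    }

    // Parse the leading certificate of the rendered PEM and check its validity window. Returns null
    // when the file is missing, half-written or expired, so the caller keeps the previous cert.
    static X509Certificate validate(Path pemFile) {
        try (InputStream in = Files.newInputStream(pemFile)) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            cert.checkValidity();
            return cert;
        } catch (IOException | CertificateException e) {
            System.err.println("Rejecting rendered certificate at " + pemFile + ": " + e);
            return null;
        }
    }

    // Ask every TLS-enabled Tomcat connector to re-read its certificate and key from disk.
    public boolean reload() {
        X509Certificate cert = validate(CERT_FILE);
        if (cert == null) return false;
        TomcatWebServer server = (TomcatWebServer) context.getWebServer();
        for (Connector connector : server.getTomcat().getService().findConnectors()) {
            if (connector.getProtocolHandler() instanceof AbstractHttp11Protocol<?> http
                    && http.isSSLEnabled()) {
                // New handshakes use the new key pair; established connections are left alone.
                http.reloadSslHostConfigs();
            }
        }
        return true;
    }

    @Override
    public void start() {
        running = true;
        // Without its own handler the JVM treats SIGHUP as a shutdown request, so register one
        // before the first rotation turns `kill -HUP` into a restart.
        Signal.handle(new Signal("HUP"), sig -> reload());
        watcher = new Thread(this::watchCertDir, "tls-cert-watcher");
        watcher.setDaemon(true);
        watcher.start();
    }

    private void watchCertDir() {
        try (WatchService ws = FileSystems.getDefault().newWatchService()) {
            // The agent's template engine writes a temp file and renames it over the destination,
            // so CREATE has to be watched as well as MODIFY.
            CERT_FILE.getParent().register(ws,
                    StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_MODIFY);
            while (running) {
                WatchKey key = ws.take();
                for (WatchEvent<?> event : key.pollEvents()) {
                    if (CERT_FILE.getFileName().equals(event.context())) {
                        reload();
                    }
                }
                key.reset();
            }
        } catch (IOException e) {
            System.err.println("Certificate watcher stopped: " + e);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    @Override public void stop() { running = false; if (watcher != null) watcher.interrupt(); }

    @Override public boolean isRunning() { return running; }
}
```

A reload that fires twice (once from the signal, once from the watcher) is harmless, since each call simply re-reads the same file. On Spring Boot 3.2 or later the file-watch half of this can be replaced by the built-in SSL bundle support (spring.ssl.bundle.pem.<name>.reload-on-update=true together with server.ssl.bundle=<name>), which watches the PEM files and reloads the connector for you; the pre-reload validation above is still worth keeping in front of whichever trigger you use.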

6. Conclusion

Integrating Spring Boot with HashiCorp Vault to reload SSL certificates lets you manage and rotate TLS certificates securely without application restarts: secrets are handled securely, downtime is reduced, and certificate rotation is streamlined. By combining Vault's robust secret management with Spring Boot's flexibility, you can build resilient, production-ready systems.

Using the Vault Agent to render and rotate certificates, alongside reloading logic within the Spring Boot app, ensures your infrastructure remains secure and maintainable.

Ashraf Sarhan

With over 8 years of experience in the field, I have developed and maintained large-scale distributed applications for various domains, including library, audio books, and quant trading. I am passionate about OpenSource, CNCF/DevOps, Microservices, and BigData, and I constantly seek to learn new technologies and tools. I hold two Oracle certifications in Java programming and business component development.