Automatically use new TLS certificate if it is updated on the file system ("hot-reload")
The question
Is it possible to force recreation of the SSL context? The background of my question is that I have a service running that uses server security with client authentication. When the server certificate expires, it automatically gets replaced but clients still see the old certificate. So, is there any way to either force recreation of the SSL context or set a maximum "lifetime" of the context? I didn't find anything about that in the grpc-spring or netty docs, but I'm sure I'm missing something.
The application's environment
Spring-boot service running on k8s.
Which versions do you use?
Spring (boot): 3.2.5
grpc-java: 1.60.0
grpc-spring-boot-starter: 3.1.0-RELEASE
java: version + architecture (64bit?) java 17, amd64
Thanks for pointing me to the grpc-java projects! Indeed, hot certificate reload is supported there with the classes AdvancedTlsX509KeyManager and AdvancedTlsX509TrustManager. I got it working with grpc-spring when I override ShadedNettyGrpcServerFactory's configureSecurity method and set instances of these classes as keyStore and trustStore of the SslContextBuilder. Then, whenever I detect a certificate change, I call the AdvancedTlsX509KeyManager's (or AdvancedTlsX509TrustManager's) update method and the updated certificate is used without a server restart.
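An added example, not code from this thread or from the grpc-spring project: the same two grpc-java classes wired into a plain grpc-java server through TlsServerCredentials, using their built-in file polling instead of the grpc-spring configureSecurity override and manual change detection described above. The file paths, port and one-minute interval are assumptions, and the method names and parameter order are assumed to match the grpc-java 1.60 line named in the issue; both classes are marked experimental, so verify them against the version in use.

```java
import io.grpc.Grpc;
import io.grpc.Server;
import io.grpc.ServerCredentials;
import io.grpc.TlsServerCredentials;
import io.grpc.util.AdvancedTlsX509KeyManager;
import io.grpc.util.AdvancedTlsX509TrustManager;
import java.io.Closeable;
import java.io.File;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public final class HotReloadTlsServer {
  public static void main(String[] args) throws Exception {
    // Assumed paths (for example a mounted Kubernetes secret); not taken from the issue.
    File keyFile = new File("/etc/tls/tls.key");
    File certFile = new File("/etc/tls/tls.crt");
    File clientCaFile = new File("/etc/tls/ca.crt");
    ScheduledExecutorService poller = Executors.newSingleThreadScheduledExecutor();

    // Holds the current key and chain; new handshakes pick up whatever was loaded last,
    // so the server does not need to be rebuilt or restarted when the files change.
    AdvancedTlsX509KeyManager keyManager = new AdvancedTlsX509KeyManager();
    // Loads once now (throws if unreadable), then checks the files for changes every minute.
    // Parameter order (key, cert) is assumed from the grpc-java 1.60 API.
    Closeable keyWatch = keyManager.updateIdentityCredentialsFromFile(
        keyFile, certFile, 1, TimeUnit.MINUTES, poller);

    // Same idea for the CA bundle used to verify client certificates.
    AdvancedTlsX509TrustManager trustManager = AdvancedTlsX509TrustManager.newBuilder().build();
    Closeable trustWatch = trustManager.updateTrustCredentialsFromFile(
        clientCaFile, 1, TimeUnit.MINUTES, poller);

    ServerCredentials creds = TlsServerCredentials.newBuilder()
        .keyManager(keyManager)
        .trustManager(trustManager)
        .clientAuth(TlsServerCredentials.ClientAuth.REQUIRE) // keep mutual TLS enforced
        .build();

    // Register services with addService(...) before build(); omitted here.
    Server server = Grpc.newServerBuilderForPort(8443, creds).build().start();
    server.awaitTermination();
    keyWatch.close();
    trustWatch.close();
    poller.shutdownNow();
  }
}
```

Connections that are already established keep the TLS session negotiated with the old certificate; only new handshakes are served the replaced one.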