How To Reload SSL certificates from HashiCorp Vault for Spring Boot


Automating SSL Certificate Management in Spring Boot with Vault Agent

Keeping SSL/TLS certificates current is a basic requirement for any HTTPS service. Spring Boot, a popular framework for Java web applications, ships an embedded web server and lets you configure the certificate it serves. Managing those certificates by hand is cumbersome, though, and the shorter their lifetime, the more often renewal has to happen without causing downtime.

This article will guide you through the process of using HashiCorp Vault and its Vault Agent to automate SSL certificate generation and configure SSL hot reloading in Spring Boot applications. This method allows your applications to update their SSL certificates seamlessly, without the need for manual intervention or application restart.

Setting Up the PKI Secrets Engine in Vault

HashiCorp Vault is a tool for securely storing and accessing secrets. One of its features is the ability to issue short-lived X.509 certificates on demand through the Public Key Infrastructure (PKI) secrets engine. A PKI mount can act as a root certificate authority (CA), or hold an intermediate CA whose certificate was signed by an existing, possibly offline, root.

To get started, set up the PKI secrets engine in Vault. The following example configures a root CA whose certificate is valid for 12 hours (on a mount whose maximum lease is 24 hours) and creates a Vault role named payments-app from which the web server's certificates are issued.

  1. Enable the PKI secrets engine:

```sh
vault secrets enable pki
```

  2. Tune the PKI secrets engine so that no lease (and therefore no certificate issued from this mount) can exceed 24 hours:

```sh
vault secrets tune -max-lease-ttl="24h" pki
```

  3. Generate a root certificate (the certs directory must already exist):

```sh
vault write -field=certificate pki/root/generate/internal \
  common_name="example.com" \
  issuer_name="root-2024" \
  ttl="12h" > certs/root_2024_ca.crt
```

  4. Configure the URLs that issued certificates embed for the issuing CA and the CRL distribution points:

```sh
vault write pki/config/urls \
  issuing_certificates="http://vault:8200/v1/pki/ca" \
  crl_distribution_points="http://vault:8200/v1/pki/crl"
```

  5. Create a role for the web server:

```sh
vault write pki/roles/payments-app allow_any_name=true
```

     allow_any_name=true is convenient for a demo, but it lets anyone who can call the role's issue endpoint request a certificate for any hostname. In production, restrict the role with allowed_domains (plus allow_subdomains or allow_bare_domains as needed).

     Next, create an intermediate CA for the web server, which issues certificates that expire every six hours.

  6. Enable a second PKI mount for the intermediate CA:

```sh
vault secrets enable -path=pki_int pki
```

  7. Tune the intermediate mount:

```sh
vault secrets tune -max-lease-ttl=12h pki_int
```

  8. Create the payments-app role on the intermediate mount:

```sh
vault write pki_int/roles/payments-app \
  issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
  allow_any_name=true \
  max_ttl="6h"
```

     Before this role can issue anything, pki_int needs a signed intermediate certificate: generate its CSR in pki_int, sign that CSR with the root in pki, and install the signed certificate in pki_int. Those commands are not shown on this page. Also make sure the identity Vault Agent authenticates as holds a policy granting the update capability on pki_int/issue/payments-app; that is the only Vault permission the agent needs for this setup.
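The complete bootstrap, as an added example that is not part of the original article or of HashiCorp's or Spring's own code: it runs the eight steps above as one script and fills in the parts the article describes but does not show, namely generating the intermediate CSR, signing it with the root and installing the signed certificate in pki_int, plus the AppRole and policy that Vault Agent authenticates with. It assumes VAULT_ADDR and VAULT_TOKEN point at a Vault you administer, that jq is installed, and that the intermediate certificate lives for 6 hours (INT_TTL, a value the article does not state). It also replaces allow_any_name=true with an allowed_domains list so the AppRole can only obtain certificates for payments.example.com and localhost, and writes the AppRole credentials to the paths the Vault Agent configuration on this page reads.

```shell
#!/bin/sh
# Added example (not from the article, Spring or HashiCorp): the PKI bootstrap
# as one script, including the intermediate CSR/sign/set-signed steps and the
# AppRole plus policy that Vault Agent needs.
# Assumptions: VAULT_ADDR and VAULT_TOKEN point at a Vault you administer,
# jq is installed, and the intermediate lives for INT_TTL (6h, not stated
# in the article).
set -eu

ROOT_TTL="12h"      # root certificate (step 3)
INT_MOUNT_TTL="12h" # pki_int max_lease_ttl (step 7)
INT_TTL="6h"        # assumed lifetime of the signed intermediate
ROLE_MAX_TTL="6h"   # pki_int role max_ttl (step 8)
LEAF_TTL="5m"       # what the Vault Agent template requests

# Convert a Vault duration such as 24h, 6h, 5m or 30s to seconds.
ttl_seconds() {
  local v=${1%[smhd]} u=${1##*[0-9]}
  case "$u" in
    ''|s) echo "$v" ;;
    m) echo $((v * 60)) ;;
    h) echo $((v * 3600)) ;;
    d) echo $((v * 86400)) ;;
    *) echo "unknown duration unit in $1" >&2; return 1 ;;
  esac
}

# A certificate cannot outlive its issuer and a role's max_ttl cannot exceed
# what its issuer allows, so lifetimes must descend from root to leaf.
# Usage: check_ttl_chain ROOT INTERMEDIATE ROLE_MAX LEAF
check_ttl_chain() {
  [ "$(ttl_seconds "$1")" -ge "$(ttl_seconds "$2")" ] &&
  [ "$(ttl_seconds "$2")" -ge "$(ttl_seconds "$3")" ] &&
  [ "$(ttl_seconds "$3")" -ge "$(ttl_seconds "$4")" ]
}

setup_pki() {
  mkdir -p certs

  # Root CA (steps 1-4).
  vault secrets enable pki
  vault secrets tune -max-lease-ttl=24h pki
  vault write -field=certificate pki/root/generate/internal \
    common_name="example.com" issuer_name="root-2024" ttl="$ROOT_TTL" > certs/root_2024_ca.crt
  vault write pki/config/urls \
    issuing_certificates="http://vault:8200/v1/pki/ca" \
    crl_distribution_points="http://vault:8200/v1/pki/crl"

  # Intermediate CA: the key never leaves Vault. Only the CSR comes out,
  # the root signs it, and the signed certificate is installed in pki_int.
  vault secrets enable -path=pki_int pki
  vault secrets tune -max-lease-ttl="$INT_MOUNT_TTL" pki_int
  vault write -format=json pki_int/intermediate/generate/internal \
    common_name="example.com Intermediate Authority" \
    | jq -r '.data.csr' > certs/pki_intermediate.csr
  vault write -format=json pki/root/sign-intermediate \
    csr=@certs/pki_intermediate.csr format=pem_bundle ttl="$INT_TTL" \
    | jq -r '.data.certificate' > certs/intermediate.cert.pem
  vault write pki_int/intermediate/set-signed certificate=@certs/intermediate.cert.pem

  # Issuing role: restrict names instead of allow_any_name=true so a holder
  # of the AppRole cannot mint a certificate for an arbitrary host.
  vault write pki_int/roles/payments-app \
    issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
    allowed_domains="example.com,localhost" \
    allow_subdomains=true allow_bare_domains=true \
    max_ttl="$ROLE_MAX_TTL"

  # Least-privilege policy for Vault Agent: it only needs to issue leaves.
  vault policy write payments-app - <<'EOF'
path "pki_int/issue/payments-app" {
  capabilities = ["update"]
}
EOF
  vault auth enable approle
  vault write auth/approle/role/payments-app \
    token_policies="payments-app" token_ttl=1h token_max_ttl=4h
  # Credentials at the paths the Vault Agent config on this page reads.
  vault read -field=role_id auth/approle/role/payments-app/role-id > /vault-agent/role-id
  vault write -f -field=secret_id auth/approle/role/payments-app/secret-id > /vault-agent/secret-id
  chmod 0400 /vault-agent/secret-id
}

# Only talk to Vault when one is configured; the helpers above work offline.
if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ] && command -v vault >/dev/null 2>&1; then
  check_ttl_chain "$ROOT_TTL" "$INT_TTL" "$ROLE_MAX_TTL" "$LEAF_TTL" \
    || { echo "TTL hierarchy root >= intermediate >= role >= leaf is violated" >&2; exit 1; }
  setup_pki
fi
```

ttl_seconds and check_ttl_chain are plain shell and can be used on their own; the script only contacts Vault when VAULT_ADDR and VAULT_TOKEN are set. The check catches a misconfiguration that otherwise surfaces late: a role max_ttl or leaf ttl that would outlive its issuer, which Vault by default refuses at issue time rather than at setup.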

Deploying Vault Agent

Spring Boot's SSL hot reload watches the certificate and key files named in an SSL bundle and reloads them when they change. Vault Agent does the other half: it fetches a certificate from Vault, writes it to those files, and replaces it before it expires.

Vault Agent authenticates to Vault with a configured auto-auth method and renders secrets to files from a template. It runs as a separate process (or sidecar) on the same host as the application, so the application itself never holds a Vault token. Here is how to set it up:

  9. Create a template file for the certificates (here /vault/templates/cert.tpl):

```hcl
{{ with pkiCert "pki_int/issue/payments-app" "common_name=payments.example.com" "alt_names=localhost" "ttl=5m" }}
{{ .Cert }}{{ .CA }}{{ .Key }}
{{ .Key | writeToFile "/vault-agent/config/certs/payments.key" "" "" "0400" }}
{{ .CA | writeToFile "/vault-agent/config/certs/ca.pem" "" "" "0644" }}
{{ .Cert | trimSpace | writeToFile "/vault-agent/config/certs/payments.crt" "" "" "0644" }}
{{ end }}
```

     Rendering .Cert, .CA and .Key into the template's destination file lets Vault Agent find the current certificate after a restart instead of issuing a fresh one every time; the writeToFile calls split the bundle into the separate files Spring Boot reads. The private key is written with mode 0400 and the certificates with 0644.

  10. Configure Vault Agent to reference the template file and set a destination to write out the certificate information:

```hcl
pid_file = "/vault-agent/pidfile"

vault {
  # Plain HTTP is acceptable only for a local demo; use https:// in production.
  address = "http://vault:8200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/vault-agent/role-id"
      secret_id_file_path = "/vault-agent/secret-id"
      # Demo setting: leaves the secret_id on disk across restarts. The
      # default (true) deletes it after the first read, which is safer.
      remove_secret_id_file_after_reading = false
    }
  }
}

template {
  source      = "/vault/templates/cert.tpl"
  destination = "/vault-agent/config/all-certs"
  # The rendered file contains the private key; do not leave it world-readable.
  perms       = "0400"
}
```

  11. Run Vault Agent with the configuration:

```sh
vault agent -config=/vault/config.hcl
```

     With this in place, Vault Agent requests a 5-minute certificate on start-up, writes the files, and requests a replacement before the current one expires, rewriting the files each time.

Configuring Spring Boot Application

The Spring Boot application reads its certificate and private key from the files Vault Agent writes. Configure them as a PEM SSL bundle in application.properties and point the embedded server at that bundle (SSL bundles with reload-on-update are available from Spring Boot 3.2).

  12. Update application.properties with the following configuration:

```properties
spring.ssl.bundle.pem.demo.reload-on-update=true
spring.ssl.bundle.pem.demo.keystore.certificate=/vault-agent/config/certs/payments.crt
spring.ssl.bundle.pem.demo.keystore.private-key=/vault-agent/config/certs/payments.key
server.ssl.bundle=demo
```

  13. Start your Spring Boot application. The logs will show that it loaded the certificate from the /vault-agent/config/certs directory. Access the application over HTTPS (the example assumes it listens on port 8081):

```sh
curl --cacert vault-agent/config/certs/ca.pem --cert vault-agent/config/certs/payments.crt --key vault-agent/config/certs/payments.key https://localhost:8081/payments
```

     --cacert makes curl trust the CA certificate Vault Agent wrote to ca.pem, which signed the server certificate. --cert and --key present a client certificate; the configuration above does not enable client authentication (server.ssl.client-auth), so they are not needed here and --cacert alone is enough.

Verifying the Certificate

You can use openssl to inspect the certificate the server presents, including its serial number and validity window:

```sh
openssl s_client -showcerts -connect localhost:8081 </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -serial -dates
```

Run this again a few minutes later: with a 5-minute TTL, the serial number and notAfter date change as soon as Vault Agent has rewritten the files and Spring Boot has picked them up. When the certificate nears expiry, Vault Agent requests a new one and rewrites the files; Spring Boot notices the changed files and reloads the bundle in place, so new TLS handshakes use the new certificate without a restart, and connections that are already established are unaffected.

Conclusion

By combining SSL hot reload in Spring Boot with certificates issued through Vault Agent, you can automate certificate management end to end. This approach removes manual renewal, eliminates restarts for certificate rotation, and keeps your web applications on short-lived, current certificates.

For more detailed examples and configurations, refer to the GitHub repository and the Spring documentation. Additionally, you can explore tutorials on reloading secrets with Spring Cloud Vault and encrypting Spring application data for further learning.

For more information, refer to this article.

Neil S
Neil is a highly qualified Technical Writer with an M.Sc(IT) degree and an impressive range of IT and Support certifications including MCSE, CCNA, ACA(Adobe Certified Associates), and PG Dip (IT). With over 10 years of hands-on experience as an IT support engineer across Windows, Mac, iOS, and Linux Server platforms, Neil possesses the expertise to create comprehensive and user-friendly documentation that simplifies complex technical concepts for a wide audience.