TLS registry reference
The TLS Registry is a Quarkus extension that centralizes TLS configuration, making it easier to manage and maintain secure connections across your application. When defining TLS configurations in a single centralized location, you can use the TLS Registry to reference these configurations from multiple components within the application, which ensures consistency and reduces the potential for configuration errors.
The TLS Registry consolidates settings and supports multiple named configurations. Therefore, you can tailor TLS settings for different application parts. This flexibility is particularly useful when different components require distinct security configurations.
The TLS Registry extension is automatically included in your project when you use compatible extensions, such as Quarkus REST, gRPC, SmallRye GraphQL Client , or Reactive Routes .
As a result, applications that use the TLS Registry can be ready to handle secure communications out of the box. TLS Registry also provides features like automatic certificate reloading, Let’s Encrypt (ACME) integration, Kubernetes Cert-Manager support, and compatibility with various keystore formats, such as PKCS12, PEM, and JKS.
1. Using the TLS registry
To configure a TLS connection, including key and truststores, use the quarkus.tls.*
properties.
These properties are required for:
-
Setting up the default TLS configuration, defined directly under
quarkus.tls.*
-
Creating separate, named configurations by using
quarkus.tls.<name>.*
. By specifying thequarkus.tls.<name>.*
properties, you can adapt the TLS settings for a specific component.
1.1. Configuring HTTPS for a HTTP server
To ensure secure client-server communication, the client is often required to verify the server’s authenticity.
-
The server must use a keystore that contains its certificate and private key
-
The client needs to be configured with a truststore to validate the server’s certificate
During the TLS handshake, the server presents its certificate, which the client then validates. This prevents man-in-the-middle attacks and secures data transmission.
The following sections guide you through setting up HTTPS by using PEM or PKCS12 keystore types. In addition, they provide information on how to use named configurations to specify and manage multiple TLS setups at once, which makes it possible for you to define distinct settings for each.
Use one of the following configuration examples based on your keystore type:
-
By using PEM files:
quarkus.tls.key-store.pem.0.cert=server.crt quarkus.tls.key-store.pem.0.key=server.key quarkus.http.insecure-requests=disabled # Reject HTTP requests
-
By using a
p12
(PKCS12) keystore:quarkus.tls.key-store.p12.path=server-keystore.p12 quarkus.tls.key-store.p12.password=secret quarkus.http.insecure-requests=disabled # Reject HTTP requests
-
Distinguishing multiple configurations with names:
quarkus.tls.https.key-store.p12.path=server-keystore.p12 quarkus.tls.https.key-store.p12.password=secret quarkus.http.insecure-requests=disabled quarkus.http.tls-configuration-name=https
1.2. Configuring HTTPS for a client
The following example configures a gRPC client named "hello" to use HTTPS with a truststore from the default TLS configuration:
quarkus.tls.trust-store.jks.path=grpc-client-truststore.jks
quarkus.tls.trust-store.jks.password=password
quarkus.grpc.clients.hello.plain-text=false
quarkus.grpc.clients.hello.use-quarkus-grpc-client=true
1.3. Configuring mTLS
To set up mutual TLS (mTLS) in your Quarkus application, configure the server and the client by creating and managing both a keystore and a truststore for each:
-
Server keystore: Contains the server’s certificate and private key.
-
Client keystore: Contains the client’s certificate and private key.
-
Server truststore: Stores the client’s certificate for authenticating the client.
-
Client truststore: Stores the server’s certificate for authenticating the server.
An example configuration for specifying keystores and truststores:quarkus.tls.my-server.key-store.p12.path=target/certs/grpc-keystore.p12 quarkus.tls.my-server.key-store.p12.password=password quarkus.tls.my-server.trust-store.p12.path=target/certs/grpc-server-truststore.p12 quarkus.tls.my-server.trust-store.p12.password=password quarkus.tls.my-client.trust-store.p12.path=target/certs/grpc-client-truststore.p12 quarkus.tls.my-client.trust-store.p12.password=password quarkus.tls.my-client.key-store.p12.path=target/certs/grpc-client-keystore.p12 quarkus.tls.my-client.key-store.p12.password=password quarkus.grpc.clients.hello.plain-text=false quarkus.grpc.clients.hello.tls-configuration-name=my-client quarkus.grpc.clients.hello.use-quarkus-grpc-client=true quarkus.http.ssl.client-auth=REQUIRED # Enable mTLS quarkus.http.insecure-requests=disabled quarkus.http.tls-configuration-name=my-server quarkus.grpc.server.use-separate-server=false quarkus.grpc.server.plain-text=false
This configuration enables mTLS by ensuring that both the server and client validate each other’s certificates, which provides an additional layer of security.
2. Referencing a TLS configuration
To reference an example named configuration that you created by using the quarkus.tls.<name>.*
properties as explained in Using the TLS registry
, use the tls-configuration-name
property as shown in the following examples:
# Reference the named configuration
quarkus.http.tls-configuration-name=MY_TLS_CONFIGURATION
quarkus.grpc.clients.hello.tls-configuration-name=MY_TLS_CONFIGURATION
quarkus.smallrye-graphql-client.my-client.tls-configuration-name=MY_TLS_CONFIGURATION
When using the Typesafe GraphQL client with a certificate
reloading mechanism (see Reloading certificates), it is essential to
override the bean’s scope to |
3. Configuring TLS
TLS configuration primarily involves managing keystores and truststores. The specific setup depends on the format used, such as PEM, P12, or JKS.
The following sections outline the various properties available for configuring TLS.
3.1. Key stores
Key stores are used to store private keys and the certificates. They are mainly used on the server side but can also be used on the client side when mTLS is used.
3.1.1. PEM keystores
Privacy Enhanced Mail (PEM) keystores are composed of a list of file pairs:
-
The certificate file - a
.crt
or.pem
file -
The private key file - often a
.key
file
To configure a PEM keystore:
quarkus.tls.key-store.pem.a.cert=server.crt
quarkus.tls.key-store.pem.a.key=server.key
quarkus.tls.key-store.pem.b.cert=my-second-cert.crt
quarkus.tls.key-store.pem.b.key=my-second-key.key
In most cases, you only need a single pair consisting of a certificate and a private key. Even if the certificate is part of a certificate chain, it includes only one private key that corresponds to the end-entity certificate.
When multiple pairs are configured, the selection of one of the configured pairs of certificates and private keys is based on Server Name Indication (SNI). The client sends the name of the server to which the client is attempting to connect, and the server selects the appropriate pair of certificates and private keys. To use this feature, ensure that SNI is enabled on both the client and server.
When configuring multiple key pairs or certificate pairs, the server executes the configured pairs in a lexicographical order of their names by default, as demonstrated with This setting is important when using SNI, because it uses the first specified pair as the default. |
3.1.2. PKCS12 keystores
PKCS12 keystores are single files that contain the certificate and the private key.
To configure a PKCS12 keystore:
quarkus.tls.key-store.p12.path=server-keystore.p12
quarkus.tls.key-store.p12.password=secret
.p12
files are password-protected, so you need to provide the password to open the keystore.
These files can include more than one certificate and private key. If this is the case, take either of the following actions:
-
Provide and configure the alias of the certificate and the private key you want to use:
quarkus.tls.key-store.p12.path=server-keystore.p12 quarkus.tls.key-store.p12.password=secret quarkus.tls.key-store.p12.alias=my-alias quarkus.tls.key-store.p12.alias-password=my-alias-password
-
Alternatively, use SNI to select the appropriate certificate and private key. Note that all keys must use the same password.
3.1.3. JKS keystores
JKS keystores are single files that contain the certificate and the private key for the server or client, used to authenticate and establish secure communications in TLS/SSL connections.
JKS is an old but still widely used Java-specific format. However, to work with this format, you must use specific, and nowadays also deprecated, Java tooling. Thus, its use with your Quarkus application is not recommended. Additionally, OpenShift cert-manager or Let’s Encrypt does not typically provide JKS and remains PEM-only. |
To configure a JKS keystore:
quarkus.tls.key-store.jks.path=server-keystore.jks
quarkus.tls.key-store.jks.password=secret
.jks
files are password-protected, so you need to provide the password to open the keystore.
Also, they can include more than one certificate and private key.
If this is the case:
-
Provide and configure the alias of the certificate and the private key you want to use:
quarkus.tls.key-store.jks.path=server-keystore.jks quarkus.tls.key-store.jks.password=secret quarkus.tls.key-store.jks.alias=my-alias quarkus.tls.key-store.jks.alias-password=my-alias-password
-
Alternatively, use SNI to select the appropriate certificate and private key. Note that all keys must use the same password.
3.1.4. SNI
Server Name Indication (SNI) is a TLS extension that makes it possible for a client to specify the host name to which it attempts to connect during the TLS handshake. SNI enables a server to present different TLS certificates for multiple domains on a single IP address, which facilitates secure communication for virtual hosting scenarios.
To enable SNI:
quarkus.tls.key-store.sni=true # Disabled by default
With SNI enabled, the client indicates the server name during the TLS handshake, which allows the server to select the appropriate certificate:
-
When configuring the keystore with PEM files, multiple certificate (CRT) and key files must be provided. CRT is a common file extension for X.509 certificate files, typically in PEM (Privacy-Enhanced Mail) format. These files contain the public certificate.
-
When configuring the keystore with a JKS or P12 file, the server selects the appropriate certificate based on the SNI host name provided by the client during the TLS handshake. The server matches the SNI hostname with the common name (CN) or subject alternative names (SAN) configured in the certificates stored in the keystore. All keystore and alias passwords must be identical.
3.1.5. Credential providers
You can use a credential provider instead of passing the keystore password and alias password in the configuration.
A credential provider offers a way to retrieve the keystore and alias password. Note that the credential provider is only used if the password or alias password is not set in the configuration.
To configure a credential provider:
# The name of the credential bucket in the credentials provider
quarkus.tls.key-store.credentials-provider.name=my-credentials
# The name of the bean providing the credential provider (optional, using the default credential provider if not set)
quarkus.tls.key-store.credentials-provider.bean-name=my-credentials-provider
# The key used to retrieve the keystore password, `password` by default
quarkus.tls.key-store.credentials-provider.password-key=password
# The key used to retrieve the alias password, `alias-password` by default
quarkus.tls.key-store.credentials-provider.alias-password-key=alias-password
The credential provider can only be used with PKCS12 and JKS keystores. |
3.2. Trust stores
Trust stores are used to store the certificates of the trusted parties. In regular TLS, the client uses a truststore to authenticate the server. With mutual TLS (mTLS), both the server and the client use truststores to authenticate each other.
3.2.1. PEM truststores
PEM truststores are composed of a list of .crt
or .pem
files.
Each of them contains a certificate.
To configure a PEM truststore:
quarkus.tls.trust-store.pem.certs=ca.crt,ca2.pem
3.2.2. PKCS12 truststores
PKCS12 truststores are a single file containing the certificates. You can use the alias to select the appropriate certificate when multiple certificates are included.
To configure a PKCS12 truststore:
quarkus.tls.trust-store.p12.path=client-truststore.p12
quarkus.tls.trust-store.p12.password=password
quarkus.tls.trust-store.p12.alias=my-alias
.p12
files are password-protected, so you need to provide the password to open the truststore.
However, unlike keystores, the alias does not require a password because it contains a public certificate, not a private key.
3.2.3. JKS truststores
JKS truststores are single files that contain multiple certificates. You can use the alias to select the appropriate certificate when multiple certificates are present. However, avoid using the JKS format, because it is less secure than PKCS12.
To configure a JKS truststore:
quarkus.tls.trust-store.jks.path=client-truststore.jks
quarkus.tls.trust-store.jks.password=password
quarkus.tls.trust-store.jks.alias=my-alias
.jks
files are password-protected, so you need to provide the password to open the truststore.
However, unlike keystores, the alias does not require a password because it contains a public certificate, not a private key.
3.2.4. Credential providers
Instead of passing the truststore password in the configuration, you can use a credential provider. A credential provider allows you to retrieve passwords and other credentials. Note that the credential provider is used only if the password is not set in the configuration.
To configure a credential provider:
# The name of the credential bucket in the credentials provider
quarkus.tls.trust-store.credentials-provider.name=my-credentials
# The name of the bean providing the credential provider (optional, using the default credential provider if not set)
quarkus.tls.trust-store.credentials-provider.bean-name=my-credentials-provider
# The key used to retrieve the truststore password, `password` by default
quarkus.tls.trust-store.credentials-provider.password-key=password
The credential provider can only be used with PKCS12 and JKS truststores. |
3.3. Other properties
While keystores and truststores are the most important properties, there are other properties you can use to configure TLS.
While the following examples use the default configuration, you can use the named configuration by prefixing the properties with the configuration’s name. |
3.3.1. Cipher suites
Cipher suites are a list of ciphers that you can use during the TLS handshake. You can configure an ordered list of enabled cipher suites. If not configured, a reasonable default is selected from the built-in ciphers. However, when specified, your configuration precedes the default suite defined by the SSL engine in use.
To configure the cipher suites:
quarkus.tls.cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
3.3.2. TLS protocol versions
The TLS protocol versions are the list of protocols that can be used during the TLS handshake.
Enabled TLS protocol versions are specified as an ordered list separated by commas.
The relevant configuration property is quarkus.tls.protocols
(or quarkus.tls.<name>.protocols
for named TLS configurations).
It defaults to TLSv1.3, TLSv1.2
if not configured.
The available options are TLSv1
, TLSv1.1
, TLSv1.2
, and TLSv1.3
.
For example, to only enable TLSv1.3
:
quarkus.tls.protocols=TLSv1.3
3.3.3. Handshake timeout
When a TLS connection is established, the handshake phase is the first step. During this phase, the client and server exchange information to establish the connection, which typically includes the cipher suite, the TLS protocol version, and the certification validation.
To configure the timeout for the handshake phase:
quarkus.tls.handshake-timeout=10S # Default.
3.3.4. ALPN
Application-Layer Protocol Negotiation (ALPN) is a TLS extension that allows the client and server to negotiate which protocol they will use for communication during the TLS handshake. ALPN enables more efficient communication by allowing the client to indicate its preferred application protocol to the server before establishing the TLS connection.
This helps in scenarios like HTTP/2, where multiple protocols might be available, allowing for faster protocol selection.
ALPN is enabled by default.
-
To disable it:
quarkus.tls.alpn=false
Disabling ALPN is not recommended for non-experts, as it can lead to performance degradation, protocol negotiation issues, and unexpected behavior, particularly with protocols like HTTP/2. However, disabling ALPN can be useful for diagnosing native inconsistencies or testing performance in specific edge cases where protocol negotiation causes conflicts.
3.3.5. Certificate Revocation List (CRL)
A Certificate Revocation List (CRL) is a list of certificates that the issuing Certificate Authority (CA) revoked before their scheduled expiration date. When a certificate is compromised, no longer needed, or deemed invalid, the CA adds it to the CRL to inform relying parties not to trust it anymore.
You can configure the CRL with the list of certificate files you no longer trust by using the DER or PKCS#7 (P7B) formats.
-
For the DER format, pass DER-encoded CRLs.
-
For the PKCS#7 format, pass the
SignedData
object, where the only significant field iscrls
.
To configure the CRL:
quarkus.tls.certificate-revocation-list=ca.crl, ca2.crl
3.3.6. Trusting all certificates and hostname verification
You can configure your TLS connection to trust all certificates and disable the hostname verification. Note that these are two different processes:
-
Trusting all certificates ignores the certificate validation, so all certificates are trusted. This method is useful for testing with self-signed certificates, but it should not be used in production.
-
Hostname verification is the process of verifying the server’s identity.
It is useful to prevent man-in-the-middle attacks and often defaults to HTTPS
or LDAPS
.
These two properties should not be used in production. |
To trust all certificates:
quarkus.tls.trust-all=true
To disable hostname verification:
quarkus.tls.hostname-verification-algorithm=NONE
3.4. Referencia de configuración
The following table lists the supported properties:
Propiedad de configuración fijada en tiempo de compilación - Todas las demás propiedades de configuración son anulables en tiempo de ejecución
Configuration property |
Tipo |
Por defecto |
---|---|---|
Set to Environment variable: Show more |
boolean |
|
The order of the key/cert files, based on the names in the By default, Quarkus sorts the key using a lexicographical order. This property allows you to specify the order of the key/cert files. Environment variable: Show more |
list of string |
|
Path to the key store file (P12 / PFX format). Environment variable: Show more |
path |
required |
Password of the key store. When not set, the password must be retrieved from the credential provider. Environment variable: Show more |
string |
|
Alias of the private key and certificate in the key store. Environment variable: Show more |
string |
|
Password of the alias in the key store. If not set, the password will be retrieved from the credential provider. Environment variable: Show more |
string |
|
Provider of the key store. Environment variable: Show more |
string |
|
Path to the keystore file (JKS format). Environment variable: Show more |
path |
required |
Password of the key store. When not set, the password must be retrieved from the credential provider. Environment variable: Show more |
string |
|
Alias of the private key and certificate in the key store. Environment variable: Show more |
string |
|
Password of the alias in the key store. When not set, the password may be retrieved from the credential provider. Environment variable: Show more |
string |
|
Provider of the key store. Environment variable: Show more |
string |
|
Enables Server Name Indication (SNI). Server Name Indication (SNI) is a TLS extension that allows a client to specify the hostname it is attempting to connect to during the TLS handshake. This enables a server to present different SSL certificates for multiple domains on a single IP address, facilitating secure communication for virtual hosting scenarios. With this setting enabled, the client indicate the server name during the TLS handshake, allowing the server to select the right certificate. When configuring the keystore with PEM files, multiple CRT/Key must be given. When configuring the keystore with a JKS or a P12 file, it selects one alias based on the SNI hostname. In this case, all the keystore password and alias password must be the same (configured with the Environment variable: Show more |
boolean |
|
The name of the "credential" bucket (map key → passwords) to retrieve from the A credential provider offers a way to retrieve the key store password as well as alias password. Note that the credential provider is only used if the passwords are not set in the configuration. Environment variable: Show more |
string |
|
The name of the bean providing the credential provider. The name is used to select the credential provider to use. The credential provider must be exposed as a CDI bean and with the If not set, the default credential provider is used. Environment variable: Show more |
string |
|
The key used to retrieve the key store password. If the selected credential provider does not support the key, the password is not retrieved. Otherwise, the retrieved value is used to open the key store. Environment variable: Show more |
string |
|
The key used to retrieve the key store alias password. If the selected credential provider does not contain the key, the alias password is not retrieved. Otherwise, the retrieved value is used to access the alias Environment variable: Show more |
string |
|
List of the trusted cert paths (Pem format). Environment variable: Show more |
list of path |
|
Path to the trust store file (P12 / PFX format). Environment variable: Show more |
path |
required |
Password of the trust store. If not set, the password must be retrieved from the credential provider. Environment variable: Show more |
string |
|
Alias of the trust store. Environment variable: Show more |
string |
|
Provider of the trust store. Environment variable: Show more |
string |
|
Path to the trust store file (JKS format). Environment variable: Show more |
path |
required |
Password of the trust store. If not set, the password must be retrieved from the credential provider. Environment variable: Show more |
string |
|
Alias of the key in the trust store. Environment variable: Show more |
string |
|
Provider of the trust store. Environment variable: Show more |
string |
|
The name of the "credential" bucket (map key → passwords) to retrieve from the A credential provider offers a way to retrieve the key store password as well as alias password. Note that the credential provider is only used if the passwords are not set in the configuration. Environment variable: Show more |
string |
|
The name of the bean providing the credential provider. The name is used to select the credential provider to use. The credential provider must be exposed as a CDI bean and with the If not set, the default credential provider is used. Environment variable: Show more |
string |
|
The key used to retrieve the trust store password. If the selected credential provider does not contain the configured key, the password is not retrieved. Otherwise, the retrieved value is used to open the trust store. Environment variable: Show more |
string |
|
Sets the ordered list of enabled cipher suites. If none is given, a reasonable default is selected from the built-in ciphers. When suites are set, it takes precedence over the default suite defined by the Environment variable: Show more |
list of string |
|
Sets the ordered list of enabled TLS protocols. If not set, it defaults to Note that setting an empty list, and enabling TLS is invalid. You must at least have one protocol. Also, setting this replaces the default list of protocols. Environment variable: Show more |
list of string |
|
The timeout for the TLS handshake phase. If not set, it defaults to 10 seconds. Environment variable: Show more |
|
|
Enables the Application-Layer Protocol Negotiation (ALPN). Application-Layer Protocol Negotiation is a TLS extension that allows the client and server during the TLS handshake to negotiate which protocol they will use for communication. ALPN enables more efficient communication by allowing the client to indicate its preferred application protocol to the server before the TLS connection is established. This helps in scenarios such as HTTP/2 where multiple protocols may be available, allowing for faster protocol selection. Environment variable: Show more |
boolean |
|
Sets the list of revoked certificates (paths to files). A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. When a certificate is compromised, no longer needed, or deemed invalid for any reason, the CA adds it to the CRL to inform relying parties not to trust the certificate anymore. Two formats are allowed: DER and PKCS#7 (also known as P7B). When using the DER format, you must pass DER-encoded CRLs. When using the PKCS#7 format, you must pass PKCS#7 Environment variable: Show more |
list of path |
|
If set to This is useful for testing, but should not be used in production. Environment variable: Show more |
boolean |
|
The hostname verification algorithm to use in case the server’s identity should be checked. Should be If set to If not set, the configured extension decides the default algorithm to use. For example, for HTTP, it will be "HTTPS". For TCP, it can depend on the protocol. Nevertheless, it is recommended to set it to "HTTPS" or "LDAPS". Environment variable: Show more |
string |
|
When configured, the server will reload the certificates (from the file system for example) and fires a This property configures the period to reload the certificates. IF not set, the certificates won’t be reloaded automatically. However, the application can still trigger the reload manually using the The fired event is used to notify the application that the certificates have been updated, and thus proceed with the actual switch of certificates. Environment variable: Show more |
||
The path to the key file (in PEM format). Environment variable: Show more |
path |
required |
The path to the certificate file (in PEM format). Environment variable: Show more |
path |
required |
The path to the key file (in PEM format). Environment variable: Show more |
path |
required |
The path to the certificate file (in PEM format). Environment variable: Show more |
path |
required |
The order of the key/cert files, based on the names in the By default, Quarkus sorts the key using a lexicographical order. This property allows you to specify the order of the key/cert files. Environment variable: Show more |
list of string |
|
Path to the key store file (P12 / PFX format). Environment variable: Show more |
path |
required |
Password of the key store. When not set, the password must be retrieved from the credential provider. Environment variable: Show more |
string |
|
Alias of the private key and certificate in the key store. Environment variable: Show more |
string |
|
Password of the alias in the key store. If not set, the password will be retrieved from the credential provider. Environment variable: Show more |
string |
|
Provider of the key store. Environment variable: Show more |
string |
|
Path to the keystore file (JKS format). Environment variable: Show more |
path |
required |
Password of the key store. When not set, the password must be retrieved from the credential provider. Environment variable: Show more |
string |
|
Alias of the private key and certificate in the key store. Environment variable: Show more |
string |
|
Password of the alias in the key store. When not set, the password may be retrieved from the credential provider. Environment variable: Show more |
string |
|
Provider of the key store. Environment variable: Show more |
string |
|
Enables Server Name Indication (SNI). Server Name Indication (SNI) is a TLS extension that allows a client to specify the hostname it is attempting to connect to during the TLS handshake. This enables a server to present different SSL certificates for multiple domains on a single IP address, facilitating secure communication for virtual hosting scenarios. With this setting enabled, the client indicate the server name during the TLS handshake, allowing the server to select the right certificate. When configuring the keystore with PEM files, multiple CRT/Key must be given. When configuring the keystore with a JKS or a P12 file, it selects one alias based on the SNI hostname. In this case, all the keystore password and alias password must be the same (configured with the Environment variable: Show more |
boolean |
|
The name of the "credential" bucket (map key → passwords) to retrieve from the A credential provider offers a way to retrieve the key store password as well as alias password. Note that the credential provider is only used if the passwords are not set in the configuration. Environment variable: Show more |
string |
|
The name of the bean providing the credential provider. The name is used to select the credential provider to use. The credential provider must be exposed as a CDI bean and with the If not set, the default credential provider is used. Environment variable: Show more |
string |
|
The key used to retrieve the key store password. If the selected credential provider does not support the key, the password is not retrieved. Otherwise, the retrieved value is used to open the key store. Environment variable: Show more |
string |
|
The key used to retrieve the key store alias password. If the selected credential provider does not contain the key, the alias password is not retrieved. Otherwise, the retrieved value is used to access the alias Environment variable: Show more |
string |
|
List of the trusted cert paths (Pem format). Environment variable: Show more |
list of path |
|
Path to the trust store file (P12 / PFX format). Environment variable: Show more |
path |
required |
Password of the trust store. If not set, the password must be retrieved from the credential provider. Environment variable: Show more |
string |
|
Alias of the trust store. Environment variable: Show more |
string |
|
Provider of the trust store. Environment variable: Show more |
string |
|
Path to the trust store file (JKS format). Environment variable: Show more |
path |
required |
Password of the trust store. If not set, the password must be retrieved from the credential provider. Environment variable: Show more |
string |
|
Alias of the key in the trust store. Environment variable: Show more |
string |
|
Provider of the trust store. Environment variable: Show more |
string |
|
The name of the "credential" bucket (map key → passwords) to retrieve from the A credential provider offers a way to retrieve the key store password as well as alias password. Note that the credential provider is only used if the passwords are not set in the configuration. Environment variable: Show more |
string |
|
The name of the bean providing the credential provider. The name is used to select the credential provider to use. The credential provider must be exposed as a CDI bean and with the If not set, the default credential provider is used. Environment variable: Show more |
string |
|
The key used to retrieve the trust store password. If the selected credential provider does not contain the configured key, the password is not retrieved. Otherwise, the retrieved value is used to open the trust store. Environment variable: Show more |
string |
|
Sets the ordered list of enabled cipher suites. If none is given, a reasonable default is selected from the built-in ciphers. When suites are set, it takes precedence over the default suite defined by the Environment variable: Show more |
list of string |
|
Sets the ordered list of enabled TLS protocols. If not set, it defaults to Note that setting an empty list, and enabling TLS is invalid. You must at least have one protocol. Also, setting this replaces the default list of protocols. Environment variable: Show more |
list of string |
|
The timeout for the TLS handshake phase. If not set, it defaults to 10 seconds. Environment variable: Show more |
|
|
Enables the Application-Layer Protocol Negotiation (ALPN). Application-Layer Protocol Negotiation is a TLS extension that allows the client and server during the TLS handshake to negotiate which protocol they will use for communication. ALPN enables more efficient communication by allowing the client to indicate its preferred application protocol to the server before the TLS connection is established. This helps in scenarios such as HTTP/2 where multiple protocols may be available, allowing for faster protocol selection. Environment variable: Show more |
boolean |
|
Sets the list of revoked certificates (paths to files). A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. When a certificate is compromised, no longer needed, or deemed invalid for any reason, the CA adds it to the CRL to inform relying parties not to trust the certificate anymore. Two formats are allowed: DER and PKCS#7 (also known as P7B). When using the DER format, you must pass DER-encoded CRLs. When using the PKCS#7 format, you must pass PKCS#7 Environment variable: Show more |
list of path |
|
If set to This is useful for testing, but should not be used in production. Environment variable: Show more |
boolean |
|
The hostname verification algorithm to use in case the server’s identity should be checked. Should be If set to If not set, the configured extension decides the default algorithm to use. For example, for HTTP, it will be "HTTPS". For TCP, it can depend on the protocol. Nevertheless, it is recommended to set it to "HTTPS" or "LDAPS". Environment variable: Show more |
string |
|
When configured, the server will reload the certificates (from the file system for example) and fires a This property configures the period to reload the certificates. IF not set, the certificates won’t be reloaded automatically. However, the application can still trigger the reload manually using the The fired event is used to notify the application that the certificates have been updated, and thus proceed with the actual switch of certificates. Environment variable: Show more |
About the Duration format
To write duration values, use the standard You can also use a simplified format, starting with a number:
In other cases, the simplified format is translated to the
|
4. The registry API
While extensions automatically use the TLS registry, you can also access the TLS configuration programmatically through the registry API.
To access the TLS configuration, inject the TlsConfigurationRegistry
bean.
You can retrieve a named TLS configuration by calling get("<NAME>")
or the default configuration by calling getDefault()
.
@Inject
TlsConfigurationRegistry certificates;
// ...
TlsConfiguration def = certificates.getDefault().orElseThrow();
TlsConfiguration named = certificates.get("name").orElseThrow();
//...
The TlsConfiguration
object contains the keystores, truststores, cipher suites, protocols, and other properties.
It also provides a way to create an SSLContext
from the configuration.
You can also use the TlsConfiguration
object to configure the Vert.x client or server, such as KeyCertOptions
, TrustOptions
, and so on.
5. Registering a certificate from an extension
This section is only for extension developers. An extension can register a certificate in the TLS registry. This is useful when an extension needs to provide a certificate to the application or provides a different format.
To register a certificate in the TLS registry by using the extension, the processor extension must produce a TlsCertificateBuildItem
composed of a name and a CertificateSupplier
.
TlsCertificateBuildItem item = new TlsCertificateBuildItem("named",
new MyCertificateSupplier());
The certificate supplier is a runtime object generally retrieved by using a recorder method.
public class MyCertificateSupplier implements Supplier<TlsConfiguration> {
@Override
public TlsConfiguration get() {
try {
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(getClass().getResourceAsStream("target/certs/test-registration-keystore.p12"),
"password".toCharArray());
KeyStore ts = KeyStore.getInstance("PKCS12");
ts.load(getClass().getResourceAsStream("target/certs/test-registration-truststore.p12"),
"password".toCharArray());
return new BaseTlsConfiguration() {
@Override
public KeyStore getKeyStore() {
return ks;
}
@Override
public KeyStore getTrustStore() {
return ts;
}
};
} catch (Exception e) {
throw new RuntimeException(e);
}
}
}
6. Startup checks
When an application that uses the TLS extension starts, the TLS registry performs several checks to ensure the configuration is correct:
-
Keystores and truststores are accessible.
-
Aliases are available and accessible in the keystores and truststores.
-
Certificates are valid.
-
Cipher suites and protocols are valid.
-
Certificate Revocation Lists (CRLs) are valid.
If any of these checks fail, the application will not start.
7. Reloading certificates
The TlsConfiguration
obtained from the TLSConfigurationRegistry
includes a mechanism for reloading certificates.
The reload
method refreshes the keystores and truststores, typically by reloading them from the file system.
The reload operation is not automatic and must be triggered manually.
Additionally, the TlsConfiguration implementation must support reloading (which is the case for the configured certificate).
|
The reload
method returns a boolean
indicating whether the reload was successful.
A value of true
means the reload operation was successful, not necessarily that there were updates to the certificates.
After a TlsConfiguration
has been reloaded, servers and clients using this configuration may need to perform specific actions to apply the new certificates.
The recommended approach for informing clients and servers about the certificate reload is to fire a CDI event of
type io.quarkus.tls.CertificateUpdatedEvent
.
To do so, inject a CDI event of this type and fire it when a reload occurs.
-
Manually triggering a reload and firing a
CertificateUpdatedEvent
:
// in the class that performs the reload @Inject Event<CertificateUpdatedEvent> event; @Inject TlsConfigurationRegistry registry; public void reload() { TlsConfiguration config = registry.get("name").orElseThrow(); if (config.reload()) { event.fire(new CertificateUpdatedEvent("name", config)); } } // In the server or client code public void onReload(@Observes CertificateUpdatedEvent reload) { if ("name".equals(event.getName())) { server.updateSSLOptions(reload.tlsConfiguration().getSSLOptions()); // Or update the SSLContext. } }
7.1. Periodic reloading
The TLS registry includes a built-in mechanism for periodically checking the file system for changes and reloading certificates.
The reload-period
property specifies the interval for reloading certificates and emits a CertificateUpdatedEvent
each time certificates are reloaded.
-
To configure periodic certificate reloading:
quarkus.tls.reload-period=1h quarkus.tls.key-store.pem.0.cert=tls.crt quarkus.tls.key-store.pem.0.key=tls.key
-
For each named configuration, you can set a specific reload period:
quarkus.tls.http.reload-period=30min quarkus.tls.http.key-store.pem.0.cert=tls.crt quarkus.tls.http.key-store.pem.0.key=tls.key
Impacted server and client may need to listen to the CertificateUpdatedEvent to apply the new certificates.
This is automatically done for the Quarkus HTTP server, including the management interface if it is enabled.
|
8. Using Kubernetes secrets or cert-manager
When running in Kubernetes, you can use Kubernetes secrets to store the keystores and truststores.
8.1. Using Kubernetes secrets
-
By using the secret below as an example, create a secret with the keystores and truststores to use Kubernetes secrets:
apiVersion: v1 data: tls.crt: ... tls.key: ... kind: Secret metadata: name: my-certs type: kubernetes.io/tls
-
Mount the secret as a volume in the pod, which is the easiest way to use these certificates:
apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/name: demo app.kubernetes.io/version: 1.0.0-SNAPSHOT app.kubernetes.io/managed-by: quarkus name: demo spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: demo app.kubernetes.io/version: 1.0.0-SNAPSHOT template: metadata: labels: app.kubernetes.io/managed-by: quarkus app.kubernetes.io/name: demo app.kubernetes.io/version: 1.0.0-SNAPSHOT spec: containers: - env: - name: KUBERNETES_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: ... imagePullPolicy: IfNotPresent name: demo ports: - containerPort: 8443 # Configure the port to be HTTPS name: http protocol: TCP volumeMounts: - mountPath: /certs name: my-volume volumes: - name: my-volume secret: defaultMode: 0666 # Set the permissions, otherwise the pod may not be able to read the files optional: false secretName: my-certs # Reference the secret
-
Configure the TLS registry to use the certificates:
# ... # TLS Registry configuration %prod.quarkus.tls.http.key-store.pem.0.cert=/certs/tls.crt %prod.quarkus.tls.http.key-store.pem.0.key=/certs/tls.key # HTTP server configuration: %prod.quarkus.http.tls-configuration-name=http %prod.quarkus.http.insecure-requests=disabled
You can combine this with the periodic reloading to automatically reload the certificates when they change.
8.2. Using cert-manager
When running in Kubernetes, you can use cert-manager to generate and renew certificates automatically. Cert-manager produces a secret containing the keystores and truststores. Configuring the TLS registry is the same as when using Kubernetes secrets. The generated secret includes the following files:
-
tls.crt
for the certificate -
tls.key
for the private key -
ca.crt
for the CA certificate (if needed)-
To configure automatic certificate renewal, use the periodic reloading mechanism:
-
# ...
# TLS Registry configuration
%prod.quarkus.tls.http.key-store.pem.0.cert=/certs/tls.crt
%prod.quarkus.tls.http.key-store.pem.0.key=/certs/tls.key
%prod.quarkus.tls.http.reload-period=24h
# HTTP server configuration:
%prod.quarkus.http.tls-configuration-name=http
%prod.quarkus.http.insecure-requests=disabled
9. Working with OpenShift serving certificates
When running your application in OpenShift, you can use the OpenShift serving certificates to generate and renew TLS certificates automatically. The Quarkus TLS registry can use these certificates and Certificate Authority (CA) files to handle HTTPS traffic and validate certificates securely.
9.1. Acquiring a certificate
To have OpenShift generate a serving certificate, annotate an existing Service object. The generated certificate will be stored in a secret, which you can then mount in your pod.
The following snippet uses an example Service object with an annotation for generating a TLS certificate.
-
View the configuration of the Service object:
apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/name: ... app.kubernetes.io/version: ... app.kubernetes.io/managed-by: quarkus name: hero-service spec: ports: - name: http port: 443 protocol: TCP targetPort: 8443 selector: app.kubernetes.io/name: ... app.kubernetes.io/version: ... type: ClusterIP
-
To generate a certificate, add his annotation to your already created OpenShift
service
:oc annotate service hero-service \ service.beta.openshift.io/serving-cert-secret-name=my-tls-secret
The annotation
service.beta.openshift.io/serving-cert-secret-name
instructs OpenShift to generate a certificate and store it in a secret namedmy-tls-secret
. -
Mount the secret as a volume in your pod by updating your Deployment configuration:
apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/name: ... app.kubernetes.io/version: ... name: my-service spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: ... app.kubernetes.io/version: ... template: metadata: labels: app.kubernetes.io/name: ... app.kubernetes.io/version: ... spec: volumes: - name: my-tls-secret (1) secret: secretName: my-tls-secret containers: - env: - name: KUBERNETES_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: QUARKUS_TLS_KEY_STORE_PEM_ACME_CERT (2) value: /etc/tls/tls.crt - name: QUARKUS_TLS_KEY_STORE_PEM_ACME_KEY value: /etc/tls/tls.key image: ... imagePullPolicy: Always name: my-service volumeMounts: (3) - name: my-tls-secret mountPath: /etc/tls readOnly: true ports: - containerPort: 8443 (4) name: https protocol: TCP
1 Define a volume to mount the secret. Use the same name as the secret declared above. 2 Set up the keystore with the paths to the certificate and private key. This can be configured by using environment variables or configuration files. This example uses environment variables. OpenShift serving certificates always create the tls.crt
andtls.key
files.3 Mount the secret in the container. Ensure that the path matches the one used in the configuration (here /etc/tls
).4 Configure the port to serve HTTPS. -
Deploy your application to use the certificate generated by OpenShift. This will make the service available over HTTPS.
By setting the This configures the default keystore for the Quarkus HTTP server, which allows the server to use the certificate. For information about using this certificate in a named configuration, see Referencing a TLS configuration. |
9.2. Trusting the Certificate Authority (CA)
Now that your service uses a certificate issued by OpenShift, configure your client applications to trust this certificate. To do so, create a ConfigMap that holds the CA certificate, and then configure the pod to mount it. The following steps use a Quarkus REST client as an example, but the same approach applies to any client.
-
Start by defining an empty ConfigMap, which will be populated with the CA certificate:
apiVersion: v1 kind: ConfigMap metadata: name: client-tls-config annotations: service.beta.openshift.io/inject-cabundle: "true"
The
service.beta.openshift.io/inject-cabundle
annotation is used to inject the CA certificate into the ConfigMap. Note that the ConfigMap initially has no data — it is empty. During its processing, OpenShift injects the CA certificate into the ConfigMap in theservice-ca.crt
file. -
Mount the ConfigMap by adding a volume and mounting it in your Deployment configuration:
apiVersion: apps/v1 kind: Deployment metadata: name: my-service-client labels: app.kubernetes.io/name: ... app.kubernetes.io/version: ... spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: ... app.kubernetes.io/version: ... template: metadata: labels: app.kubernetes.io/name: ... app.kubernetes.io/version: ... spec: containers: - name: my-service-client image: ... ports: - name: http containerPort: 8080 protocol: TCP volumeMounts: (1) - name: my-client-volume mountPath: /deployments/tls volumes: (2) - name: my-client-volume configMap: name: client-tls-config
1 Mount the ConfigMap in the container. Ensure that the path matches the one used in the configuration (in this example /deployments/tls
).2 Define a volume to mount the ConfigMap and reference the ConfigMap that receives the CA certificate. -
Configure the REST client to use this CA certificate.
Consider the following REST client interface:
package org.acme; import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; import org.eclipse.microprofile.rest.client.inject.RegisterRestClient; @RegisterRestClient(baseUri = "https://hero-service.cescoffi-dev.svc", configKey = "hero") (1) public interface HeroClient { record Hero (Long id, String name, String otherName, int level, String picture, String powers) { } @GET @Path("/api/heroes/random") Hero getRandomHero(); }
1 Configure the base URI and the configuration key. The name must be in the format <service-name>.<namespace>.svc
. Otherwise, the certificate will not be trusted. Ensure that theconfigKey
is also configured. -
Configure the REST client to trust the CA certificate generated by OpenShift:
quarkus.rest-client.hero.tls-configuration-name=my-service-tls (1) quarkus.tls.my-service-tls.trust-store.pem.certs=/deployments/tls/service-ca.crt (2)
1 Configure the hero
REST client with the TLS configuration namedmy-service-tls
.2 Set up the my-service-tls
TLS configuration, specifically the truststore with the CA certificate. Ensure the path matches the one used in the Kubernetes Deployment configuration. The file is always namedservice-ca.crt
.
9.3. Certificate renewal
OpenShift automatically renews the serving certificates it generates. When the certificate is renewed, the secret is updated with the new certificate and private key.
To ensure your application uses the new certificate, you can use the periodic reloading feature of the Quarkus TLS registry.
By setting the reload-period
property, the TLS registry will periodically check the keystores and truststores for changes and reload them if needed:
quarkus.tls.reload-period=24h
-
Optionally, implement a custom mechanism to reload the certificates when the secret is updated. See Reloading certificates for more information.
10. Quarkus CLI commands and development Certificate Authority
The TLS registry provides Quarkus CLI commands to generate a development Certificate Authority (CA) and trusted certificates. This avoids having to use self-signed certificates locally.
The following snippet shows the description of the quarkus tls
command, containing two sub-commands:
> quarkus tls
Install and Manage TLS development certificates
Usage: tls [COMMAND]
Commands:
generate-quarkus-ca Generate Quarkus Dev CA certificate and private key. (1)
generate-certificate Generate a TLS certificate with the Quarkus Dev CA if
available. (2)
1 | This is useful for local development, as it allows Quarkus to act as its own certificate authority, which can be used to sign other certificates. |
2 | This is useful when creating a certificate for secure communication between your application and external services or clients during development. |
In most cases, you generate the Quarkus Development CA once and then generate certificates signed by this CA.
The Quarkus Development CA is a Certificate Authority that can be used to sign certificates locally.
It is only valid for development purposes and only trusted on the local machine.
The generated CA is located in $HOME/.quarkus/quarkus-dev-root-ca.pem
, and installed in the system truststore.
10.1. Understanding self-signed versus CA-signed certificates
When developing with TLS, you can use two types of certificates:
-
Self-signed certificate: The certificate is signed by the same entity that uses it. It is not trusted by default. This type of certificate is typically used when a Certificate Authority (CA) is unavailable or you want a simple setup. It is not suitable for production and should only be used for development.
-
CA-signed certificate: The certificate is signed by a Certificate CA, a trusted entity. This certificate is trusted by default and is the standard choice for production environments.
While you can use a self-signed certificate for local development, it has limitations.
Browsers and tools like curl
, wget
, and httpie
typically do not trust self-signed certificates, requiring manual import of the CA in your OS.
To avoid this issue, you can use a development CA to sign certificates and install the CA in the system truststore. This ensures that the system trusts all certificates signed by the CA.
Quarkus simplifies the generation of a development CA and the certificates that are signed by this CA.
10.2. Generate a development CA
The development CA is a Certificate Authority that can be used to sign certificates locally. Note that the generated CA is only valid for development purposes and can only be trusted on the local machine.
To generate a development CA:
quarkus tls generate-ca-certificate --install \ (1)
--renew \ (2)
--truststore (3)
1 | --install installs the CA in the system truststore.
Windows, Mac, and Linux (Fedora and Ubuntu) are supported.
However, depending on your browser, you might need to import the generated CA manually.
Refer to your browser’s documentation for more information.
The generated CA is located in $HOME/.quarkus/quarkus-dev-root-ca.pem . |
2 | --renew renews the CA if it already exists.
When this option is used, the private key is changed, so you need to regenerate the certificates signed by the CA.
If the CA expires, it will automatically renew without requiring the --renew option. |
3 | --truststore also generates a PKCS12 truststore containing the CA certificate. |
When installing the certificate, your system might ask for your password to install the certificate in the system truststore or ask for confirmation in a dialog on Windows. |
On Windows, run as administrator from an elevated terminal to install the CA in the system truststore. |
10.3. Generating a trusted (signed) certificate
-
-
After installing the Quarkus Development CA, generate a trusted certificate. This certificate will be signed by the Quarkus Development CA and trusted by your system.
quarkus tls generate-certificate --name my-cert
This command generates a certificate signed by the Quarkus Development CA, which your system will trust if properly installed or imported.
The certificate is stored in
./.certs/
. Two files are generated:
-
-
$NAME-keystore.p12
: Contains the private key and the certificate. It is password-protected. -
$NAME-truststore.p12
: Contains the CA certificate, which you can use as a truststore, for example, for testing.Additional options are available:
Usage: tls generate-certificate [-hrV] [-c=<cn>] [-d=<directory>] -n=<name> [-p=<password>] Generate a TLS certificate with the Quarkus Dev CA if available. -c, --cn=<cn> The common name of the certificate. Default is 'localhost' -d, --directory=<directory> The directory in which the certificates will be created. Default is `.certs` -n, --name=<name> Name of the certificate. It will be used as file name and alias in the keystore -p, --password=<password> The password of the keystore. Default is 'password' -r, --renew Whether existing certificates will need to be replaced
A
.env
file is also generated when generating the certificate, making the Quarkus dev mode aware of these certificates.-
Run your application in dev mode to use these certificates:
./mvnw quarkus:dev ... INFO [io.quarkus] (Quarkus Main Thread) demo 1.0.0-SNAPSHOT on JVM (powered by Quarkus 999-SNAPSHOT) started in 1.286s. Listening on: http://localhost:8080 and https://localhost:8443
-
Open the Dev UI by using HTTPS:
https://localhost:8443/q/dev
or by issuing acurl
request:curl https://localhost:8443/hello Hello from Quarkus REST%
Quarkus generates a self-signed certificate if the Quarkus Development CA is not installed.
-
10.4. Generating a self-signed certificate
Even if the Quarkus Development CA is installed, you can generate a self-signed certificate:
quarkus tls generate-certificate --name my-cert --self-signed
This generates a self-signed certificate that the Quarkus Development CA does not sign.
10.5. Uninstalling the Quarkus Development CA
Uninstalling the Quarkus Development CA from your system depends on your OS.
10.5.1. Deleting the CA certificate on Windows
-
List the CA certificate on Windows by using the Powershell terminal with administrator rights:
# First, we need to identify the serial number of the CA certificate > certutil -store -user Root root "Trusted Root Certification Authorities" ================ Certificate 0 ================ Serial Number: 019036d564c8 Issuer: O=Quarkus, CN=quarkus-dev-root-ca # <-That's the CA, copy the Serial Number (the line above) NotBefore: 6/19/2024 11:07 AM NotAfter: 6/20/2025 11:07 AM Subject: C=Cloud, S=world, L=home, OU=Quarkus Dev, O=Quarkus Dev, CN=quarkus-dev-root-ca Signature matches Public Key Non-root Certificate uses same Public Key as Issuer Cert Hash(sha1): 3679bc95b613a2112a3d3256fe8321b6eccce720 No key provider information Cannot find the certificate and private key for decryption. CertUtil: -store command completed successfully.
-
Delete the stored CA certificate and replace
$Serial_Number
with the serial number of the CA certificate:> certutil -delstore -user -v Root $Serial_Number
11. Automatic certificate management with Let’s Encrypt
Let’s Encrypt is a free, automated certificate authority provided by Internet Security Research Group.
Let’s Encrypt uses Automated certificate management environment (ACME) protocol to support automatic certificate issuance and renewal. To learn more about Let’s Encrypt and ACME, see Let’s Encrypt documentation.
The TLS registry extension allows a CLI ACME client to issue and renew Let’s Encrypt certificates. Your application uses this TLS registry extension to resolve ACME protocol challenges.
Follow the steps below to have your Quarkus application prepared and automatically updated with new and renewed Let’s Encrypt certificates.
11.1. Requisitos previos
-
Ensure that a fully resolvable DNS domain name is available that you can use to access your application. You can use this domain name to create a Let’s Encrypt account and pass the Let’s Encrypt ACME challenges to prove that you own this domain. You can use ngrok to start experimenting with the Quarkus Let’s Encrypt ACME feature; for more information, see the Testing with ngrok section below.
-
Your Quarkus HTTPS application must use a build-time property to enable a Let’s Encrypt ACME challenge route:
quarkus.tls.lets-encrypt.enabled=true
The TLS registry can manage the challenge process from either the main HTTP interface or the management interface. Using a management interface is strongly recommended to let Quarkus deal with ACME challenge configuration separately from the main application’s deployment and security requirements:
quarkus.tls.lets-encrypt.enabled=true quarkus.management.enabled=true
Port 80
The Let’s Encrypt ACME challenge requires that the application is reachable on port We also recommend setting
|
The challenge is served from the primary HTTP interface (accessible from your DNS domain name).
Do not start your application yet. |
11.2. Application preparation
Before you request a Let’s Encrypt certificate:
-
Move to the root directory of your application.
-
Run the TLS registry Let’s Encrypt CLI
prepare
command:quarkus tls lets-encrypt prepare --domain=<domain-dns-name>
The
prepare
command does the following:-
Creates a
.letsencrypt
folder in your application’s root directory -
Creates a self-signed domain certificate and private key for your application configured in the previous Let’s Encrypt prerequisites step to be able to start and accept HTTPS requests
-
Creates a
.env
configuration file in your application’s root directory and configures the application to use the self-signed domain certificate and private key (until we get the Let’s Encrypt certificate)The following snippet shows an example of the generated
.env
file:quarkus.tls.key-store.pem.acme.cert=.letsencrypt/lets-encrypt.crt quarkus.tls.key-store.pem.acme.key=.letsencrypt/lets-encrypt.key
The .env
file does not contain thequarkus.tls.lets-encrypt.enabled
andquarkus.management.enabled
properties as they are build-time properties that require a rebuild of the application.
-
11.3. Starting your application
-
Start your application:
java -jar quarkus-run.jar
-
Access your application endpoint by using
https://your-domain-name:8443/
; for example,https://your-domain-name:8443/hello
, and accept a self-signed certificate in the browser. -
Keep the application running and request your first Let’s Encrypt certificate.
-
11.4. Issue a certificate
-
From the application directory, run the
issue-certificate
command to acquire your first Let’s Encrypt certificate:quarkus tls lets-encrypt issue-certificate \ --domain=<domain-dns-name> \ (1) --email=<your contact email> \ (2) --management-url=https://localhost:9000 (3)
1 Set your domain name. 2 Provide your contact email address that Let’s Encrypt can use to contact you in case of any issues with your Let’s Encrypt account. 3 Set your application management URL, which you can use to handle ACME challenges. Use https://localhost:8443/
if you choose not to enable a management router in the Let’s Encrypt prerequisites step. -
During the processing of the
issue-certificate
command, the TLS registry CLI performs the following tasks:-
Checks if the application is prepared to serve the challenge.
-
Creates and records Let’s Encrypt account information.
-
Issues a Let’s Encrypt certificate request.
-
Interacts with the Quarkus application to resolve ACME challenges.
When the Let’s Encrypt certificate chain and private key have been successfully acquired, they are converted to PEM format and copied to your application’s .letsencrypt
folder. The TLS registry is informed that a new certificate and private key are ready and reloads them automatically.
-
-
Access your application’s endpoint using
https://your-domain-name:8443/
again. Confirm in the browser that the Let’s Encrypt certificate authority is now signing your domain certificate.Note that currently, the
issue-certificate
command implicitly creates a Let’s Encrypt account to make it easy for users to get started with the ACME protocol. Support for the Let’s Encrypt account management will evolve further.
11.5. Renewing a certificate
Renewing certificates is similar to issuing the first certificate, but it requires an existing account created during the Issue certificates with Let’s Encrypt step.
Run the following command to renew your Let’s Encrypt certificate and set your domain DNS name:
quarkus tls lets-encrypt renew-certificate \
--domain=<domain-dns-name>
During this command, TLS registry CLI reads a Let’s Encrypt account information recorded during the Issue certificates with Let’s Encrypt step, issues a Let’s Encrypt certificate request, and communicates with a Quarkus application to have ACME challenges resolved.
Once the Let’s Encrypt certificate chain and private key have been successfully renewed, they are converted to PEM format and copied to your application’s .letsencrypt
folder.
The TLS registry is notified when a new certificate and private key are ready, and it automatically reloads them.
11.6. Testing with ngrok
ngrok can be used to provide a secure HTTPS tunnel to your application running on localhost, and make it easy to test HTTPS based applications.
ngrok provides a simplified way of getting started with the Quarkus Let’s Encrypt ACME feature.
-
Initiate testing by asking ngrok to reserve a domain:
You can use Quarkiverse ngrok in dev mode or reserve it directly in the ngrok dashboard. Unfortunately, you cannot use your ngrok domain to test the Quarkus Let’s Encrypt ACME feature immediately. This is because ngrok itself uses Let’s Encrypt and intercepts ACME challenges that are meant to be handled by the Quarkus application instead.
-
Therefore, remove the ngrok Let’s Encrypt certificate policy from your ngrok domain:
ngrok api --api-key <YOUR-API-KEY> reserved-domains delete-certificate-management-policy <YOUR-RESERVED-DOMAIN-ID>
YOUR-RESERVED-DOMAIN-ID
is your reserved domain’s id which starts fromrd_
, you can find it in the ngrok dashboard domains section. -
Because ngrok only forwards ACME challenges over HTTP, start ngrok by using the following command:
ngrok http --domain <YOUR-NGROK-DOMAIN> 8080 --scheme http (1)
1 8080
is the localhost HTTP port your application is listening on. Note that the application will be accessible fromhttp://YOUR-NGROK-DOMAIN
on port80
but redirected to your local machine on port8080
. -
Test the Quarkus Let’s Encrypt ACME feature from your local machine.