For a similar purpose (adding dynamic user certificates to the trust store)
I have extended SslContextFactory to use a special TrustManager that
allows reloading the KeyStore contents from disk on demand (e.g.
adding/removing a new client key).
You should be able to do similar things for KeyManager; maybe the
KeyStoreProvider is more appropriate for this.
On 25.08.2016 11:53, Mindus Support wrote:
Hi,
We use the ACME protocol with Let's Encrypt to automatically and
programmatically request and generate new server certificates for SSL,
in conjunction with an embedded Jetty 9 web server (the Jetty server
is configured and started with our own code, not a file-based
configuration). We therefore generate a new KeyStore, or can modify the
existing KeyStore instance, with the new certificate chain.
As such, every 85 days or so, we wish to programmatically either:
1. Change the KeyStore in the SSL configuration for the HTTPS
ServerConnector (in SslContextFactory or the like), if it is possible
at runtime (but the existing SSLContext must somehow be refreshed;
all this must be done when the ServerConnector is stopped, and we
would like to keep it running),
2. Restart the connector, if that is possible after reconfiguration
(avoiding potential stops in the SSLServerSocket listener),
3. Remove and stop the existing connector, create the new connector,
add it to the server and start it (the connector),
4. Use some kind of dynamic KeyManagerFactory?
5. Subclass SslContextFactory or something like that...
How should we go about doing it the best way?
Is it even possible to do this without temporarily stopping the
SSLServerSocket?
Best regards,
Chri
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
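The reloadable TrustManager described in the reply above, written out as an added example; this is not code from the thread or from Jetty itself. It assumes a file-backed trust store (path, password and type of your choosing) and the protected getTrustManagers(KeyStore, Collection<? extends CRL>) override point that Jetty 9's SslContextFactory calls while building its SSLContext; the class names and the Jetty hook are illustrative, so check the override signature against the Jetty version you run.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Trust manager whose backing trust store can be re-read from disk on demand.
 * The SSLContext that Jetty builds keeps a reference to this one object, so
 * swapping the delegate takes effect for every new handshake without
 * rebuilding the SSLContext or restarting the ServerConnector.
 */
public final class ReloadableTrustManager extends X509ExtendedTrustManager {

    private final String path;     // assumed trust store file, e.g. "/etc/app/clients.p12"
    private final char[] password;
    private final String type;     // "PKCS12" or "JKS"
    private final AtomicReference<X509ExtendedTrustManager> delegate = new AtomicReference<>();

    public ReloadableTrustManager(String path, char[] password, String type)
            throws IOException, GeneralSecurityException {
        this.path = path;
        this.password = password.clone();
        this.type = type;
        reload();  // fail fast at construction if the store cannot be read
    }

    /**
     * Re-read the trust store and atomically replace the delegate. Handshakes
     * already in progress keep the manager they started with; the next
     * handshake sees the new set of trusted certificates.
     */
    public void reload() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                delegate.set((X509ExtendedTrustManager) tm);  // single atomic swap
                return;
            }
        }
        throw new GeneralSecurityException("no X509ExtendedTrustManager for " + path);
    }

    // Every JSSE entry point forwards to the current delegate. The Socket and
    // SSLEngine overloads are the ones the JDK actually invokes (they also do
    // endpoint identification), so they must be delegated too, not just the
    // two legacy X509TrustManager methods.
    @Override public void checkClientTrusted(X509Certificate[] c, String a)
            throws CertificateException { delegate.get().checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { delegate.get().checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s)
            throws CertificateException { delegate.get().checkClientTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s)
            throws CertificateException { delegate.get().checkServerTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e)
            throws CertificateException { delegate.get().checkClientTrusted(c, a, e); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e)
            throws CertificateException { delegate.get().checkServerTrusted(c, a, e); }
    @Override public X509Certificate[] getAcceptedIssuers() {
        return delegate.get().getAcceptedIssuers();
    }
}

/**
 * Jetty 9 hook (assumption: SslContextFactory exposes a protected
 * getTrustManagers(KeyStore, Collection<? extends CRL>) that is called once
 * when the SSLContext is built). Returning our manager here means the
 * SSLContext holds the reloadable object instead of a fixed PKIX manager.
 */
final class ReloadableSslContextFactory extends SslContextFactory {
    private final ReloadableTrustManager trust;

    ReloadableSslContextFactory(ReloadableTrustManager trust) {
        this.trust = trust;
        setNeedClientAuth(true);  // server side, the trust store is only used for client certs
    }

    @Override
    protected TrustManager[] getTrustManagers(KeyStore ignoredStore, Collection<? extends CRL> crls) {
        return new TrustManager[] { trust };  // ignore whatever Jetty loaded from a file
    }
}
```

Wire it with `new ServerConnector(server, new ReloadableSslContextFactory(trust))` and call `trust.reload()` from whatever updates the store (a file watcher, or the enrollment code itself). Two caveats a practitioner should keep in mind: reloading only affects new full handshakes, so a client whose certificate was just removed can still resume a cached TLS session until it expires (shorten the server session timeout via the SSLContext's `getServerSessionContext().setSessionTimeout(...)` if that matters); and the store should be written to a temporary file and renamed into place, so a reload never reads a half-written file. For the Let's Encrypt case in the question, the same delegation pattern over `X509ExtendedKeyManager` (forwarding chooseEngineServerAlias, getCertificateChain and getPrivateKey to a swappable delegate, returned from the analogous `getKeyManagers(KeyStore)` override) rotates the server chain without stopping the connector.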