How it works
The starter does its work very early in the Spring Boot lifecycle, before the application context is
refreshed. It is not an @AutoConfiguration and contributes no beans — it only adds properties to the
environment so that Spring Boot's existing SSL support configures the embedded web server for TLS.
The environment post-processor
EnableTlsEnvPostprocessor implements Spring Boot's EnvironmentPostProcessor and is registered in
META-INF/spring.factories:
org.springframework.boot.EnvironmentPostProcessor=\
ch.admin.bit.jeap.tls.EnableTlsEnvPostprocessor
On postProcessEnvironment it:
- checks `jeap.web.tls.enabled` (default `true`); if disabled, it does nothing;
- resolves the hostname from `jeap.web.tls.self-signed-cert.hostname`, falling back to `spring.application.name`, then to `unknown`;
- resolves the validity from `jeap.web.tls.self-signed-cert.days-valid` (default `3650` days);
- generates a self-signed key/certificate pair (`PemKeyCertPair`);
- adds a `spring.ssl.bundle.pem.web-server.*` keystore, sets `server.ssl.bundle=web-server` and `server.http2.enabled=true` in a new property source `jeap-tls-config`.
The pair is generated only once per post-processor instance, and the whole property source is added
only if server.ssl.bundle is not already set, so an explicitly configured SSL bundle takes
precedence.
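The following Java sketch is an added illustration of the steps above written against Spring Boot's EnvironmentPostProcessor API; it is not the starter's own EnableTlsEnvPostprocessor source. The class name ExampleTlsEnvPostProcessor and the PairFactory interface are assumptions introduced so that the certificate generator can be plugged in; the keys `spring.ssl.bundle.pem.web-server.keystore.certificate` and `.private-key` are Spring Boot's standard PEM bundle properties (inline PEM content is accepted), and adding the source with addLast is an assumption, since the page only names the source.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;

/** PEM-encoded private key and certificate, mirroring the starter's record of the same name. */
record PemKeyCertPair(String key, String cert) {}

/** Hypothetical hook for the certificate generator; the real starter uses PemKeyCertPairFactory. */
@FunctionalInterface
interface PairFactory {
    PemKeyCertPair create(String hostname, int daysValid);
}

/** Assumed name; demonstrates the property wiring described on this page. */
public class ExampleTlsEnvPostProcessor implements EnvironmentPostProcessor {

    static final String PROPERTY_SOURCE_NAME = "jeap-tls-config";
    static final String BUNDLE_NAME = "web-server";

    private final PairFactory pairFactory;
    private PemKeyCertPair pair; // generated at most once per post-processor instance

    public ExampleTlsEnvPostProcessor(PairFactory pairFactory) {
        this.pairFactory = pairFactory;
    }

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication application) {
        // 1. Opt-out switch, enabled by default.
        if (!env.getProperty("jeap.web.tls.enabled", Boolean.class, true)) {
            return;
        }
        // 2. An explicitly configured bundle wins: contribute nothing at all
        //    (checked before key generation so no key material is created needlessly).
        if (env.containsProperty("server.ssl.bundle")) {
            return;
        }
        // 3. Hostname: explicit property, then spring.application.name, then "unknown".
        String hostname = env.getProperty("jeap.web.tls.self-signed-cert.hostname",
                env.getProperty("spring.application.name", "unknown"));
        // 4. Validity in days, default 3650.
        int daysValid = env.getProperty("jeap.web.tls.self-signed-cert.days-valid", Integer.class, 3650);
        // 5. Generate the key/certificate pair only once per instance.
        if (pair == null) {
            pair = pairFactory.create(hostname, daysValid);
        }
        // 6. Describe a PEM SSL bundle and point the embedded server at it.
        Map<String, Object> props = new LinkedHashMap<>();
        props.put("spring.ssl.bundle.pem." + BUNDLE_NAME + ".keystore.certificate", pair.cert());
        props.put("spring.ssl.bundle.pem." + BUNDLE_NAME + ".keystore.private-key", pair.key());
        props.put("server.ssl.bundle", BUNDLE_NAME);
        props.put("server.http2.enabled", "true");
        // Position in the property-source chain is an assumption of this example.
        env.getPropertySources().addLast(new MapPropertySource(PROPERTY_SOURCE_NAME, props));
    }
}
```

Two practical points follow from this shape. A post-processor listed in spring.factories is instantiated reflectively, so a real implementation needs a no-argument constructor and would create its generator internally; the injected PairFactory here only keeps the example independent of the BouncyCastle code. And because the pair exists only in the running environment, every JVM start yields a fresh certificate: anything that pins the server certificate (a client truststore, a service mesh) must be re-pointed after each restart, which is why an explicitly configured bundle is allowed to take precedence.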
Certificate generation
PemKeyCertPairFactory builds the self-signed certificate with BouncyCastle (bcpkix-jdk18on):
- an RSA-2048 key pair (`SecureRandom`);
- a self-signed `X509v3` certificate signed with `SHA256withRSA`;
- the hostname as subject `CN` and as a `dNSName` subject alternative name;
- extensions: `basicConstraints` (CA = false), `keyUsage` (digital signature + key encipherment) and `extendedKeyUsage` (serverAuth).
Both the private key and the certificate are returned PEM-encoded in the PemKeyCertPair record
(key, cert), ready to feed into the PEM SSL bundle.
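As an added example, not the project's PemKeyCertPairFactory, the following code assembles the same certificate with the bcpkix API and returns it PEM-encoded. The class name SelfSignedCertExample, the random 64-bit serial number and the criticality flags on the extensions are this example's assumptions; everything else (key size, signature algorithm, subject, SAN and extension set) follows the list above.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** PEM-encoded private key and certificate, mirroring the starter's record of the same name. */
record PemKeyCertPair(String key, String cert) {}

/** Hypothetical stand-in for the starter's PemKeyCertPairFactory. */
public final class SelfSignedCertExample {

    public static PemKeyCertPair create(String hostname, int daysValid)
            throws GeneralSecurityException, OperatorCreationException, IOException {
        SecureRandom random = new SecureRandom();

        // RSA-2048 key pair drawn from SecureRandom.
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048, random);
        KeyPair keyPair = generator.generateKeyPair();

        // Self-signed: issuer and subject are the same CN=<hostname>.
        X500Name name = new X500Name("CN=" + hostname);
        Instant notBefore = Instant.now();
        Instant notAfter = notBefore.plus(daysValid, ChronoUnit.DAYS);
        // Random, non-zero 64-bit serial (assumption; the page does not say how it is chosen).
        BigInteger serial = new BigInteger(64, random).add(BigInteger.ONE);
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, Date.from(notBefore), Date.from(notAfter), name, keyPair.getPublic());

        // Extensions as listed above; the criticality flags are this example's choice.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        builder.addExtension(Extension.extendedKeyUsage, false,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
        // The hostname again as a dNSName SAN; this is the entry clients actually match against.
        builder.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, hostname)));

        // Sign with the pair's own private key using SHA256withRSA.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate());
        X509Certificate certificate =
                new JcaX509CertificateConverter().getCertificate(builder.build(signer));

        return new PemKeyCertPair(toPem(keyPair.getPrivate()), toPem(certificate));
    }

    /** PEM-encode a private key or certificate with BouncyCastle's PEM writer. */
    private static String toPem(Object object) throws IOException {
        StringWriter out = new StringWriter();
        try (JcaPEMWriter writer = new JcaPEMWriter(out)) {
            writer.writeObject(object);
        }
        return out.toString();
    }
}
```

Browsers and Java's hostname verifier match the dNSName SAN rather than the subject CN, so the SAN extension is the one that decides whether a client accepts the name; the CN is kept for tooling that still displays it. Both PEM strings can be handed directly to a Spring Boot PEM bundle, which accepts inline PEM text as well as resource locations.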
HTTP/2
TLS is a precondition for HTTP/2 in practice (browsers only support HTTP/2 over TLS). Because the
starter enables TLS anyway, it also sets server.http2.enabled=true so the service benefits from the
more efficient HTTP/2 protocol.