Re: [jetty-users] Changing Jetty SSL server certificate on-the-fly

For a similar purpose (adding dynamic user-certificates to the trust-store) I have extended SslContextFactory to use a special TrustManager that allows reloading the KeyStore contents from disk on demand (e.g. adding/removing a new client-key).

You should be able to do similar things for KeyManager, maybe the KeyStoreProvider is more appropriate for this.

On 25.08.2016 11:53, Mindus Support wrote:

Hi,

We use the ACME protocol with Let’s Encrypt to automatically and programmatically request and generate new server certificates for SSL in conjunction with an embedded Jetty 9 web server (the Jetty server is configured and started with our own code, not a file based configuration). We therefore generate a new KeyStore or can modify the existing KeyStore instance with the new certificate chain.

As such, every 85 days or so, we wish to programmatically either:

1. Change the KeyStore in the SSL configuration for the HTTPS ServerConnector (in SSLContextFactory or alike) if it is possible during runtime (but the existing SSLContext must somehow be refreshed – all this must be done when the ServerConnector is stopped and we would like to keep it running),

2. Restart the connector if it is possible after reconfiguration (avoiding potential stops in SSLServerSocket listener),

3. Remove and stop the existing connector, create the new connector, add it to the server and start it (the connector),

4. Use some kind of dynamic KeyManagerFactory?

5. Subclass SSLContextFactory or something like that…

How should we go about doing it the best way?

Is it even possible to do this without temporarily stopping the SSLServerSocket?

Best regards,

Chri
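The approach the reply sketches (a reloadable delegate inside SslContextFactory), applied to the KeyManager side that options 4 and 5 of the question ask about, as an added example that is code from neither poster nor from the Jetty project. It assumes Jetty 9.3's `org.eclipse.jetty.util.ssl.SslContextFactory` with its protected `getKeyManagers(KeyStore)` hook, a keystore file that the ACME client overwrites in place under the same alias, and a hypothetical class name `ReloadableSslContextFactory`.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Hypothetical subclass: the SSLContext keeps one wrapper KeyManager, and reload() swaps
// the delegate behind it, so new handshakes use the renewed chain while the connector keeps running.
public class ReloadableSslContextFactory extends SslContextFactory {
    private final Path keyStorePath;
    private final char[] password;
    private volatile X509ExtendedKeyManager delegate;

    public ReloadableSslContextFactory(Path keyStorePath, String password) {
        this.keyStorePath = keyStorePath;
        this.password = password.toCharArray();
        setKeyStorePath(keyStorePath.toString());   // lets Jetty load the initial store as usual
        setKeyStorePassword(password);
    }

    // Call after the ACME client has written the renewed chain to keyStorePath (same alias as before).
    public void reload() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keyStorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers())
            if (km instanceof X509ExtendedKeyManager) { delegate = (X509ExtendedKeyManager) km; return; }
        throw new IllegalStateException("no X509ExtendedKeyManager built from " + keyStorePath);
    }

    @Override
    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception {
        if (delegate == null) reload();
        // Jetty handshakes through SSLEngine, so the chooseEngine* methods must forward as well.
        return new KeyManager[] { new X509ExtendedKeyManager() {
            public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
            public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
            public String chooseEngineServerAlias(String t, Principal[] i, SSLEngine e) { return delegate.chooseEngineServerAlias(t, i, e); }
            public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
            public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
            public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(t, i, e); }
            public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
            public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
        } };
    }
}
```

Because `getKeyManagers` is overridden wholesale, Jetty's own SNI and certAlias wrapping of the key managers is skipped, so this suits a single-certificate connector; the SSLContext itself is never replaced, which is why the listening socket stays up across a reload.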
