This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new d7c8879fd483 CAMEL-23736: Make self-signed dev certificate key 
algorithm configurable (default EC)
d7c8879fd483 is described below

commit d7c8879fd483ca5f3119c9d6f9519ee31ca7ef7a
Author: Andrea Cosentino <[email protected]>
AuthorDate: Thu Jun 11 13:06:10 2026 +0200

    CAMEL-23736: Make self-signed dev certificate key algorithm configurable 
(default EC)
    
    The development-only self-signed certificate (camel.ssl.selfSigned=true) 
hardcoded RSA-2048 with SHA256withRSA. Add a camel.ssl.selfSignedKeyType option 
defaulting to EC (NIST P-256, SHA256withECDSA) with RSA still selectable, 
keeping the dependency-free hand-rolled DER encoding. Regenerated camel-main 
config metadata and documented the changed default in the 4.21 upgrade guide.
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .../main/camel-main-configuration-metadata.json    |  1 +
 .../main/SSLConfigurationPropertiesConfigurer.java |  7 +++
 .../camel-main-configuration-metadata.json         |  1 +
 core/camel-main/src/main/docs/main.adoc            |  3 +-
 .../org/apache/camel/main/BaseMainSupport.java     |  2 +-
 .../camel/main/SSLConfigurationProperties.java     | 23 ++++++++
 .../camel/main/SelfSignedCertificateGenerator.java | 69 +++++++++++++++++-----
 .../java/org/apache/camel/main/MainSSLTest.java    | 24 ++++++++
 .../ROOT/pages/camel-4x-upgrade-guide-4_21.adoc    | 10 ++++
 9 files changed, 124 insertions(+), 16 deletions(-)

diff --git 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json
 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json
index 14ec2eeddbd2..887cc21c6825 100644
--- 
a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json
+++ 
b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json
@@ -374,6 +374,7 @@
     { "name": "camel.ssl.secureRandomProvider", "required": false, 
"description": "To use a specific provider for creating SecureRandom. The list 
of available providers returned by java.security.Security.getProviders() or 
null to use the highest priority provider implementing the secure socket 
protocol.", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", 
"type": "string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.ssl.secureSocketProtocol", "required": false, 
"description": "The protocol for the secure sockets created by the SSLContext. 
See 
https:\/\/docs.oracle.com\/en\/java\/javase\/17\/docs\/specs\/security\/standard-names.html",
 "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": 
"string", "javaType": "java.lang.String", "defaultValue": "TLSv1.3", "secret": 
false },
     { "name": "camel.ssl.selfSigned", "required": false, "description": 
"Whether to generate a self-signed certificate for development use when no 
keystore is configured. This can be used in development environment to easily 
enable HTTPS without providing a keystore. Do NOT use this in production as the 
certificate is not trusted and is regenerated on each restart.", "sourceType": 
"org.apache.camel.main.SSLConfigurationProperties", "type": "boolean", 
"javaType": "boolean", "defaultValue" [...]
+    { "name": "camel.ssl.selfSignedKeyType", "required": false, "description": 
"The key algorithm to use when generating the self-signed certificate for 
development use (requires selfSigned to be enabled). Supported values are EC 
(default, NIST P-256) and RSA (2048-bit).", "sourceType": 
"org.apache.camel.main.SSLConfigurationProperties", "type": "enum", "javaType": 
"java.lang.String", "defaultValue": "EC", "secret": false, "enum": [ "EC", 
"RSA" ] },
     { "name": "camel.ssl.sessionTimeout", "required": false, "description": 
"Timeout in seconds to use for SSLContext. The default is 24 hours.", 
"sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": 
"integer", "javaType": "int", "defaultValue": 86400, "secret": false },
     { "name": "camel.ssl.signatureSchemes", "required": false, "description": 
"List of TLS\/SSL signature schemes. Multiple names can be separated by comma. 
Signature schemes control which signature algorithms are available during the 
TLS handshake, including post-quantum signature algorithms such as ML-DSA.", 
"sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": 
"string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.ssl.signatureSchemesExclude", "required": false, 
"description": "Filters TLS\/SSL signature schemes. This filter is used for 
excluding signature schemes that match the naming pattern. Multiple names can 
be separated by comma. Notice that if the signatureSchemes option has been 
configured then the include\/exclude filters are not in use.", "sourceType": 
"org.apache.camel.main.SSLConfigurationProperties", "type": "string", 
"javaType": "java.lang.String", "secret": false },
diff --git 
a/core/camel-main/src/generated/java/org/apache/camel/main/SSLConfigurationPropertiesConfigurer.java
 
b/core/camel-main/src/generated/java/org/apache/camel/main/SSLConfigurationPropertiesConfigurer.java
index 1b5b529834b7..2a48227139ea 100644
--- 
a/core/camel-main/src/generated/java/org/apache/camel/main/SSLConfigurationPropertiesConfigurer.java
+++ 
b/core/camel-main/src/generated/java/org/apache/camel/main/SSLConfigurationPropertiesConfigurer.java
@@ -42,6 +42,7 @@ public class SSLConfigurationPropertiesConfigurer extends 
org.apache.camel.suppo
         map.put("SecureRandomProvider", java.lang.String.class);
         map.put("SecureSocketProtocol", java.lang.String.class);
         map.put("SelfSigned", boolean.class);
+        map.put("SelfSignedKeyType", java.lang.String.class);
         map.put("SessionTimeout", int.class);
         map.put("SignatureSchemes", java.lang.String.class);
         map.put("SignatureSchemesExclude", java.lang.String.class);
@@ -94,6 +95,8 @@ public class SSLConfigurationPropertiesConfigurer extends 
org.apache.camel.suppo
         case "secureSocketProtocol": 
target.setSecureSocketProtocol(property(camelContext, java.lang.String.class, 
value)); return true;
         case "selfsigned":
         case "selfSigned": target.setSelfSigned(property(camelContext, 
boolean.class, value)); return true;
+        case "selfsignedkeytype":
+        case "selfSignedKeyType": 
target.setSelfSignedKeyType(property(camelContext, java.lang.String.class, 
value)); return true;
         case "sessiontimeout":
         case "sessionTimeout": target.setSessionTimeout(property(camelContext, 
int.class, value)); return true;
         case "signatureschemes":
@@ -158,6 +161,8 @@ public class SSLConfigurationPropertiesConfigurer extends 
org.apache.camel.suppo
         case "secureSocketProtocol": return java.lang.String.class;
         case "selfsigned":
         case "selfSigned": return boolean.class;
+        case "selfsignedkeytype":
+        case "selfSignedKeyType": return java.lang.String.class;
         case "sessiontimeout":
         case "sessionTimeout": return int.class;
         case "signatureschemes":
@@ -218,6 +223,8 @@ public class SSLConfigurationPropertiesConfigurer extends 
org.apache.camel.suppo
         case "secureSocketProtocol": return target.getSecureSocketProtocol();
         case "selfsigned":
         case "selfSigned": return target.isSelfSigned();
+        case "selfsignedkeytype":
+        case "selfSignedKeyType": return target.getSelfSignedKeyType();
         case "sessiontimeout":
         case "sessionTimeout": return target.getSessionTimeout();
         case "signatureschemes":
diff --git 
a/core/camel-main/src/generated/resources/META-INF/camel-main-configuration-metadata.json
 
b/core/camel-main/src/generated/resources/META-INF/camel-main-configuration-metadata.json
index 14ec2eeddbd2..887cc21c6825 100644
--- 
a/core/camel-main/src/generated/resources/META-INF/camel-main-configuration-metadata.json
+++ 
b/core/camel-main/src/generated/resources/META-INF/camel-main-configuration-metadata.json
@@ -374,6 +374,7 @@
     { "name": "camel.ssl.secureRandomProvider", "required": false, 
"description": "To use a specific provider for creating SecureRandom. The list 
of available providers returned by java.security.Security.getProviders() or 
null to use the highest priority provider implementing the secure socket 
protocol.", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", 
"type": "string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.ssl.secureSocketProtocol", "required": false, 
"description": "The protocol for the secure sockets created by the SSLContext. 
See 
https:\/\/docs.oracle.com\/en\/java\/javase\/17\/docs\/specs\/security\/standard-names.html",
 "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": 
"string", "javaType": "java.lang.String", "defaultValue": "TLSv1.3", "secret": 
false },
     { "name": "camel.ssl.selfSigned", "required": false, "description": 
"Whether to generate a self-signed certificate for development use when no 
keystore is configured. This can be used in development environment to easily 
enable HTTPS without providing a keystore. Do NOT use this in production as the 
certificate is not trusted and is regenerated on each restart.", "sourceType": 
"org.apache.camel.main.SSLConfigurationProperties", "type": "boolean", 
"javaType": "boolean", "defaultValue" [...]
+    { "name": "camel.ssl.selfSignedKeyType", "required": false, "description": 
"The key algorithm to use when generating the self-signed certificate for 
development use (requires selfSigned to be enabled). Supported values are EC 
(default, NIST P-256) and RSA (2048-bit).", "sourceType": 
"org.apache.camel.main.SSLConfigurationProperties", "type": "enum", "javaType": 
"java.lang.String", "defaultValue": "EC", "secret": false, "enum": [ "EC", 
"RSA" ] },
     { "name": "camel.ssl.sessionTimeout", "required": false, "description": 
"Timeout in seconds to use for SSLContext. The default is 24 hours.", 
"sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": 
"integer", "javaType": "int", "defaultValue": 86400, "secret": false },
     { "name": "camel.ssl.signatureSchemes", "required": false, "description": 
"List of TLS\/SSL signature schemes. Multiple names can be separated by comma. 
Signature schemes control which signature algorithms are available during the 
TLS handshake, including post-quantum signature algorithms such as ML-DSA.", 
"sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": 
"string", "javaType": "java.lang.String", "secret": false },
     { "name": "camel.ssl.signatureSchemesExclude", "required": false, 
"description": "Filters TLS\/SSL signature schemes. This filter is used for 
excluding signature schemes that match the naming pattern. Multiple names can 
be separated by comma. Notice that if the signatureSchemes option has been 
configured then the include\/exclude filters are not in use.", "sourceType": 
"org.apache.camel.main.SSLConfigurationProperties", "type": "string", 
"javaType": "java.lang.String", "secret": false },
diff --git a/core/camel-main/src/main/docs/main.adoc 
b/core/camel-main/src/main/docs/main.adoc
index c9edc37174f5..890332adbfe5 100644
--- a/core/camel-main/src/main/docs/main.adoc
+++ b/core/camel-main/src/main/docs/main.adoc
@@ -320,7 +320,7 @@ The camel.security supports 6 options, which are listed 
below.
 
 
 === Camel SSL configurations
-The camel.ssl supports 27 options, which are listed below.
+The camel.ssl supports 28 options, which are listed below.
 
 [width="100%",cols="2,5,^1,2",options="header"]
 |===
@@ -345,6 +345,7 @@ The camel.ssl supports 27 options, which are listed below.
 | *camel.ssl.secureRandomProvider* | To use a specific provider for creating 
SecureRandom. The list of available providers returned by 
java.security.Security.getProviders() or null to use the highest priority 
provider implementing the secure socket protocol. |  | String
 | *camel.ssl.secureSocketProtocol* | The protocol for the secure sockets 
created by the SSLContext. See 
\https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html
 | TLSv1.3 | String
 | *camel.ssl.selfSigned* | Whether to generate a self-signed certificate for 
development use when no keystore is configured. This can be used in development 
environment to easily enable HTTPS without providing a keystore. Do NOT use 
this in production as the certificate is not trusted and is regenerated on each 
restart. | false | boolean
+| *camel.ssl.selfSignedKeyType* | The key algorithm to use when generating the 
self-signed certificate for development use (requires selfSigned to be 
enabled). Supported values are EC (default, NIST P-256) and RSA (2048-bit). | 
EC | String
 | *camel.ssl.sessionTimeout* | Timeout in seconds to use for SSLContext. The 
default is 24 hours. | 86400 | int
 | *camel.ssl.signatureSchemes* | List of TLS/SSL signature schemes. Multiple 
names can be separated by comma. Signature schemes control which signature 
algorithms are available during the TLS handshake, including post-quantum 
signature algorithms such as ML-DSA. |  | String
 | *camel.ssl.signatureSchemesExclude* | Filters TLS/SSL signature schemes. 
This filter is used for excluding signature schemes that match the naming 
pattern. Multiple names can be separated by comma. Notice that if the 
signatureSchemes option has been configured then the include/exclude filters 
are not in use. |  | String
diff --git 
a/core/camel-main/src/main/java/org/apache/camel/main/BaseMainSupport.java 
b/core/camel-main/src/main/java/org/apache/camel/main/BaseMainSupport.java
index c78b59f6fa50..d0b745a39c09 100644
--- a/core/camel-main/src/main/java/org/apache/camel/main/BaseMainSupport.java
+++ b/core/camel-main/src/main/java/org/apache/camel/main/BaseMainSupport.java
@@ -2268,7 +2268,7 @@ public abstract class BaseMainSupport extends BaseService 
{
             LOG.warn("Generating self-signed SSL certificate for development 
use."
                      + " Do NOT use this in production.");
             String password = "camel-self-signed"; // NOSONAR
-            KeyStore ks = 
SelfSignedCertificateGenerator.generateKeyStore(password);
+            KeyStore ks = 
SelfSignedCertificateGenerator.generateKeyStore(password, 
sslConfig.getSelfSignedKeyType());
 
             KeyStoreParameters ksp = new KeyStoreParameters();
             ksp.setCamelContext(camelContext);
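Review bot: The warning two lines above the changed call still says only that a self-signed certificate is being generated, while the key algorithm is now user-configurable and its default has changed; logging it makes an unexpected EC key or a misconfigured option visible before TLS clients start failing. `LOG.warn("Generating self-signed SSL certificate ({} key) for development use. Do NOT use this in production.", sslConfig.getSelfSignedKeyType());`. An invalid selfSignedKeyType is only rejected inside generateKeyStore, so the IllegalArgumentException surfaces here during SSL bootstrap rather than at property binding. The enclosing method starts and ends outside the hunk.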
diff --git 
a/core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
 
b/core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
index 68e177b85154..24ace35c4441 100644
--- 
a/core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
+++ 
b/core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
@@ -72,6 +72,8 @@ public class SSLConfigurationProperties implements 
BootstrapCloseable {
     private boolean trustAllCertificates;
     @Metadata
     private boolean selfSigned;
+    @Metadata(label = "advanced", defaultValue = "EC", enums = "EC,RSA")
+    private String selfSignedKeyType = "EC";
     @Metadata(label = "advanced")
     private String keyManagerAlgorithm;
     @Metadata(label = "advanced")
@@ -401,6 +403,18 @@ public class SSLConfigurationProperties implements 
BootstrapCloseable {
         this.selfSigned = selfSigned;
     }
 
+    public String getSelfSignedKeyType() {
+        return selfSignedKeyType;
+    }
+
+    /**
+     * The key algorithm to use when generating the self-signed certificate 
for development use (requires selfSigned to
+     * be enabled). Supported values are EC (default, NIST P-256) and RSA 
(2048-bit).
+     */
+    public void setSelfSignedKeyType(String selfSignedKeyType) {
+        this.selfSignedKeyType = selfSignedKeyType;
+    }
+
     public String getKeyManagerAlgorithm() {
         return keyManagerAlgorithm;
     }
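Review bot: setSelfSignedKeyType stores whatever string it is given, so a typo such as `ECC` is accepted at binding time and only rejected later when the generator runs, even though the metadata advertises a closed `EC,RSA` enum. Either validate in the setter, `if (v != null && !v.isBlank() && !"EC".equalsIgnoreCase(v.trim()) && !"RSA".equalsIgnoreCase(v.trim())) throw new IllegalArgumentException("selfSignedKeyType must be EC or RSA");`, or at least state in the Javadoc that the value is matched case-insensitively after trimming and that null or blank falls back to EC, which is what the generator does. As written a user reading only this doc cannot tell whether `rsa` is valid.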
@@ -705,6 +719,15 @@ public class SSLConfigurationProperties implements 
BootstrapCloseable {
         return this;
     }
 
+    /**
+     * The key algorithm to use when generating the self-signed certificate 
for development use (requires selfSigned to
+     * be enabled). Supported values are EC (default, NIST P-256) and RSA 
(2048-bit).
+     */
+    public SSLConfigurationProperties withSelfSignedKeyType(String 
selfSignedKeyType) {
+        this.selfSignedKeyType = selfSignedKeyType;
+        return this;
+    }
+
     /**
      * Algorithm name used for creating the KeyManagerFactory.
      * <p>
diff --git 
a/core/camel-main/src/main/java/org/apache/camel/main/SelfSignedCertificateGenerator.java
 
b/core/camel-main/src/main/java/org/apache/camel/main/SelfSignedCertificateGenerator.java
index 457115c88b9c..4764b39bbe50 100644
--- 
a/core/camel-main/src/main/java/org/apache/camel/main/SelfSignedCertificateGenerator.java
+++ 
b/core/camel-main/src/main/java/org/apache/camel/main/SelfSignedCertificateGenerator.java
@@ -27,8 +27,10 @@ import java.security.SecureRandom;
 import java.security.Signature;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.security.spec.ECGenParameterSpec;
 import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
+import java.util.Locale;
 
 /**
  * Generates a self-signed certificate for development use. This allows 
enabling HTTPS with minimal configuration when
@@ -41,21 +43,51 @@ final class SelfSignedCertificateGenerator {
     private SelfSignedCertificateGenerator() {
     }
 
+    /**
+     * The default key algorithm used to generate the self-signed certificate.
+     */
+    static final String DEFAULT_KEY_TYPE = "EC";
+
     /**
      * Generates a PKCS12 KeyStore containing a self-signed certificate with 
Subject Alternative Names for localhost and
-     * 127.0.0.1.
+     * 127.0.0.1, using the default key algorithm ({@value #DEFAULT_KEY_TYPE}).
      *
      * @param  password  the password for the keystore and key entry
      * @return           a KeyStore containing the self-signed certificate
      * @throws Exception if certificate generation fails
      */
     static KeyStore generateKeyStore(String password) throws Exception {
+        return generateKeyStore(password, DEFAULT_KEY_TYPE);
+    }
+
+    /**
+     * Generates a PKCS12 KeyStore containing a self-signed certificate with 
Subject Alternative Names for localhost and
+     * 127.0.0.1.
+     *
+     * @param  password  the password for the keystore and key entry
+     * @param  keyType   the key algorithm to use, either {@code EC} (default, 
NIST P-256) or {@code RSA} (2048-bit)
+     * @return           a KeyStore containing the self-signed certificate
+     * @throws Exception if certificate generation fails
+     */
+    static KeyStore generateKeyStore(String password, String keyType) throws 
Exception {
+        String type = keyType == null || keyType.isBlank()
+                ? DEFAULT_KEY_TYPE : keyType.trim().toUpperCase(Locale.ROOT);
+
         SecureRandom random = new SecureRandom();
-        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-        keyGen.initialize(2048, random);
+        KeyPairGenerator keyGen;
+        if ("EC".equals(type)) {
+            keyGen = KeyPairGenerator.getInstance("EC");
+            keyGen.initialize(new ECGenParameterSpec("secp256r1"), random);
+        } else if ("RSA".equals(type)) {
+            keyGen = KeyPairGenerator.getInstance("RSA");
+            keyGen.initialize(2048, random);
+        } else {
+            throw new IllegalArgumentException(
+                    "Unsupported self-signed certificate key type: " + keyType 
+ " (supported: EC, RSA)");
+        }
         KeyPair keyPair = keyGen.generateKeyPair();
 
-        X509Certificate cert = generateCertificate(keyPair, random);
+        X509Certificate cert = generateCertificate(keyPair, type, random);
 
         KeyStore ks = KeyStore.getInstance("PKCS12");
         ks.load(null, password.toCharArray());
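Review bot: The two-arg generateKeyStore's Javadoc lists only `@throws Exception`, but the `else` branch throws IllegalArgumentException for anything other than EC or RSA, and because the value is trimmed and upper-cased first, `ec` or ` rsa ` are accepted while null or blank silently select the default — none of which a caller can learn from the doc. Add `@throws IllegalArgumentException if {@code keyType} is not EC or RSA (compared case-insensitively after trimming; null or blank selects {@value #DEFAULT_KEY_TYPE})`. Separately, switching the default to EC means `KeyPairGenerator.getInstance("EC")` now runs for everyone who enables selfSigned; on a runtime whose provider set lacks EC (presumably possible on a trimmed jlink image, depending on the JDK) that fails with NoSuchAlgorithmException where the old RSA default worked, which deserves a sentence in the Javadoc or the upgrade guide.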
@@ -65,7 +97,8 @@ final class SelfSignedCertificateGenerator {
         return ks;
     }
 
-    private static X509Certificate generateCertificate(KeyPair keyPair, 
SecureRandom random) throws Exception {
+    private static X509Certificate generateCertificate(KeyPair keyPair, String 
keyType, SecureRandom random)
+            throws Exception {
         PublicKey publicKey = keyPair.getPublic();
         PrivateKey privateKey = keyPair.getPrivate();
 
@@ -73,39 +106,43 @@ final class SelfSignedCertificateGenerator {
         ZonedDateTime expiry = now.plusDays(365);
 
         // Build self-signed X.509 certificate using DER encoding
-        byte[] encoded = buildSelfSignedCertificateDer(publicKey, privateKey, 
now, expiry, random);
+        byte[] encoded = buildSelfSignedCertificateDer(publicKey, privateKey, 
keyType, now, expiry, random);
 
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
         return (X509Certificate) cf.generateCertificate(new 
ByteArrayInputStream(encoded));
     }
 
     private static byte[] buildSelfSignedCertificateDer(
-            PublicKey publicKey, PrivateKey privateKey,
+            PublicKey publicKey, PrivateKey privateKey, String keyType,
             ZonedDateTime notBefore, ZonedDateTime notAfter,
             SecureRandom random)
             throws Exception {
 
+        boolean ec = "EC".equals(keyType);
+        String signatureAlgorithmName = ec ? "SHA256withECDSA" : 
"SHA256withRSA";
+        byte[] signatureAlgorithm = ec ? ecdsaWithSha256AlgorithmIdentifier() 
: sha256WithRsaAlgorithmIdentifier();
+
         // DN: CN=localhost, O=Apache Camel (self-signed)
         byte[] issuerDn = buildDn();
 
         // TBS Certificate
-        byte[] tbsCertificate = buildTbsCertificate(publicKey, issuerDn, 
notBefore, notAfter, random);
+        byte[] tbsCertificate
+                = buildTbsCertificate(publicKey, issuerDn, signatureAlgorithm, 
notBefore, notAfter, random);
 
         // Sign the TBS certificate
-        Signature sig = Signature.getInstance("SHA256withRSA");
+        Signature sig = Signature.getInstance(signatureAlgorithmName);
         sig.initSign(privateKey);
         sig.update(tbsCertificate);
         byte[] signature = sig.sign();
 
         // Build the full certificate: SEQUENCE { tbsCertificate, 
signatureAlgorithm, signature }
-        byte[] signatureAlgorithm = sha256WithRsaAlgorithmIdentifier();
         byte[] signatureBitString = wrapBitString(signature);
 
         return wrapSequence(concat(tbsCertificate, signatureAlgorithm, 
signatureBitString));
     }
 
     private static byte[] buildTbsCertificate(
-            PublicKey publicKey, byte[] dn,
+            PublicKey publicKey, byte[] dn, byte[] signatureAlgorithm,
             ZonedDateTime notBefore, ZonedDateTime notAfter,
             SecureRandom random) {
 
@@ -118,9 +155,6 @@ final class SelfSignedCertificateGenerator {
         serialBytes[0] &= 0x7F; // ensure positive
         byte[] serial = wrapInteger(serialBytes);
 
-        // Signature algorithm
-        byte[] signatureAlgorithm = sha256WithRsaAlgorithmIdentifier();
-
         // Validity
         byte[] validity = wrapSequence(concat(encodeUtcTime(notBefore), 
encodeUtcTime(notAfter)));
 
@@ -171,6 +205,13 @@ final class SelfSignedCertificateGenerator {
         return wrapSequence(concat(oid, nullParam));
     }
 
+    private static byte[] ecdsaWithSha256AlgorithmIdentifier() {
+        // OID 1.2.840.10045.4.3.2 (ecdsa-with-SHA256); per RFC 5758 the 
parameters field is absent
+        byte[] oid = new byte[] {
+                0x06, 0x08, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x04, 
0x03, 0x02 };
+        return wrapSequence(oid);
+    }
+
     private static byte[] encodeUtcTime(ZonedDateTime dateTime) {
         // UTCTime format: YYMMDDHHmmSSZ
         String utc = String.format("%02d%02d%02d%02d%02d%02dZ",
diff --git 
a/core/camel-main/src/test/java/org/apache/camel/main/MainSSLTest.java 
b/core/camel-main/src/test/java/org/apache/camel/main/MainSSLTest.java
index 9f0de001d989..8c80a3981f7f 100644
--- a/core/camel-main/src/test/java/org/apache/camel/main/MainSSLTest.java
+++ b/core/camel-main/src/test/java/org/apache/camel/main/MainSSLTest.java
@@ -461,6 +461,10 @@ public class MainSSLTest {
                 = (X509Certificate) ks.getCertificate("camel-self-signed");
         assertNotNull(cert);
 
+        // the default key type is EC (NIST P-256) signed with SHA256withECDSA
+        Assertions.assertEquals("EC", cert.getPublicKey().getAlgorithm());
+        Assertions.assertEquals("SHA256withECDSA", cert.getSigAlgName());
+
         // verify the certificate has a SAN extension with localhost
         Collection<List<?>> sans = cert.getSubjectAlternativeNames();
         assertNotNull(sans);
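Review bot: The new assertions check the key algorithm and the signature algorithm name but never that the hand-rolled DER signature actually verifies; since the ECDSA AlgorithmIdentifier and signature wrapping are new code, add `cert.verify(cert.getPublicKey());` right after the two `assertEquals` calls so a mismatched identifier or a mis-wrapped signature fails the test instead of only a real TLS handshake. `getSigAlgName()` is parsed from the same DER the generator emitted, so it passes even when the signature bytes are wrong. The enclosing test method starts outside the hunk.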
@@ -468,6 +472,26 @@ public class MainSSLTest {
         Assertions.assertTrue(sans.size() >= 2);
     }
 
+    @Test
+    public void testSelfSignedCertificateGeneratorRSA() throws Exception {
+        KeyStore ks = 
SelfSignedCertificateGenerator.generateKeyStore("test-password", "RSA");
+        assertNotNull(ks);
+        Assertions.assertTrue(ks.containsAlias("camel-self-signed"));
+        assertNotNull(ks.getKey("camel-self-signed", 
"test-password".toCharArray()));
+
+        X509Certificate cert
+                = (X509Certificate) ks.getCertificate("camel-self-signed");
+        assertNotNull(cert);
+
+        // RSA remains selectable, signed with SHA256withRSA
+        Assertions.assertEquals("RSA", cert.getPublicKey().getAlgorithm());
+        Assertions.assertEquals("SHA256withRSA", cert.getSigAlgName());
+
+        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
+        assertNotNull(sans);
+        Assertions.assertTrue(sans.size() >= 2);
+    }
+
     @Test
     public void testMainSSLSignatureSchemesFilterFluent() {
         Main main = new Main();
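Review bot: testSelfSignedCertificateGeneratorRSA covers the happy path only; the validation and normalization added to generateKeyStore have no test, so a regression that drops the upper-casing or starts accepting `DSA` would go unnoticed. Add `Assertions.assertThrows(IllegalArgumentException.class, () -> SelfSignedCertificateGenerator.generateKeyStore("test-password", "DSA"));` plus a call with `"rsa"` asserting the public key algorithm is RSA, and finish the RSA test with `cert.verify(cert.getPublicKey());` so the signature itself is checked rather than just its algorithm name.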
diff --git 
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc 
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
index 7e66b555bda4..0ac746609a93 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
@@ -132,6 +132,16 @@ Previously these nodes were flattened to the same level as 
their parent `choice`
 with the tree structure exposed by `getChildren()`. This affects level values 
reported via JMX (`ManagedProcessor.getLevel()`)
 and dev consoles for nodes inside Choice EIP branches.
 
+=== camel-main
+
+The development-only self-signed certificate generated when 
`camel.ssl.selfSigned=true` (used to enable HTTPS without
+providing a keystore) now defaults to an *EC* key (NIST P-256, signed with 
SHA256withECDSA) instead of *RSA-2048*.
+The key algorithm is configurable via the new `camel.ssl.selfSignedKeyType` 
option, which accepts `EC` (default) or
+`RSA`. Set `camel.ssl.selfSignedKeyType=RSA` to retain the previous behaviour.
+
+This certificate is intended for development use only and is regenerated on 
each restart, so the change does not affect
+production deployments, which must provide their own keystore via 
`camel.ssl.keyStore`.
+
 === camel-jbang
 
 Camel JBang has been rebranded as Camel CLI in the documentation.
