TLS/SSL for Java Developers: A Practical Guide with Quarkus

Because “it just works” isn’t a security strategy.

Apr 28, 2025

In a world of APIs, cloud deployments, and microservices talking to each other across the internet, understanding TLS (Transport Layer Security) is essential. Yet many Java developers treat it as dark magic, until the app breaks in staging, a production outage happens, or a compliance checklist shows up on your desk.

This guide cuts through the noise. I’ll demystify TLS and SSL, show you how Java handles secure communication, and walk through hands-on examples using Quarkus to secure your applications, clients, and service-to-service communication.

This isn't theory. This is the knowledge you’ll actually use.

What Is TLS, and Why Should You Care?

Every time you hit https://, you’re invoking TLS. It protects communication over the internet by encrypting the transport channel between two systems. TLS provides:

Confidentiality: So nobody can read your data.
Integrity: So nobody can tamper with it.
Authentication: So you know who you’re talking to.

That applies whether you're calling an external API, securing a REST endpoint, or deploying a containerized app behind a load balancer.

Wait, Is It TLS or SSL?

Let’s get this straight:

SSL (Secure Sockets Layer) is deprecated and insecure.
TLS (Transport Layer Security) is its successor and what we use today.
TLS 1.2 is the minimum standard.
TLS 1.3 is the current best practice (and Java 11+ supports it out of the box).

We still hear “SSL” colloquially, but it’s TLS under the hood.

TLS in Java: Under the Hood

Java uses the following building blocks to handle TLS:

KeyStore: Stores your private keys and certificates. Used by servers to prove their identity.
TrustStore: Stores certificates you trust. Used by clients to validate the server.
JSSE (Java Secure Socket Extension): The subsystem that implements TLS/SSL.

Java ships with a default truststore (cacerts) that contains the root certificates of trusted Certificate Authorities (CAs). You can also load your own truststore if you're using internal certificates or self-signed ones.

If you are on RHEL-like OS-es (Fedora, CentOS, ...) and you installed Java from the official RPM, then the cacerts file is provided by (and synchronized with) the system wide trust store:

$ ls -l /usr/lib/jvm/java/lib/security/cacerts
lrwxrwxrwx. 1 root root 21 May  1  2024 /usr/lib/jvm/java/lib/security/cacerts -> /etc/pki/java/cacerts

Quarkus Makes TLS Easier

If you’ve dealt with TLS configuration in raw Java (Servlets, Tomcat, etc.), you know it can be verbose. Quarkus trims the fat and makes TLS configuration approachable, even enjoyable.

I’ll walk you through several real-world examples:

Serving a TLS-secured REST endpoint.
Creating a TLS client.
Enabling mutual TLS (mTLS).
Hardening TLS settings for production.

Let’s get hands-on.

Example 1: Serving a Secure REST Endpoint

Imagine you’re building a REST API that serves customer data. You want it to run over HTTPS.

Step 1: Generate a Self-Signed Certificate

For local dev, use the JDK’s keytool to generate a keystore with a self-signed certificate:

keytool -genkeypair \
  -alias quarkus-cert \
  -keyalg RSA \
  -keysize 2048 \
  -storetype PKCS12 \
  -keystore server-keystore.p12 \
  -validity 3650 \
  -storepass password \
  -keypass password \
  -dname "CN=localhost, OU=Dev, O=Example, L=City, S=State, C=US"

Step 2: Configure Quarkus

In src/main/resources/application.properties:

quarkus.http.ssl-port=8443
quarkus.http.insecure-requests=redirect

quarkus.http.ssl.certificate.key-store-file=server-keystore.p12
quarkus.http.ssl.certificate.key-store-password=password
quarkus.http.ssl.certificate.key-store-type=PKCS12

Note: Storing clear text passwords in a configuration file is only a good idea for testing and local development. Make sure to externalise them appropriately.

Step 3: Create the Endpoint

@Path("/hello")
public class HelloResource {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String hello() {
        return "Hello, secure world!";
    }
}

Step 4: Test It

Start Quarkus:

./mvnw quarkus:dev

Curl the endpoint (ignore the self-signed cert warning with -k):

curl -k https://localhost:8443/hello

You should see:

Hello, secure world!

Done. Your first HTTPS-enabled Quarkus service is live.

Example 2: Secure REST Client with TrustStore

Now let’s build a Quarkus client that talks to that secure server.

Step 1: Export the Server Certificate

keytool -export -alias quarkus-cert \
  -keystore server-keystore.p12 \
  -storepass password \
  -file server.crt

Create a client truststore:

keytool -import -alias quarkus-cert \
  -file server.crt \
  -keystore client-truststore.p12 \
  -storetype PKCS12 \
  -storepass password \
  -noprompt

Step 2: Configure the Client

In the client app's application.properties:

quarkus.rest-client.secure-api.url=https://localhost:8443

quarkus.ssl.trust-store-file=client-truststore.p12
quarkus.ssl.trust-store-password=password
quarkus.ssl.trust-store-type=PKCS12

Step 3: Define the Interface

@Path("/hello")
@RegisterRestClient(configKey = "secure-api")
public interface SecureApi {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    String hello();
}

Step 4: Use the Client

@Path("/call")
public class CallerResource {

    @Inject
    @RestClient
    SecureApi api;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String call() {
        return api.hello();
    }
}

Start your client app and hit /call—you’ll see the server’s secure response.

Example 3: Enable Mutual TLS (mTLS)

Mutual TLS is when both the client and server authenticate each other using certificates. Common in microservices and regulated industries.

Step 1: Generate a Client Certificate

keytool -genkeypair \
  -alias client-cert \
  -keyalg RSA \
  -keysize 2048 \
  -keystore client-keystore.p12 \
  -storetype PKCS12 \
  -storepass password \
  -dname "CN=client, OU=Dev, O=ClientOrg, L=City, S=State, C=US"

Export the client cert and import it into the server’s truststore:

keytool -export -alias client-cert \
  -keystore client-keystore.p12 \
  -storepass password \
  -file client.crt

keytool -import -alias client-cert \
  -file client.crt \
  -keystore server-truststore.p12 \
  -storepass password \
  -noprompt

Step 2: Configure Server for mTLS

quarkus.http.ssl.client-auth=required
quarkus.http.ssl.trust-store-file=server-truststore.p12
quarkus.http.ssl.trust-store-password=password
quarkus.http.ssl.trust-store-type=PKCS12

Step 3: Configure the Client for mTLS

quarkus.ssl.certificate.key-store-file=client-keystore.p12
quarkus.ssl.certificate.key-store-password=password
quarkus.ssl.certificate.key-store-type=PKCS12

Now both sides verify identity with certificates.

1. Use Trusted CAs

Never use self-signed certs in production. Use Let’s Encrypt or an enterprise CA.

2. Automate Certificate Rotation

Use cert-manager on Kubernetes or tools like acme.sh to automate cert renewal.

3. Enable TLS 1.3

Java 11+ supports it. Enable it explicitly:

quarkus.http.ssl.protocols=TLSv1.3

4. Avoid Weak Ciphers

Set this JVM option:

-Djdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048

5. Store Passwords Securely

Avoid hardcoding. Use environment variables or the Quarkus Vault extension.

6. Redirect All HTTP to HTTPS

quarkus.http.insecure-requests=redirect

7. Test TLS Endpoints

Use SSL Labs or:

openssl s_client -connect localhost:8443

8. Use mTLS for Internal Services

Great for securing service-to-service communication inside a mesh or private network.

9. Check Native Compatibility

If you build native images with GraalVM, test certificate support early. Some algorithms and keystore types may need extra reflection config.

Absolutely! Here's a new section you can insert after the "Further Reading" section or just before it if you want to keep the flow of technical deep dives intact:

Dig Deeper: TLS Configuration Reference in Quarkus

As your applications mature and your environments grow more complex, you'll likely need to fine-tune your TLS setup beyond basic certificate paths and passwords. This is where the official Quarkus TLS Registry Reference becomes invaluable.

The TLS registry in Quarkus provides a centralized way to define and reuse multiple TLS configurations within a single application. This is especially useful if:

You need different trust or key stores for different REST clients.
You're building multi-tenant systems with per-tenant certificates.
You want to avoid duplication and centralize your SSL setup.

Note: Most of Quarkus extesions that use Quarkus TLS Registry under the hood do not honor $JAVA_HOME/lib/security/cacerts by default. There is a built-in named TLS config javax.net.ssl to do just that. Here an example for for a gRPC client:

quarkus.grpc.clients.hello.tls-configuration-name=javax.net.ssl

How It Works

You define named TLS configurations under the quarkus.tls namespace in application.properties:

quarkus.tls.my-custom-tls.trust-store-file=client-truststore.p12
quarkus.tls.my-custom-tls.trust-store-password=password
quarkus.tls.my-custom-tls.trust-store-type=PKCS12

Then, you reference it in a REST client or other component:

quarkus.rest-client.secure-api.tls=my-custom-tls

This approach is cleaner, DRY, and makes managing multiple TLS contexts far more manageable.

Bonus: Built-in Integration Points

You can use the TLS registry not just with REST clients, but also with:

Kafka clients
Hibernate reactive connections
Vert.x HTTP clients
Any extension that supports named TLS configurations

This means one centralized config can propagate across your entire stack without scattering cert paths or passwords throughout your app.

TLS is not just a checkbox on a security audit

It’s a foundational skill for every modern Java developer. Whether you’re building APIs, integrating services, or deploying to cloud-native platforms, knowing how TLS works, and how to configure it properly, is what separates resilient apps from risky ones.

With Quarkus, it’s not only possible, it’s easy.

If this helped, subscribe for more Java, Quarkus, and practical cloud-native development guides.