[jira] [Work started] (CAMEL-23736) camel-main: make the self-signed (dev) certificate key algorithm configurable, default to EC

Thu, 11 Jun 2026 03:00:10 -0700 


     [ 
https://issues.apache.org/jira/browse/CAMEL-23736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on CAMEL-23736 started by Andrea Cosentino.
------------------------------------------------
> camel-main: make the self-signed (dev) certificate key algorithm 
> configurable, default to EC
> --------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-23736
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23736
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-main
>            Reporter: Andrea Cosentino
>            Assignee: Andrea Cosentino
>            Priority: Minor
>
> h3. Background
> {{SelfSignedCertificateGenerator}} in {{camel-main}} (used by 
> {{BaseMainSupport}} when {{camel.ssl.selfSigned=true}} to enable zero-config 
> development HTTPS) currently hardcodes:
> * an *RSA-2048* key pair ({{KeyPairGenerator.getInstance("RSA")}}), and
> * a *SHA256withRSA* X.509 certificate signature (including the hand-rolled 
> DER {{AlgorithmIdentifier}}).
> h3. Proposal
> Expose the key algorithm via {{SSLConfigurationProperties}} (e.g. 
> {{camel.ssl.selfSignedKeyType}}) supporting:
> * *EC* -- new default, P-256 (secp256r1) with {{SHA256withECDSA}}
> * *RSA* -- 2048-bit with {{SHA256withRSA}}, retained for backward 
> compatibility
> {{SelfSignedCertificateGenerator}} selects the matching key-pair generator 
> and X.509 signature {{AlgorithmIdentifier}} accordingly.
> h3. Rationale
> EC P-256 is the modern default (smaller keys, faster handshakes) and making 
> the algorithm pluggable improves crypto-agility -- a stepping stone toward 
> PQC-capable certificate signing once the JDK exposes ML-DSA X.509 signing. 
> Note: this certificate is explicitly for development only ("NOT suitable for 
> production use"), so this is a hygiene/modernization change, not a 
> security-vulnerability fix.
> h3. Acceptance criteria
> * New configuration option on {{SSLConfigurationProperties}} (EC default, RSA 
> selectable)
> * {{SelfSignedCertificateGenerator}} supports both EC (ECDSA 
> {{AlgorithmIdentifier}}) and RSA paths
> * {{MainSSLTest}} covers both EC (default) and RSA
> * Generated camel-main configuration metadata regenerated
> Adjacent (not a duplicate): CAMEL-23250.
> _Identified during a PQC-readiness review of Apache Camel._



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to