Skip to content

Fixed an issue where a disabled certificate in Azure Key Vault caused keystore initialization to fail with an HTTP 403 error#49730

Open
moarychan wants to merge 4 commits into
mainfrom
v-shilichen/fix-disabled-cert-caused-keystore-initialization-failure
Open

Fixed an issue where a disabled certificate in Azure Key Vault caused keystore initialization to fail with an HTTP 403 error#49730
moarychan wants to merge 4 commits into
mainfrom
v-shilichen/fix-disabled-cert-caused-keystore-initialization-failure

Conversation

@moarychan

@moarychan moarychan commented Jul 6, 2026

Copy link
Copy Markdown
Member

Fixes #49692

Description

Please add an informative description that covers that changes made by the pull request and link all relevant issues.

If an SDK is being regenerated based on a new swagger spec, a link to the pull request containing these swagger spec changes has been included above.

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

… keystore initialization to fail with an HTTP 403 error
@moarychan moarychan marked this pull request as ready for review July 7, 2026 01:58
@moarychan moarychan requested a review from a team as a code owner July 7, 2026 01:58
Copilot AI review requested due to automatic review settings July 7, 2026 01:58
@moarychan moarychan requested a review from a team as a code owner July 7, 2026 01:58
@rujche rujche added azure-spring All azure-spring related issues azure-spring-keyvault Spring keyvault related issues. labels Jul 7, 2026
@rujche rujche moved this from Todo to In Progress in Spring Cloud Azure Jul 7, 2026
@rujche rujche added this to the 2026-08 milestone Jul 7, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes Azure Key Vault JCA keystore initialization failures caused by disabled certificates in a vault by filtering out explicitly disabled certificates during alias discovery, preventing downstream 403s from aborting initialization.

Changes:

  • Add certificate “attributes.enabled” parsing support and an isEnabled() helper on CertificateItem.
  • Skip explicitly disabled certificates in KeyVaultClient#getAliases() and log a warning when skipping.
  • Add unit tests covering enabled/disabled/attributeless certificate-list responses, and record the fix in the changelog.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/implementation/KeyVaultClientTest.java Adds tests ensuring disabled certificates are filtered out of aliases (including raw REST-shaped JSON).
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/model/CertificateItemAttributes.java Introduces a REST-model for certificate list attributes (currently parses enabled).
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/model/CertificateItem.java Adds attributes support and a helper to treat absent attributes as enabled for compatibility.
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java Filters aliases to skip disabled certificates to avoid later 403s breaking initialization.
sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md Documents the bug fix in the unreleased section.

Comment thread sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

@moarychan moarychan enabled auto-merge (squash) July 7, 2026 03:00
@moarychan

Copy link
Copy Markdown
Member Author

Hi @g2vinay, this pr is pending for code owner approval, please help help review it. Thanks!

@moarychan moarychan requested a review from g2vinay July 7, 2026 05:02

@prithwishlaha1996 prithwishlaha1996 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this skip the cert load whose alias is not specified in the configuration ?

As I understand it, it should load only the certificate whose alias is specified in the configuration. However, if there are 10 enabled certificates in Key Vault, it appears to load all of them even when a specific alias is configured. Is it an expected behavior ?

spring:
ssl:
bundle:
keyvault:
apptls:
key:
alias: cert-name

@moarychan

Copy link
Copy Markdown
Member Author

@prithwishlaha1996 It will still load all certificates. Loading only specified certificates is a new requirement, and we need to further confirm whether to add it now.

@moarychan

Copy link
Copy Markdown
Member Author

@prithwishlaha1996 let's merge this bug first, I re-opened the feature request #39487

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

azure-spring All azure-spring related issues azure-spring-keyvault Spring keyvault related issues. KeyVault

Projects

Status: Untriaged
Status: In Progress

Development

Successfully merging this pull request may close these issues.

[BUG] A single disabled certificate in Key Vault breaks JCA KeyStore initialization for the entire vault, even for unrelated SSL bundles

4 participants