TLS: Introduce key-store-key-password

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java

@@ -81,6 +81,12 @@ public class CertificateConfig {
     @ConfigItem
     public Optional<String> keyStoreKeyAlias;
 
+    /**
+     * An optional parameter to define the password for the key, in case it's different from {@link #keyStorePassword}.
+     */
+    @ConfigItem
+    public Optional<String> keyStoreKeyPassword;
+
     /**
      * An optional trust store which holds the certificate information of the certificates to trust.
      */

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/VertxHttpRecorder.java

@@ -622,7 +622,8 @@ private static HttpServerOptions createSslOptions(HttpBuildTimeConfig buildTimeC
                     keystorePassword,
                     sslConfig.certificate.keyStoreFileType,
                     sslConfig.certificate.keyStoreProvider,
-                    sslConfig.certificate.keyStoreKeyAlias);
+                    sslConfig.certificate.keyStoreKeyAlias,
+                    sslConfig.certificate.keyStoreKeyPassword);
             serverOptions.setKeyCertOptions(options);
         } else {
             return null;
@@ -637,7 +638,8 @@ private static HttpServerOptions createSslOptions(HttpBuildTimeConfig buildTimeC
                     trustStorePassword.get(),
                     sslConfig.certificate.trustStoreFileType,
                     sslConfig.certificate.trustStoreProvider,
-                    sslConfig.certificate.trustStoreCertAlias);
+                    sslConfig.certificate.trustStoreCertAlias,
+                    Optional.empty());
             serverOptions.setTrustOptions(options);
         }
 
@@ -664,22 +666,23 @@ private static HttpServerOptions createSslOptions(HttpBuildTimeConfig buildTimeC
         return serverOptions;
     }
 
-    private static KeyStoreOptions createKeyStoreOptions(Path keyStorePath, String password, Optional<String> keyStoreFileType,
-            Optional<String> keyStoreProvider, Optional<String> keyStoreAlias) throws IOException {
+    private static KeyStoreOptions createKeyStoreOptions(Path path, String password, Optional<String> fileType,
+            Optional<String> provider, Optional<String> alias, Optional<String> aliasPassword) throws IOException {
         final String type;
-        if (keyStoreFileType.isPresent()) {
-            type = keyStoreFileType.get().toLowerCase();
+        if (fileType.isPresent()) {
+            type = fileType.get().toLowerCase();
         } else {
-            type = findKeystoreFileType(keyStorePath);
+            type = findKeystoreFileType(path);
         }
 
-        byte[] data = getFileContent(keyStorePath);
+        byte[] data = getFileContent(path);
         KeyStoreOptions options = new KeyStoreOptions()
                 .setPassword(password)
                 .setValue(Buffer.buffer(data))
                 .setType(type.toUpperCase())
-                .setProvider(keyStoreProvider.orElse(null))
-                .setAlias(keyStoreAlias.orElse(null));
+                .setProvider(provider.orElse(null))
+                .setAlias(alias.orElse(null))
+                .setAliasPassword(aliasPassword.orElse(null));
         return options;
     }
 

integration-tests/vertx-http/src/main/resources/application.properties

@@ -2,6 +2,7 @@ vertx.event-loops.size=2
 quarkus.http.ssl.certificate.key-store-file=server-keystore.jks
 quarkus.http.ssl.certificate.key-store-password=password
 quarkus.http.ssl.certificate.key-store-key-alias=server
+quarkus.http.ssl.certificate.key-store-key-password=serverpw
 quarkus.http.ssl.certificate.trust-store-file=server-truststore.jks
 quarkus.http.ssl.certificate.trust-store-password=password
 quarkus.http.ssl.certificate.trust-store-cert-alias=mykey-1