I have a standard Spring-Boot 3 app that has configured an embedded webserver (standard Tomcat) with TLS.
pom.xml

```xml
...
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
...
```
application.properties

```properties
server.port = 8443
server.ssl.enabled = true
server.ssl.key-store-type = PKCS12
server.ssl.key-store = testks/keystore.p12
server.ssl.key-store-password = secret
```
All is fine that way. The certificate is self-signed – but that's not the problem, I think.
My webserver is listening on port 8443 and handles requests – as expected after I start my app.
So far – so good.
Now I also have to be a TLS web client to query a web server that has very special TLS settings – because of reasons I cannot change.
For doing that I have to use BouncyCastle. The code for that I put into a component that is initialized at start-up.
```java
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Runs once at start-up; these settings are JVM-wide, not per component.
Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
// Put the BC crypto provider first and the BC JSSE provider second,
// removing any earlier registration so the positions are deterministic.
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
Security.insertProviderAt(new BouncyCastleProvider(), 1);
Security.removeProvider(BouncyCastleJsseProvider.PROVIDER_NAME);
Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);
// create SSL-context
// create HTTPS-client with that SSL-context
// request HTTPS-server
```
That is working well too – but the app now only starts if I disable TLS for the embedded webserver.
```text
org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
Caused by: java.lang.IllegalArgumentException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
```
I think my Security-Provider settings for being an HTTPS client destroy the internal TLS framework for being an HTTPS server.
If I remove the 5 Security.* lines my HTTPS client is not working anymore – but the embedded HTTPS server is working again.
Is there a way I can make both work?
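One way to keep BouncyCastle out of the JVM-wide provider list and use it only for the outgoing client, as an added example that is not part of the question (it assumes bcprov and bctls on the classpath; the keystore paths and passwords are placeholders):

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Builds a BCJSSE-backed SSLContext for the outgoing client only.
 * No Security.insertProviderAt/removeProvider calls: the JVM-wide provider
 * order, and therefore what Tomcat resolves for PKCS12 and its key manager, is untouched.
 */
public final class ScopedBcClient {
    public static SSLContext bcClientContext(Path clientP12, char[] storePw, Path trustP12, char[] trustPw)
            throws Exception {
        // Keystores are loaded with the JDK's default PKCS12 implementation (placeholder paths).
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(clientP12)) { ks.load(in, storePw); }
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustP12)) { ts.load(in, trustPw); }

        // Provider instances are handed to the factories explicitly instead of being registered globally.
        Provider bc = new BouncyCastleProvider();
        Provider bcJsse = new BouncyCastleJsseProvider(bc);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", bcJsse);
        kmf.init(ks, storePw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", bcJsse);
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS", bcJsse);
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    // The client gets the BC context directly; the embedded server never sees it.
    public static String get(SSLContext ctx, String url) throws Exception {
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).GET().build();
        return client.send(req, HttpResponse.BodyHandlers.ofString()).body();
    }
}
```

Because nothing here changes the global provider order, Tomcat keeps resolving PKCS12 and SunX509 through the JDK's default providers while the client handshake runs on BCJSSE.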