From 5d8e79710fa0c85f1a0340c21ae8f4c012b0f80c Mon Sep 17 00:00:00 2001
From: vishesh92
Date: Tue, 28 Apr 2026 14:39:52 +0530
Subject: [PATCH] Address comments

---
 .../java/org/apache/cloudstack/ca/CAManager.java | 4 ++--
 .../cloudstack/ca/provider/RootCAProvider.java | 6 +++---
 .../org/apache/cloudstack/ca/CAManagerImpl.java | 10 +++++++---
 .../apache/cloudstack/utils/security/CertUtils.java | 13 +++++++------
 4 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/api/src/main/java/org/apache/cloudstack/ca/CAManager.java b/api/src/main/java/org/apache/cloudstack/ca/CAManager.java
index 6f63a857591..d2ebdc25f1b 100644
--- a/api/src/main/java/org/apache/cloudstack/ca/CAManager.java
+++ b/api/src/main/java/org/apache/cloudstack/ca/CAManager.java
@@ -44,7 +44,7 @@ public interface CAManager extends CAService, Configurable, PluggableService {
 "The CA provider plugin used for CloudStack internal certificate management (MS-agent encryption and authentication). " +
 "The default 'root' provider auto-generates a CA on first startup, but also supports user-provided custom CA material " +
 "via the ca.plugin.root.private.key, ca.plugin.root.public.key, and ca.plugin.root.ca.certificate settings. " +
- "Restart management server(s) when changed.", true);
+ "Restart management server(s) when changed.", false);

 ConfigKey CertKeySize = new ConfigKey<>("Advanced", Integer.class,
 "ca.framework.cert.keysize",
@@ -94,7 +94,7 @@ public interface CAManager extends CAService, Configurable, PluggableService {
 "ca.framework.inject.default.truststore", "true",
 "When true, injects the CA provider's certificate into the JVM default truststore on management server startup. " +
 "This allows outgoing HTTPS connections from the management server to trust servers with certificates signed by the configured CA. " +
- "Restart management server(s) when changed.", true);
+ "Restart management server(s) when changed.", false);

 /**
 * Returns a list of available CA provider plugins
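Review bot: The bare `false` that replaces `true` as the last `ConfigKey` argument gives no hint at the call site of what it controls; presumably it is the `isDynamic` flag, which is what makes the description's "Restart management server(s) when changed." accurate now. An inline marker such as `"Restart management server(s) when changed.", /* isDynamic */ false);` would keep that readable without changing behaviour, and the same applies to the second hunk of this file and to the three keys changed in RootCAProvider.java. Both `ConfigKey` declarations in this file begin above their hunks.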
diff --git a/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java b/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
index 78e43d19507..32c601386ac 100644
--- a/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
+++ b/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
@@ -108,20 +108,20 @@ public final class RootCAProvider extends AdapterBase implements CAProvider, Con
 null,
 "The ROOT CA private key in PEM format. " +
 "When set along with the public key and certificate, CloudStack uses this custom CA instead of auto-generating one. " +
- "All three ca.plugin.root.* keys must be set together. Restart management server(s) when changed.", true);
+ "All three ca.plugin.root.* keys must be set together. Restart management server(s) when changed.", false);

 private static ConfigKey rootCAPublicKey = new ConfigKey<>("Hidden", String.class,
 "ca.plugin.root.public.key",
 null,
 "The ROOT CA public key in PEM format (X.509/SPKI: must start with '-----BEGIN PUBLIC KEY-----'). " +
- "Required when providing a custom CA. Restart management server(s) when changed.", true);
+ "Required when providing a custom CA. Restart management server(s) when changed.", false);

 private static ConfigKey rootCACertificate = new ConfigKey<>("Hidden", String.class,
 "ca.plugin.root.ca.certificate",
 null,
 "The CA certificate(s) in PEM format (must start with '-----BEGIN CERTIFICATE-----'). " +
 "For intermediate CAs, concatenate the signing cert first, followed by intermediate(s) and root. " +
- "Required when providing a custom CA. Restart management server(s) when changed.", true);
+ "Required when providing a custom CA. Restart management server(s) when changed.", false);

 private static ConfigKey rootCAIssuerDN = new ConfigKey<>("Advanced", String.class,
 "ca.plugin.root.issuer.dn",
diff --git a/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java b/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java
index 9cf025b4b45..73ff79301fb 100644
--- a/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java
@@ -41,6 +41,7 @@ import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;

@@ -578,10 +579,13 @@ public class CAManagerImpl extends ManagerBase implements CAManager {
 // Copy existing default trusted certs
 final TrustManagerFactory defaultTmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 defaultTmf.init((KeyStore) null);
- final X509TrustManager defaultTm = (X509TrustManager) defaultTmf.getTrustManagers()[0];
 int aliasIndex = 0;
- for (final X509Certificate cert : defaultTm.getAcceptedIssuers()) {
- trustStore.setCertificateEntry("default-ca-" + aliasIndex++, cert);
+ for (final TrustManager tm : defaultTmf.getTrustManagers()) {
+ if (tm instanceof X509TrustManager) {
+ for (final X509Certificate cert : ((X509TrustManager) tm).getAcceptedIssuers()) {
+ trustStore.setCertificateEntry("default-ca-" + aliasIndex++, cert);
+ }
+ }
 }

 // Add CA provider's certificates
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
index 7b4d3738ac5..84a4a127440 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
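Review bot: When none of the managers returned by `defaultTmf.getTrustManagers()` is an `X509TrustManager`, the new loop in the second hunk silently copies nothing, so the truststore assembled here would hold only the provider's CA with no indication in the logs that the JVM defaults were left out. A check after the loop such as `if (aliasIndex == 0) { LOGGER_PLACEHOLDER.warn("No X509TrustManager found in default TrustManagerFactory; default CA certificates were not copied"); }` would make that visible (the class's logger field is outside the hunk, hence the placeholder name). The `instanceof` followed by a cast could become `if (tm instanceof X509TrustManager x509Tm)` if this module already builds for Java 16 or later, which I cannot tell from the hunk. The enclosing method starts before and ends after this hunk.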
@@ -100,12 +100,13 @@ public class CertUtils {
 public static List pemToX509Certificates(final String pem) throws CertificateException, IOException {
 final List certs = new ArrayList<>();
- final PEMParser pemParser = new PEMParser(new StringReader(pem));
- final JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter().setProvider("BC");
- Object parsedObj;
- while ((parsedObj = pemParser.readObject()) != null) {
- if (parsedObj instanceof X509CertificateHolder) {
- certs.add(certConverter.getCertificate((X509CertificateHolder) parsedObj));
+ try (final PEMParser pemParser = new PEMParser(new StringReader(pem))) {
+ final JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter().setProvider("BC");
+ Object parsedObj;
+ while ((parsedObj = pemParser.readObject()) != null) {
+ if (parsedObj instanceof X509CertificateHolder) {
+ certs.add(certConverter.getCertificate((X509CertificateHolder) parsedObj));
+ }
 }
 }
 return certs;