@@ -20,6 +20,7 @@ endpoints declared in an OpenAPI 3.1.x specification. Handlers are pure function
2020- [ JSON mapping] ( #json-mapping )
2121- [ Body parsers and response writers] ( #body-parsers-and-response-writers )
2222- [ Server configuration] ( #server-configuration )
23+ - [ HTTPS] ( #https )
2324- [ Interceptors and response decorators] ( #interceptors-and-response-decorators )
2425- [ After-response hooks] ( #after-response-hooks )
2526- [ Security] ( #security )
@@ -326,6 +327,64 @@ OpenApiServer.builder()
326327 .build();
327328```
328329
330+ ### HTTPS
331+
332+ Point the builder at a PEM certificate chain and a PEM PKCS #8 private key:
333+
334+ ``` java
335+ import java.nio.file.Path ;
336+
337+ var server = OpenApiServer . builder()
338+ .spec(spec)
339+ .handlers(handlers)
340+ .https(
341+ Path . of(" /etc/letsencrypt/live/example.com/fullchain.pem" ),
342+ Path . of(" /etc/letsencrypt/live/example.com/privkey.pem" ))
343+ .build();
344+ ```
345+
346+ certbot / Let's Encrypt write exactly these two files to
347+ ` /etc/letsencrypt/live/<domain>/ ` : ` fullchain.pem ` (your certificate + the
348+ issuing intermediates, concatenated PEM) and ` privkey.pem ` (unencrypted PKCS #8 ).
349+ No conversion to PKCS12 / JKS is needed; the library parses the PEM directly
350+ using JDK APIs only.
351+
352+ Both RSA and EC (P-256) private keys are accepted; the algorithm is detected
353+ automatically.
354+
355+ When ` .https(...) ` is set, the default port changes from ` 8080 ` to ` 8443 ` .
356+ ` port(int) ` still overrides explicitly:
357+
358+ ``` java
359+ OpenApiServer . builder()
360+ .spec(spec)
361+ .handlers(handlers)
362+ .https(certChain, privateKey)
363+ .port(443 ) // overrides the 8443 default
364+ .build();
365+ ```
366+
367+ For local development without a real certificate, generate a self-signed pair
368+ with one openssl command:
369+
370+ ``` bash
371+ openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
372+ -keyout privkey.pem -out fullchain.pem \
373+ -subj " /CN=localhost" \
374+ -addext " subjectAltName=DNS:localhost,IP:127.0.0.1"
375+ ```
376+
377+ Clients (browsers, ` curl ` , ` HttpClient ` ) need to trust the resulting certificate
378+ explicitly — it isn't signed by a public CA.
379+
380+ ** Not in this release** (each can land later without breaking the API):
381+
382+ - Encrypted / password-protected private keys
383+ - PKCS12 / JKS keystore inputs
384+ - Certificate hot-reload on renewal (restart the process after ` certbot renew ` )
385+ - TLS protocol / cipher overrides (JDK defaults apply: TLS 1.2 and 1.3)
386+ - Serving HTTP and HTTPS from one ` OpenApiServer ` instance
387+
329388### Graceful shutdown
330389
331390` OpenApiServer ` exposes ` stop(int delaySeconds) ` for explicit shutdown that waits up to the given
0 commit comments