From e1a1d0e233926c8612d073d43bbcf96fdd77b17e Mon Sep 17 00:00:00 2001
From: Garvit Joshi <garvitjoshi9@gmail.com>
Date: Mon, 26 Jan 2026 15:22:20 +0530
Subject: [PATCH 1/2] Show certificates from truststore in SSL info endpoint

See gh-48967

Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
---
 .../springframework/boot/info/SslInfo.java    |  19 ++++-
 .../boot/info/SslInfoTests.java               |  69 +++++++++++++++++-
 .../springframework/boot/info/keystore.jks    | Bin 0 -> 2604 bytes
 .../springframework/boot/info/truststore.jks  | Bin 0 -> 1837 bytes
 .../info/InfoEndpointDocumentationTests.java  |  38 +++++++++-
 5 files changed, 119 insertions(+), 7 deletions(-)
 create mode 100644 core/spring-boot/src/test/resources/org/springframework/boot/info/keystore.jks
 create mode 100644 core/spring-boot/src/test/resources/org/springframework/boot/info/truststore.jks

diff --git a/core/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java b/core/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java
index 46da37d4e64..4c848b0d82e 100644
--- a/core/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java
+++ b/core/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java
@@ -104,9 +104,12 @@ public class SslInfo {
 
 		private final List<CertificateChainInfo> certificateChains;
 
+		private final List<CertificateChainInfo> trustStoreCertificates;
+
 		private BundleInfo(String name, SslBundle sslBundle) {
 			this.name = name;
 			this.certificateChains = extractCertificateChains(sslBundle.getStores().getKeyStore());
+			this.trustStoreCertificates = extractCertificateChains(sslBundle.getStores().getTrustStore());
 		}
 
 		private List<CertificateChainInfo> extractCertificateChains(@Nullable KeyStore keyStore) {
@@ -132,6 +135,10 @@ public class SslInfo {
 			return this.certificateChains;
 		}
 
+		public List<CertificateChainInfo> getTrustStoreCertificates() {
+			return this.trustStoreCertificates;
+		}
+
 	}
 
 	/**
@@ -150,9 +157,17 @@ public class SslInfo {
 
 		private List<CertificateInfo> extractCertificates(KeyStore keyStore, String alias) {
 			try {
+				// First try to get the certificate chain (works for PrivateKeyEntry)
 				Certificate[] certificates = keyStore.getCertificateChain(alias);
-				return (!ObjectUtils.isEmpty(certificates))
-						? Arrays.stream(certificates).map(CertificateInfo::new).toList() : Collections.emptyList();
+				if (!ObjectUtils.isEmpty(certificates)) {
+					return Arrays.stream(certificates).map(CertificateInfo::new).toList();
+				}
+				// Fall back to single certificate (works for trustedCertEntry)
+				Certificate certificate = keyStore.getCertificate(alias);
+				if (certificate != null) {
+					return List.of(new CertificateInfo(certificate));
+				}
+				return Collections.emptyList();
 			}
 			catch (KeyStoreException ex) {
 				return Collections.emptyList();
diff --git a/core/spring-boot/src/test/java/org/springframework/boot/info/SslInfoTests.java b/core/spring-boot/src/test/java/org/springframework/boot/info/SslInfoTests.java
index d36f1f2ce27..4b5a35295b2 100644
--- a/core/spring-boot/src/test/java/org/springframework/boot/info/SslInfoTests.java
+++ b/core/spring-boot/src/test/java/org/springframework/boot/info/SslInfoTests.java
@@ -60,9 +60,9 @@ class SslInfoTests {
 		assertThat(bundle.getCertificateChains().get(1).getAlias()).isEqualTo("test-alias");
 		assertThat(bundle.getCertificateChains().get(1).getCertificates()).hasSize(1);
 		assertThat(bundle.getCertificateChains().get(2).getAlias()).isEqualTo("spring-boot-cert");
-		assertThat(bundle.getCertificateChains().get(2).getCertificates()).isEmpty();
+		assertThat(bundle.getCertificateChains().get(2).getCertificates()).hasSize(1);
 		assertThat(bundle.getCertificateChains().get(3).getAlias()).isEqualTo("test-alias-cert");
-		assertThat(bundle.getCertificateChains().get(3).getCertificates()).isEmpty();
+		assertThat(bundle.getCertificateChains().get(3).getCertificates()).hasSize(1);
 		CertificateInfo cert1 = bundle.getCertificateChains().get(0).getCertificates().get(0);
 		assertThat(cert1.getSubject()).isEqualTo("CN=localhost,OU=Spring,O=VMware,L=Palo Alto,ST=California,C=US");
 		assertThat(cert1.getIssuer()).isEqualTo(cert1.getSubject());
@@ -85,6 +85,7 @@ class SslInfoTests {
 		assertThat(cert2.getValidity()).isNotNull();
 		assertThat(cert2.getValidity().getStatus()).isSameAs(Status.VALID);
 		assertThat(cert2.getValidity().getMessage()).isNull();
+		assertThat(bundle.getTrustStoreCertificates()).isEmpty();
 	}
 
 	@Test
@@ -149,7 +150,7 @@ class SslInfoTests {
 			.flatMap((bundle) -> bundle.getCertificateChains().stream())
 			.flatMap((certificateChain) -> certificateChain.getCertificates().stream())
 			.toList();
-		assertThat(certs).hasSize(5);
+		assertThat(certs).hasSize(7);
 		assertThat(certs).allSatisfy((cert) -> {
 			assertThat(cert.getSubject()).isEqualTo("CN=localhost,OU=Spring,O=VMware,L=Palo Alto,ST=California,C=US");
 			assertThat(cert.getIssuer()).isEqualTo(cert.getSubject());
@@ -188,6 +189,68 @@ class SslInfoTests {
 		SslInfo sslInfo = new SslInfo(sslBundleRegistry, CLOCK);
 		assertThat(sslInfo.getBundles()).hasSize(1);
 		assertThat(sslInfo.getBundles().get(0).getCertificateChains()).isEmpty();
+		assertThat(sslInfo.getBundles().get(0).getTrustStoreCertificates()).isEmpty();
+	}
+
+	@Test
+	@WithPackageResources("test.p12")
+	void trustStoreCertificatesShouldProvideSslInfo() {
+		DefaultSslBundleRegistry sslBundleRegistry = new DefaultSslBundleRegistry();
+		JksSslStoreDetails trustStoreDetails = JksSslStoreDetails.forLocation("classpath:test.p12")
+			.withPassword("secret");
+		SslStoreBundle sslStoreBundle = new JksSslStoreBundle(null, trustStoreDetails);
+		sslBundleRegistry.registerBundle("test-trust", SslBundle.of(sslStoreBundle));
+		SslInfo sslInfo = new SslInfo(sslBundleRegistry, CLOCK);
+		assertThat(sslInfo.getBundles()).hasSize(1);
+		BundleInfo bundle = sslInfo.getBundles().get(0);
+		assertThat(bundle.getName()).isEqualTo("test-trust");
+		assertThat(bundle.getCertificateChains()).isEmpty();
+		assertThat(bundle.getTrustStoreCertificates()).hasSize(4);
+		assertThat(bundle.getTrustStoreCertificates().get(0).getAlias()).isEqualTo("spring-boot");
+		assertThat(bundle.getTrustStoreCertificates().get(1).getAlias()).isEqualTo("test-alias");
+	}
+
+	@Test
+	@WithPackageResources("test.p12")
+	void bothKeyStoreAndTrustStoreCertificatesShouldProvideSslInfo() {
+		DefaultSslBundleRegistry sslBundleRegistry = new DefaultSslBundleRegistry();
+		JksSslStoreDetails storeDetails = JksSslStoreDetails.forLocation("classpath:test.p12").withPassword("secret");
+		SslStoreBundle sslStoreBundle = new JksSslStoreBundle(storeDetails, storeDetails);
+		sslBundleRegistry.registerBundle("test-both", SslBundle.of(sslStoreBundle));
+		SslInfo sslInfo = new SslInfo(sslBundleRegistry, CLOCK);
+		assertThat(sslInfo.getBundles()).hasSize(1);
+		BundleInfo bundle = sslInfo.getBundles().get(0);
+		assertThat(bundle.getName()).isEqualTo("test-both");
+		assertThat(bundle.getCertificateChains()).hasSize(4);
+		assertThat(bundle.getTrustStoreCertificates()).hasSize(4);
+	}
+
+	@Test
+	@WithPackageResources({ "keystore.jks", "truststore.jks" })
+	void separateKeyStoreAndTrustStoreShouldProvideSslInfo() {
+		DefaultSslBundleRegistry sslBundleRegistry = new DefaultSslBundleRegistry();
+		JksSslStoreDetails keyStoreDetails = JksSslStoreDetails.forLocation("classpath:keystore.jks")
+			.withPassword("secret");
+		JksSslStoreDetails trustStoreDetails = JksSslStoreDetails.forLocation("classpath:truststore.jks")
+			.withPassword("secret");
+		SslStoreBundle sslStoreBundle = new JksSslStoreBundle(keyStoreDetails, trustStoreDetails);
+		sslBundleRegistry.registerBundle("test-separate", SslBundle.of(sslStoreBundle));
+		SslInfo sslInfo = new SslInfo(sslBundleRegistry, CLOCK);
+		assertThat(sslInfo.getBundles()).hasSize(1);
+		BundleInfo bundle = sslInfo.getBundles().get(0);
+		assertThat(bundle.getName()).isEqualTo("test-separate");
+		// Keystore has 2 PrivateKeyEntry entries
+		assertThat(bundle.getCertificateChains()).hasSize(2);
+		assertThat(bundle.getCertificateChains()).allSatisfy((chain) -> {
+			assertThat(chain.getCertificates()).hasSize(1);
+			assertThat(chain.getCertificates().get(0).getSubject()).startsWith("CN=localhost");
+		});
+		// Truststore has 3 trustedCertEntry entries
+		assertThat(bundle.getTrustStoreCertificates()).hasSize(3);
+		assertThat(bundle.getTrustStoreCertificates()).allSatisfy((chain) -> {
+			assertThat(chain.getCertificates()).hasSize(1);
+			assertThat(chain.getCertificates().get(0).getSubject()).startsWith("CN=localhost");
+		});
 	}
 
 	private SslInfo createSslInfo(String... locations) {
diff --git a/core/spring-boot/src/test/resources/org/springframework/boot/info/keystore.jks b/core/spring-boot/src/test/resources/org/springframework/boot/info/keystore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..4e3e26f8195a6f7c40a7eaa0564fa136a1c6d7ee
GIT binary patch
literal 2604
zcmZ{lXH?VK7RB=q)dVE;A|RslV(6iS-lex7OsE3Vm0qMI2#AELA`wtPihxvUQY_Tq
zNOvNLfM8G{GW23-!}HC0kN4J^5BI~qYn^-U+V}qUIa)bd0f9i^zZU?4_yxMV`dtqU
z4v__cfP88$$0QJl1_Z}aAHW%CAriCzH6RXV1^{X-^)l(R(;MxghKdow-eB+-HaeTR
z06ItVVhqv5<^Iq`qZeqYOUWQ+H+{kDs%4J`#=hCtUVe2U%-3jI^-Ii;s7A}BVzZ|W
zSI^AxshJC8pMOlG&_@S1t7CIOnzD?2jP^141<2W8q3EP_&br=u<=&TR+w-ZR$LYBJ
zAA;wJf7;_w_wQ*2S2>DG=E?8}ad2qNq@>bafN_16r8LED-96sfI~oh=%FP(xhiu>Y
zUg0hgBKjO^ur%vA&*{~v47!%o-PAr6d01UOLg|NHRzrd2c^<3&<n@q?;u<~6ps|<G
z6zkP@%h8QwK<}PG97LL>Rh!*5QweH~CY@{L5cO9{gogT}TC6UJhO;Llyi0Y%7MNRQ
z))_WEMdO&+dmmm+>j`G~nZB)ci6MTUZ}U^B3_6c-n#J(SgJ&ZI2jgb`Z+BuNTYa>k
zLV}-cJQDq*gymYgl)47C2E!oB+W0&sViMQZ=<_@`XJe<;KA%Y8ELtO-+bpGApgNVZ
z5XpiGIf3F>7?YVez0!>J<Omu4PKf96T*JA&98c@qFSi)U#n;COE`i)@0Ztvq)rjo<
z)F^H{>Dl5$&z*RZ?}4DY3osX?FOJ?^%ee33Ik};H{<~1cRtwHPw9uY?{h9ck*f{#t
z_fsXAg2^w#jGi5YJE&ahedRIQmG@1kPazsnX+ZfA9=b26ecrg-s5h(MK$r2gB^K8H
zyAe-fi>-W7W1+Rer3U=Aw6&3h@t#;3VTWRcC`l{VF1V&OSww@0+9CUMo0~kXsyWM#
z#5X>|ti9|}j9IAtE*`m#x}#|A>;~hfaH$B3DAKq$=+#xr$@s49lVT35cC8j?ENI-`
zx?oJ}<ooOE&vrDH)cZRG;rI7)2SRcT1=yb6K$2H4l?LhFZ~(Y<6=3L&h~*UYU~LV4
z9LvP)QfgyDLRTt^*(9y7M_EFQ^<=s%4a+PBJwo&g%+tL{bE&DtCLdMRSTZBkHLh;B
z{M^F1tBK@#_0p=%7F_W%pI`bT?NxYQaTzT({CHZ&A=-J<csS#jshPmWnB+prPvRUW
z)(k@2EAS!#)Tkg=`o5A2i$u2a(1;Etj$Lo7XbCZSIU|(LXdpuyz3N8j>!$Vmu;~p9
z-SE_H)R|9KA{I0TVJbC48$~WEIxwBy?{Qxe;kEZ#Z9Cd6Soha5@56zcJ{tJi689Fh
z4NXF=mGttTFENMXJhm@D%cdVXr!(bohJ=kA*c;(DVoKgqSUA@u34)Tg(arQAr+dEv
z)NS5qbv@edi!C;kuli!W9>VXiC@ryg^8_Ur`)V?I#vc22Op1q|?Tny>w9~rvLh_x3
zh3s?C{V4^oD^n|h2_se63>n7j@W?gPS^%$wrdOsK8pm2oC9gM7eVIMv;gAfgjt$wm
z<z#{ESB=v-%ISzYw|hKTVlGv8{K$r(PS=KzH&3rTFr-sG`0}o7*8A>CrH4VkL!Sl*
znD#YWefDJEU{Si;ROwIGUUXD?Hy`Pg7UwUroSZG)?EcvKYtEa8JPt0#h+I)9g^we0
zJKA(qO!dlTR?g2(+6SJWQY2<?r>MAPZd+(H2OS?hjj?)c9hPu&QMGq;fKTedq4<*$
zs=5L3DybkuRMsSZd^9z<GKCny$~S7cT;nv^t;9^VwDDuDNuo;6dOH1F98T&a9{~`J
zy|e;c`6Mmd;8<`o91A=yqyhtAFxxFg!K_a3^~U&5xQX#+|4L1<6*wd98Sx~;q+Lb;
zfSv>>y9_IwnU>0ynu_66#=`kI8D$mWGO`F6xQv_}!r??Jos$1lh6MyqHvnirR9JxN
zB&Gof7z+TPw;i1CmKM014FQ9I%V-h6x~DCREIQn0mcr!^{)Ybcu8Cuas2R_bI6CX;
zVMZWTD-oWi^j;LW+NS63J8O1ll0gK6EEj<b(H6(qO}zckPr6>xZ8PU%Ls_IZh!)Nu
ziW%Qw@zxE%31UPiHo~nf%Tn0%m)=%B4?DVn<1OTTy@0WUw4x4D@*vL|Z1}xXhaws+
z=96=IBX;ni2*j%7<(r)$);%OHB?3!z#88<Y3FfNIYeC5HS&|o4&CY)q%R6m(f6`09
zx4FE#mCPrwt$$d0Y^&-jWgpghFwVB-X{=3O*0~TH`)Vg&c^h(1VXPON@d8?K<@UWa
z#Ih=w3IGA89Xfe}6NdnhNl5=7pB2iLx69MdV5hmNo&SSu?9cul6lVs}<Uz~VA1}ld
zNBojaayMC*HYi21J?Gbu+{yvU)NbSByC0=dd14RrO=v#MiSSLP*XU?vrWD0S?;mnk
z^+DT@2I|4-K4qpV3c{lGWywE_Z|UU1)Wz*#&nSC~2!)7N#RDfbAHJ-sIW9cHkI;!Y
zwT=-7*>dM}`4MF;Ox#Uhs4OG*KCOl0VAM`!LL0k1w7QGcsl`JC{6&vEBURn8>SD({
z)t2Q^+<<#7+OQNKJ}@D7P3t#b2W0I4r5hP+hfbn-P1G!j{v=Jtn+;1mTpqxoyNrrP
z=HEtn&@h`M@slyXKJuCW4EbL(9@cJqvONaJ4FBJV$Gj>Uiw#H+w))EEw;MFMO^zrR
zh;`u=`(w#5jfdazBBq9AF+rq|U^lGok~jV837?7H*lzj5PQjylzeQwuF=}ifhvcrz
z$oBSgB0@J4eCjFc?fil73WMxKp{UD>-G+f~$i50>Fq*VC8n~|UQgZC)uy2=SNa4Ff
zrYdLe%y?(xB%I3F6X`+IT!$RI0zq14Jfj#oC_f`gOjkU<?^i*#_|ri^wWT~q&L?ru
zw$G8Hh!$bjzKje(p`Y*I{)bvX;)D(nIA-W?XamfRG~vLaZ;pv%<mmJXv@o}7IE0q|
z1ll1aH5C}nCc^@U{hQeT8g?33xB~n%u)pL#R9%I$($f7p84Ud0f(oFc(gsnRs;P$z
zlbso}3!>5X8)wfNt)9U*gdKXi&LosY80NocLLc;aM5H<-fAt&5UU3tbjT08y4-eRE
zYu`vzoKcB7ePt>`5L^!|pbyS5y_mSI8<x(kv=GYz_OiYZuf_R>RG!>mayI<UYw!h7
zg{oJj0C)mEJ|0N?+Eu7oS`LY8R{JqLVN#Mg$xA-!%z`Y%2(HUKxe=eu%S&^O0*(Cm
E7a)dxOaK4?

literal 0
HcmV?d00001

diff --git a/core/spring-boot/src/test/resources/org/springframework/boot/info/truststore.jks b/core/spring-boot/src/test/resources/org/springframework/boot/info/truststore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..8e27d6e6790b2c8f1b0fc7879e29981b69ed54d5
GIT binary patch
literal 1837
zcmezO_TO6u1_mY|W(Lz-Ir+(nIT`uICB_U4jB{8dA9XXZM(CLuSOQh;GH7DjX3)eq
zZvitCBNLNI4X@I~y-XQf8gBL6xV!?WT0--!0WTY;R+~rLcV0$DZdL{ZQA1$^K{n=4
z7G@rV*+vF(;=D#?28Ko!h6aYl#uiaPt~nAHm$oKGC1eX2Ss9p{82K51ZsKBUVq|1E
zxJUfd%cqjtJQ&^c^kdZ-gOBW*_*&!qF~3fUT&8ES&rWR>J9o{YL8|rQ{j^lS6HnHf
zpIF>^R9PW%muqtNeZP*IJnD_M%he53*%sA@-8gvV_>+t!heIA_h5UNK;a;uQe@)Y?
zLnzZFuScm-<Ho1*;J{^_B5p4au3A&}ub@X}f%yKXjbU6n!vA#6=322SL@u-YT*a1v
zN9{9YD!$DuwXk@vqhGkUB>2b^3G)*|Yb(wzbA2L^XekqLqCe}UiJJAKIn(Q8?gmb|
znXZt%ZTaCHuVod!y8T`HKh!!=H==CEpUWa2(!88FmhF97SGVum9Luj<lT9xjW$NF|
zJ=eQsa<9cJYbIt!21eu%0!9HagcuooN{*kE4GK?`Ih2;;{%zap-Evoq>V6(S5-#3<
z&1dTN$8R=knqA0g_nGlo_~oZx3yqG*f3TIb%(G-kx_tTjb-nP}np53;Sg$-(m%Z7y
z&e?H7=fb+`-+v`nALHKr@8m|NzN}@wR;Fqi8<(~JTvX#cL%>ceLSV(OA1^FSD|VRu
ziL=R)oftVSK}u~_Y-^9ro(oY%%j5e@E?7D?))!`T8}Um1W($ZuTlH;K^DfZ{?zM-6
z<F==&Gd*y9eNT7op7#l1g12`~OkK38XN|_Dmks47Zy2XI#$-p?u0Q$fux)WzY#ZzT
zYYt1QZ|S|B>33dx`m2*Yv4=btUU+n{DwS2xr%mp4BRFyM!xOh|Nl|HW2{?rdx@*Hz
zIHNW&C8--Uo`WXvJbzCI1I8EG(|mL)FWv<vaDk+?23%|$zyyBImW7$gK*UhUKmd}u
zIpKyQCvF2%1LVXF=Hk#5X&}tT4mO#I5o!f9BRjJb1B<VXUCH^^@w}7fR>wws;^Xst
z&pC5b+26Fpd(F!#Jm#F?kNtBbwW2$!{c+BPNpF+1jOx`?f0yTd-nIKvtJyuPDr6@!
zdoUQdGAXz*P4iW5{pwQICu#n)PKYTzSh2xT{J@jt?VEh~$`9;kQe;?ZoxVze>4w4O
z%lX$HA6nqBbU9c3Hk&u+Z}=>ka8u^>KeY0~2ppOc`wZZrIa*$fmKQ^{yqF%cmd9`6
Tp(8$AZm;+!JmEOe_xK|Kwg%hN

literal 0
HcmV?d00001

diff --git a/documentation/spring-boot-actuator-docs/src/test/java/org/springframework/boot/actuate/docs/info/InfoEndpointDocumentationTests.java b/documentation/spring-boot-actuator-docs/src/test/java/org/springframework/boot/actuate/docs/info/InfoEndpointDocumentationTests.java
index 0d11d51829b..db1e2a5c9ee 100644
--- a/documentation/spring-boot-actuator-docs/src/test/java/org/springframework/boot/actuate/docs/info/InfoEndpointDocumentationTests.java
+++ b/documentation/spring-boot-actuator-docs/src/test/java/org/springframework/boot/actuate/docs/info/InfoEndpointDocumentationTests.java
@@ -208,6 +208,40 @@ class InfoEndpointDocumentationTests extends MockMvcEndpointDocumentationTests {
 					.description("Certificate validity status.")
 					.type(JsonFieldType.STRING),
 				fieldWithPath("bundles[].certificateChains[].certificates[].signatureAlgorithmName")
+					.description("Signature algorithm name.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates").description("Certificate chains in the trust store.")
+					.type(JsonFieldType.ARRAY),
+				fieldWithPath("bundles[].trustStoreCertificates[].alias").description("Alias of the certificate chain.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates")
+					.description("Certificates in the chain.")
+					.type(JsonFieldType.ARRAY),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].subject")
+					.description("Subject of the certificate.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].version")
+					.description("Version of the certificate.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].issuer")
+					.description("Issuer of the certificate.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].validityStarts")
+					.description("Certificate validity start date.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].serialNumber")
+					.description("Serial number of the certificate.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].validityEnds")
+					.description("Certificate validity end date.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].validity")
+					.description("Certificate validity information.")
+					.type(JsonFieldType.OBJECT),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].validity.status")
+					.description("Certificate validity status.")
+					.type(JsonFieldType.STRING),
+				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].signatureAlgorithmName")
 					.description("Signature algorithm name.")
 					.type(JsonFieldType.STRING));
 	}
@@ -259,9 +293,9 @@ class InfoEndpointDocumentationTests extends MockMvcEndpointDocumentationTests {
 		@Bean
 		SslInfo sslInfo() {
 			DefaultSslBundleRegistry sslBundleRegistry = new DefaultSslBundleRegistry();
-			JksSslStoreDetails keyStoreDetails = JksSslStoreDetails.forLocation("classpath:test.p12")
+			JksSslStoreDetails storeDetails = JksSslStoreDetails.forLocation("classpath:test.p12")
 				.withPassword("secret");
-			SslStoreBundle sslStoreBundle = new JksSslStoreBundle(keyStoreDetails, null);
+			SslStoreBundle sslStoreBundle = new JksSslStoreBundle(storeDetails, storeDetails);
 			sslBundleRegistry.registerBundle("test-0", SslBundle.of(sslStoreBundle));
 			return new SslInfo(sslBundleRegistry);
 		}

From 27b9402df1b9104421a4aa0d52df0db73e6a166e Mon Sep 17 00:00:00 2001
From: Moritz Halbritter <moritz.halbritter@broadcom.com>
Date: Fri, 6 Feb 2026 12:04:31 +0100
Subject: [PATCH 2/2] Polish "Show certificates from truststore in SSL info
 endpoint"

See gh-48967
---
 .../springframework/boot/info/SslInfo.java    | 33 ++++++++++++-------
 .../boot/info/SslInfoTests.java               | 16 ++++-----
 .../info/InfoEndpointDocumentationTests.java  | 26 ++++++++-------
 3 files changed, 44 insertions(+), 31 deletions(-)

diff --git a/core/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java b/core/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java
index 4c848b0d82e..b3be703613d 100644
--- a/core/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java
+++ b/core/spring-boot/src/main/java/org/springframework/boot/info/SslInfo.java
@@ -104,12 +104,12 @@ public class SslInfo {
 
 		private final List<CertificateChainInfo> certificateChains;
 
-		private final List<CertificateChainInfo> trustStoreCertificates;
+		private final List<CertificateChainInfo> trustStoreCertificateChains;
 
 		private BundleInfo(String name, SslBundle sslBundle) {
 			this.name = name;
 			this.certificateChains = extractCertificateChains(sslBundle.getStores().getKeyStore());
-			this.trustStoreCertificates = extractCertificateChains(sslBundle.getStores().getTrustStore());
+			this.trustStoreCertificateChains = extractCertificateChains(sslBundle.getStores().getTrustStore());
 		}
 
 		private List<CertificateChainInfo> extractCertificateChains(@Nullable KeyStore keyStore) {
@@ -135,8 +135,8 @@ public class SslInfo {
 			return this.certificateChains;
 		}
 
-		public List<CertificateChainInfo> getTrustStoreCertificates() {
-			return this.trustStoreCertificates;
+		public List<CertificateChainInfo> getTrustStoreCertificateChains() {
+			return this.trustStoreCertificateChains;
 		}
 
 	}
@@ -157,15 +157,13 @@ public class SslInfo {
 
 		private List<CertificateInfo> extractCertificates(KeyStore keyStore, String alias) {
 			try {
-				// First try to get the certificate chain (works for PrivateKeyEntry)
-				Certificate[] certificates = keyStore.getCertificateChain(alias);
-				if (!ObjectUtils.isEmpty(certificates)) {
-					return Arrays.stream(certificates).map(CertificateInfo::new).toList();
+				List<CertificateInfo> certificates = readCertificateChain(keyStore, alias);
+				if (certificates != null) {
+					return certificates;
 				}
-				// Fall back to single certificate (works for trustedCertEntry)
-				Certificate certificate = keyStore.getCertificate(alias);
+				List<CertificateInfo> certificate = readCertificate(keyStore, alias);
 				if (certificate != null) {
-					return List.of(new CertificateInfo(certificate));
+					return certificate;
 				}
 				return Collections.emptyList();
 			}
@@ -174,6 +172,19 @@ public class SslInfo {
 			}
 		}
 
+		private @Nullable List<CertificateInfo> readCertificate(KeyStore keyStore, String alias)
+				throws KeyStoreException {
+			Certificate certificate = keyStore.getCertificate(alias);
+			return (certificate != null) ? List.of(new CertificateInfo(certificate)) : null;
+		}
+
+		private @Nullable List<CertificateInfo> readCertificateChain(KeyStore keyStore, String alias)
+				throws KeyStoreException {
+			Certificate[] certificates = keyStore.getCertificateChain(alias);
+			return ObjectUtils.isEmpty(certificates) ? null
+					: Arrays.stream(certificates).map(CertificateInfo::new).toList();
+		}
+
 		public String getAlias() {
 			return this.alias;
 		}
diff --git a/core/spring-boot/src/test/java/org/springframework/boot/info/SslInfoTests.java b/core/spring-boot/src/test/java/org/springframework/boot/info/SslInfoTests.java
index 4b5a35295b2..57b9d3e38fb 100644
--- a/core/spring-boot/src/test/java/org/springframework/boot/info/SslInfoTests.java
+++ b/core/spring-boot/src/test/java/org/springframework/boot/info/SslInfoTests.java
@@ -85,7 +85,7 @@ class SslInfoTests {
 		assertThat(cert2.getValidity()).isNotNull();
 		assertThat(cert2.getValidity().getStatus()).isSameAs(Status.VALID);
 		assertThat(cert2.getValidity().getMessage()).isNull();
-		assertThat(bundle.getTrustStoreCertificates()).isEmpty();
+		assertThat(bundle.getTrustStoreCertificateChains()).isEmpty();
 	}
 
 	@Test
@@ -189,7 +189,7 @@ class SslInfoTests {
 		SslInfo sslInfo = new SslInfo(sslBundleRegistry, CLOCK);
 		assertThat(sslInfo.getBundles()).hasSize(1);
 		assertThat(sslInfo.getBundles().get(0).getCertificateChains()).isEmpty();
-		assertThat(sslInfo.getBundles().get(0).getTrustStoreCertificates()).isEmpty();
+		assertThat(sslInfo.getBundles().get(0).getTrustStoreCertificateChains()).isEmpty();
 	}
 
 	@Test
@@ -205,9 +205,9 @@ class SslInfoTests {
 		BundleInfo bundle = sslInfo.getBundles().get(0);
 		assertThat(bundle.getName()).isEqualTo("test-trust");
 		assertThat(bundle.getCertificateChains()).isEmpty();
-		assertThat(bundle.getTrustStoreCertificates()).hasSize(4);
-		assertThat(bundle.getTrustStoreCertificates().get(0).getAlias()).isEqualTo("spring-boot");
-		assertThat(bundle.getTrustStoreCertificates().get(1).getAlias()).isEqualTo("test-alias");
+		assertThat(bundle.getTrustStoreCertificateChains()).hasSize(4);
+		assertThat(bundle.getTrustStoreCertificateChains().get(0).getAlias()).isEqualTo("spring-boot");
+		assertThat(bundle.getTrustStoreCertificateChains().get(1).getAlias()).isEqualTo("test-alias");
 	}
 
 	@Test
@@ -222,7 +222,7 @@ class SslInfoTests {
 		BundleInfo bundle = sslInfo.getBundles().get(0);
 		assertThat(bundle.getName()).isEqualTo("test-both");
 		assertThat(bundle.getCertificateChains()).hasSize(4);
-		assertThat(bundle.getTrustStoreCertificates()).hasSize(4);
+		assertThat(bundle.getTrustStoreCertificateChains()).hasSize(4);
 	}
 
 	@Test
@@ -246,8 +246,8 @@ class SslInfoTests {
 			assertThat(chain.getCertificates().get(0).getSubject()).startsWith("CN=localhost");
 		});
 		// Truststore has 3 trustedCertEntry entries
-		assertThat(bundle.getTrustStoreCertificates()).hasSize(3);
-		assertThat(bundle.getTrustStoreCertificates()).allSatisfy((chain) -> {
+		assertThat(bundle.getTrustStoreCertificateChains()).hasSize(3);
+		assertThat(bundle.getTrustStoreCertificateChains()).allSatisfy((chain) -> {
 			assertThat(chain.getCertificates()).hasSize(1);
 			assertThat(chain.getCertificates().get(0).getSubject()).startsWith("CN=localhost");
 		});
diff --git a/documentation/spring-boot-actuator-docs/src/test/java/org/springframework/boot/actuate/docs/info/InfoEndpointDocumentationTests.java b/documentation/spring-boot-actuator-docs/src/test/java/org/springframework/boot/actuate/docs/info/InfoEndpointDocumentationTests.java
index db1e2a5c9ee..41ee62ec7eb 100644
--- a/documentation/spring-boot-actuator-docs/src/test/java/org/springframework/boot/actuate/docs/info/InfoEndpointDocumentationTests.java
+++ b/documentation/spring-boot-actuator-docs/src/test/java/org/springframework/boot/actuate/docs/info/InfoEndpointDocumentationTests.java
@@ -210,38 +210,40 @@ class InfoEndpointDocumentationTests extends MockMvcEndpointDocumentationTests {
 				fieldWithPath("bundles[].certificateChains[].certificates[].signatureAlgorithmName")
 					.description("Signature algorithm name.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates").description("Certificate chains in the trust store.")
+				fieldWithPath("bundles[].trustStoreCertificateChains")
+					.description("Certificate chains in the trust store.")
 					.type(JsonFieldType.ARRAY),
-				fieldWithPath("bundles[].trustStoreCertificates[].alias").description("Alias of the certificate chain.")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].alias")
+					.description("Alias of the certificate chain.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates")
 					.description("Certificates in the chain.")
 					.type(JsonFieldType.ARRAY),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].subject")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].subject")
 					.description("Subject of the certificate.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].version")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].version")
 					.description("Version of the certificate.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].issuer")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].issuer")
 					.description("Issuer of the certificate.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].validityStarts")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].validityStarts")
 					.description("Certificate validity start date.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].serialNumber")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].serialNumber")
 					.description("Serial number of the certificate.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].validityEnds")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].validityEnds")
 					.description("Certificate validity end date.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].validity")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].validity")
 					.description("Certificate validity information.")
 					.type(JsonFieldType.OBJECT),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].validity.status")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].validity.status")
 					.description("Certificate validity status.")
 					.type(JsonFieldType.STRING),
-				fieldWithPath("bundles[].trustStoreCertificates[].certificates[].signatureAlgorithmName")
+				fieldWithPath("bundles[].trustStoreCertificateChains[].certificates[].signatureAlgorithmName")
 					.description("Signature algorithm name.")
 					.type(JsonFieldType.STRING));
 	}