Q19 of 40 · REST Assured

How do you handle SSL/TLS issues (self-signed certs) in REST Assured for testing?

Category: REST Assured · Level: Mid · Tags: rest-assured, ssl, tls, certificate, security

Short answer

Call .relaxedHTTPSValidation() on given() (or on RequestSpecBuilder) to disable SSL certificate verification — use it only for self-signed certs in test environments. For mutual TLS (client cert), use .keyStore(path, password). Never use relaxedHTTPSValidation() against production endpoints.

Detail

Self-signed certificates fail REST Assured's default SSL validation because the cert isn't in Java's trust store. Two approaches:

Option 1 — disable validation (dev/test only):

given().relaxedHTTPSValidation()
// or globally:
RestAssured.useRelaxedHTTPSValidation();

This tells the underlying TrustManager to accept any certificate and also turns off hostname verification. Fast, but it masks real TLS misconfiguration (expired certs, wrong hostnames, untrusted issuers) that the tests would otherwise catch.

Option 2 — trust a specific CA (better): Add the test CA's certificate to a custom trust store and configure REST Assured to use it:

given()
    .trustStore("src/test/resources/test-ca.jks", "changeit")

Mutual TLS (client sends its own certificate):

given()
    .keyStore("src/test/resources/client.p12", "password")
    .trustStore("src/test/resources/server-ca.jks", "changeit")

Best practice for CI: provision a self-signed cert via a tool like mkcert and import it into a test trust store. Avoid useRelaxedHTTPSValidation() globally — it silently disables security checks for all tests including those that should validate prod-like endpoints.

// EXAMPLE

// Quick fix for local dev (self-signed cert only)
given()
    .relaxedHTTPSValidation()
    .baseUri("https://localhost:8443")
.when()
    .get("/health")
.then()
    .statusCode(200);

// Better: trust a specific test CA
static RequestSpecification reqSpec;   // shared spec reused by every test in the class

@BeforeAll
static void buildSpecs() {
    reqSpec = new RequestSpecBuilder()
        .setBaseUri("https://api.test.internal")
        .setTrustStore("src/test/resources/test-ca.jks", "changeit")
        .addHeader("Authorization", "Bearer " + getToken()) // getToken(): the suite's own token helper
        .build();
}

// Mutual TLS — client certificate required
given()
    .keyStore("src/test/resources/client-cert.p12", "p12password")
    .trustStore("src/test/resources/server-ca.jks", "changeit")
.when()
    .get("/secure/api")
.then()
    .statusCode(200);

// WHAT INTERVIEWERS LOOK FOR

Knowing .relaxedHTTPSValidation() and why it should be limited to test environments, the trust store option for specific CAs, and the key store option for mutual TLS. Bonus: explaining the risk of using relaxed validation globally.

// COMMON PITFALL

Calling RestAssured.useRelaxedHTTPSValidation() in a global setup method, which applies to all tests including those targeting production-like staging environments where cert validation should pass.