Can I specify the keystore using either of these properties: the Java-specific javax.net.ssl.keyStore or the Spring Boot-specific server.ssl.key-store? Are there any differences? I would like to use the keystore for serving my app using https as well as for mutual client authentication with some REST services.
Can the Spring Boot application be served using https if the keystore is not specified as a property or JVM argument, but is instead read at startup using custom code? Or does the keystore specification have to come before that if the app has to be served using https?
Those two properties have complementary roles:
javax.net.ssl.keyStore is a system property used by the Java security providers to configure the default SSLContext. Most SSL clients use the default SSLContext. You don't need to pass this property as a -D argument to the JVM; you can set it programmatically at a very early stage of your application startup, but I would advise against it: since your application may not be the only application in the JVM (e.g. you run it as a WAR archive), you will influence the behavior of other applications. Use a non-default SSLContext instead.
server.ssl.keyStore is a Spring property to configure the server socket of the embedded servlet container. It can come from many different sources.
While in theory a servlet container can use the default SSLContext and retrieve its certificate from the default KeyManager (which loads its keys from the keystore specified through javax.net.ssl.keyStore), I don't know any servlet container that would actually do it.
Usually the certificate used as SSL client is not the same as the one used as SSL server.
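
The "non-default SSLContext" approach from the answer above, as an added example that is not part of the original answer: the client keystore is loaded by custom code at startup and bound to a single HTTP client, without setting javax.net.ssl.keyStore. The class and method names, the PKCS12 keystore type and the CLIENT_KS_PASSWORD environment variable are assumptions; it needs Java 11 or later.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; class, method and variable names are hypothetical.
public final class ClientTls {

    // Load a keystore at startup with custom code; type must match the file (e.g. "PKCS12").
    static KeyStore load(Path file, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an SSLContext used only by this client. SSLContext.getDefault() and the
    // javax.net.ssl.* system properties are not touched, so other code in the JVM is unaffected.
    static SSLContext clientContext(KeyStore identity, char[] keyPassword, KeyStore trust)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);            // client certificate + private key
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                            // null falls back to the JVM default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1 || System.getenv("CLIENT_KS_PASSWORD") == null) {
            System.err.println("usage: CLIENT_KS_PASSWORD=... java ClientTls <client.p12>");
            return;
        }
        char[] pw = System.getenv("CLIENT_KS_PASSWORD").toCharArray();
        KeyStore identity = load(Path.of(args[0]), pw, "PKCS12");
        SSLContext ctx = clientContext(identity, pw, null);
        // Hand the context to the one client that needs the client certificate.
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        System.out.println("client TLS protocol: " + client.sslContext().getProtocol());
    }
}
```

The server certificate of the embedded servlet container is configured separately, through the Spring server.ssl.keyStore property described in the answer.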