Why Maven's Resource Filtering Breaks Binary Certificates and How to Fix It

In this article the author describes a puzzling .p12 certificate loading failure in a Spring Boot project that turned out to be caused by Maven’s default resource filtering, which treats binary files as text and corrupts them during packaging.

1. Certificate loading process

The .p12 file is placed in src/main/resources and loaded via getResourceAsStream, then a KeyStore of type PKCS12 is initialized and the certificate is loaded.

InputStream certStream = this.getClass().getClassLoader()
    .getResourceAsStream("bank/NJPS0001-ECP_For_Test.p12");
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(certStream, password);

When the application is packaged, Spring Boot fails to start with the error

DerInputStream.getLength(): lengthTag=111, too big.

2. Initial troubleshooting

Changing the path to an absolute file system location and reading the file with new FileInputStream() makes the loading succeed, indicating that the packaged resource is corrupted.

Inspecting the file size before and after packaging shows that the .p12 file grows from 3.1 KB to 5.2 KB, confirming that Maven altered its binary structure.

3. Maven resource filtering

Maven applies resource filtering to files under src/main/resources, performing placeholder substitution, UTF‑8 encoding, and injecting values from pom.xml. Because a .p12 file is binary, treating it as text corrupts it.

4. Solution – dual resource configuration

Configure Maven to filter only text resources and exclude binary certificates, or create a separate resource set with filtering=false for the certificate files.

<build>
  <resources>
    <!-- normal text resources with filtering -->
    <resource>
      <directory>src/main/resources</directory>
      <filtering>true</filtering>
    </resource>
    <!-- binary certificates without filtering -->
    <resource>
      <directory>src/main/resources</directory>
      <filtering>false</filtering>
      <includes>
        <include>**/*.p12</include>
        <include>**/*.crt</include>
        <include>**/*.cer</include>
      </includes>
    </resource>
  </resources>
</build>

Alternatively, keep certificates outside the JAR and reference them via absolute paths or environment variables.

Best practices

Set filtering=false for binary resources.

Use ClassPathResource in Spring Boot instead of new File() when reading classpath files.

Configure different profiles for dev and prod to supply external certificate paths.

Add MD5 checksum validation in CI/CD pipelines to detect accidental corruption.

This tip highlights a hidden pitfall of Maven’s resource filtering and provides a reliable way to handle binary files such as certificates in Java backend projects.