diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
index e3f9703fbf..3e10360b05 100644
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
@@ -118,6 +118,7 @@ class SslConnectorCustomizer implements TomcatConnectorCustomizer {
 SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
 }
 if (sslStoreProvider.getTrustStore() != null) {
+ protocol.setTruststorePass("");
 protocol.setTruststoreFile(
 SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL);
 }
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
index a81747a3a2..286f9417b3 100644
--- a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
+++ b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
@@ -31,8 +31,10 @@ import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
 
+import org.springframework.boot.testsupport.rule.OutputCapture;
 import org.springframework.boot.web.server.Ssl;
 import org.springframework.boot.web.server.SslStoreProvider;
 import org.springframework.core.io.ClassPathResource;
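Review bot: The new `protocol.setTruststorePass("")` call in the trust-store branch of SslConnectorCustomizer carries no comment, and an empty password set just before the store file reads like dead code that a later cleanup could remove. Going by the test added in the same commit, the empty value appears to be what keeps Tomcat from applying the JVM-wide `javax.net.ssl.trustStorePassword` property to the provider-supplied store, so I would add `// Empty password: do not fall back to javax.net.ssl.trustStorePassword for a provider-supplied trust store` above it. The key-store branch begins above the hunk and only its last line is visible here, so it is worth confirming it is protected the same way. The enclosing method starts and ends outside the hunk.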
@@ -54,6 +56,9 @@ public class SslConnectorCustomizerTests {
 
 private Connector connector;
 
+ @Rule
+ public OutputCapture output = new OutputCapture();
+
 @Before
 public void setup() {
 this.tomcat = new Tomcat();
@@ -64,6 +69,7 @@ public class SslConnectorCustomizerTests {
 
 @After
 public void stop() throws Exception {
+ System.clearProperty("javax.net.ssl.trustStorePassword");
 ReflectionTestUtils.setField(TomcatURLStreamHandlerFactory.class, "instance",
 null);
 ReflectionTestUtils.setField(URL.class, "factory", null);
@@ -167,6 +173,7 @@ public class SslConnectorCustomizerTests {
 @Test
 public void customizeWhenSslStoreProviderPresentShouldIgnorePasswordFromSsl()
 throws Exception {
+ System.setProperty("javax.net.ssl.trustStorePassword", "trustStoreSecret");
 Ssl ssl = new Ssl();
 ssl.setKeyPassword("password");
 ssl.setKeyStorePassword("secret");
@@ -179,6 +186,7 @@ public class SslConnectorCustomizerTests {
 customizer.customize(connector);
 this.tomcat.start();
 assertThat(connector.getState()).isEqualTo(LifecycleState.STARTED);
+ assertThat(this.output.toString()).doesNotContain("Password verification failed");
 }
 
 private KeyStore loadStore() throws KeyStoreException, IOException,
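Review bot: `stop()` removes `javax.net.ssl.trustStorePassword` unconditionally after every test, so a value that the build or another test class had set in the same JVM is discarded instead of restored. The property is only set in `customizeWhenSslStoreProviderPresentShouldIgnorePasswordFromSsl` (the @@ -167 hunk), so the save and restore belong together there: keep the result of `String previous = System.setProperty("javax.net.ssl.trustStorePassword", "trustStoreSecret");` and put it back in a `finally`, clearing the property only when `previous` is null. Both method bodies continue outside their hunks.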
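Review bot: The added `doesNotContain("Password verification failed")` check in the @@ -179 hunk passes whenever that exact wording is absent, which includes the case where the trust-store path is never exercised and the case where the message text changes in a later Tomcat or JDK release. The provider set-up sits between the hunks and is not visible, so confirm that the stubbed `SslStoreProvider` returns a non-null trust store; otherwise the new `setTruststorePass("")` branch is not reached by this test. Assuming the message is what gets logged when the system-property password is applied to the provider's store, a comment such as `// Logged when javax.net.ssl.trustStorePassword is applied to the provider-supplied trust store` would tie the literal to the failure it guards against.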