Monthly Archives: January 2017

SSL configuration on spring boot application with self signed certificate


Let’s start with What?

SSL (Secure Sockets Layer) – the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser stays private and keeps its integrity.

Self signed certificate – an identity certificate that is signed by the same entity whose identity it certifies.

Keystore and Truststore – both are used to store SSL certificates in Java, but there is a subtle difference between them: the truststore holds the public certificates you trust, while the keystore holds the private keys and certificates of the client or server.

Let’s pretend you need to build a simple application with Spring Boot (fat jar deployment) and you need to expose it with encryption (over https). In order to do that you have to configure the Spring Boot application for https by adding the key store which holds the certificate. When it comes to getting the certificate you have two choices: self signed, or signed by one of the public certificate authorities (CAs).

Now the question is why we would go for a self signed certificate rather than a public CA signed certificate. The main reason people use self-signed certificates is that it doesn’t add any cost; it is free. But if the site is public facing it would be better to go for a public CA signed certificate rather than a self signed one. If you have a public CA signed certificate then the client browser verifies the certificate without any problem, because the browser identifies the public CAs by default; otherwise it shows a warning as follows that the site is not trusted, unless you import the certificate into the browser trust store.


The good thing is you will get the encryption over https no matter which certificate you use.

The best scenario that I’m thinking of is to create a self-signed certificate when you are in DEV and TEST environments, but when you need to expose it to PROD, which will be exposed to the public, use the public CA signed certificate. But if it is internal facing then you can still use the self-signed certificate once you have registered the certificate in the clients’ browser trust stores.

How to create the self signed certificate with the Java keytool.

1. Create Java Key Store with certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore ${DEST_PATH}/keystore.jks -storepass ${PASS_WORD} -validity 360 -keysize 2048


2. List the details of the given keystore

keytool -v -list -keystore ${PATH_TO_KEYSTORE}/keystore.jks


3. Export the self-signed certificate if you want to distribute it to the clients.

keytool -exportcert -rfc -alias selfsigned -keystore ${DEST_PATH}/keystore.jks -file ${DEST_PATH}/selfsigned.crt


4. Verify the certificate

keytool -printcert -file ${PATH_TO_CERTIFICATE}/selfsigned.crt


Now you need to make your .jks file available to the Spring Boot application and configure the application to be exposed over https. First of all, place the keystore.jks file on the class path and then set the following properties in the application-*.properties file.

server.port=8443
server.ssl.key-alias=selfsigned
server.ssl.key-password=test123
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS


Posted by on January 28, 2017 in java, Other, spring


How to make the Java runtime trust the certificate presented by the host


URL - https://my-site.com/test

Let’s start with a simple example. If you invoke the above URL from a simple Java application you will get an SSLHandshakeException, because it is exposed as an https endpoint and the Java runtime does not trust the certificate presented during the URL call. So before you invoke the service you have to make the certificate known to your Java runtime so that it trusts it; then whenever you call the URL it will trust the certificate. You can do this in two different ways, as follows.

  1. Download and import the certificate to your java runtime certificate store.
  2. Write the code in your program to trust the certificate provided by the host.

1. Download and import the certificate to your java runtime certificate store.

First of all you have to download the certificate from the host. To do that you can simply go to the URL in the browser and then save the certificate to your local machine as a .cer file.

In the Chrome browser you can simply go to the certificate as follows and drag and drop it to a local folder. I chose https://google.com as an example.

Once you have downloaded the certificate you should be able to use keytool to import it.

keytool -import -alias google -keystore ${PATH_TO_JDK}/jre/lib/security/cacerts -file ${PATH_TO_CERT_FILE}

You have to provide the keystore password as “changeit” unless you have customized it.

Example:

keytool -import -alias google -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home/jre/lib/security/cacerts -file /Users/dmalalan/Documents/www.google.com.cer


2. Write the code in your program to trust the certificate provided by the host

You need to use the following code sample before you invoke the URL. This just allows the runtime to trust all certificates presented by the host, but you need to be careful with this approach because the host can present bogus certificates.
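The safer alternative to a trust-all manager is to trust only the one certificate you exported (the selfsigned.crt from the keytool steps above) by loading it into an in-memory trust store, which also replaces the manual import into cacerts. This is an added example, not the sample code from the post; the certificate path, the alias and the https://localhost:8443 URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrustClient {

    // Load the PEM certificate written by "keytool -exportcert -rfc" and check that it really is
    // self-signed: issuer equals subject and the signature verifies under its own public key.
    static X509Certificate loadSelfSigned(String pemPath) throws Exception {
        try (InputStream in = new FileInputStream(pemPath)) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                throw new IllegalArgumentException("not self-signed, issuer is " + cert.getIssuerX500Principal());
            }
            cert.verify(cert.getPublicKey()); // throws if the signature does not match the key
            cert.checkValidity();             // throws if expired or not yet valid
            return cert;
        }
    }

    // Build an SSLContext whose trust store holds exactly this certificate: cacerts is not
    // consulted, and any other certificate (including a bogus one from the host) is rejected.
    static SSLContext contextTrustingOnly(X509Certificate cert) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);          // empty in-memory trust store
        trustStore.setCertificateEntry("selfsigned", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: the exported cert and the Spring Boot app on port 8443 from the post above.
        X509Certificate cert = loadSelfSigned(args.length > 0 ? args[0] : "selfsigned.crt");
        SSLContext ctx = contextTrustingOnly(cert);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left enabled: the certificate's CN/SAN must match the host.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```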

References: sample code & sample instructions


Posted by on January 14, 2017 in java, Other, web
