
SSL configuration on spring boot application with self signed certificate

28 Jan

Let’s start with what these things are.

SSL (Secure Sockets Layer) is the protocol for establishing an encrypted link between a web server and a browser, so that the data passed between them stays private and cannot be tampered with in transit. SSL itself is obsolete; what is actually negotiated today is its successor TLS, but the old name has stuck, and Spring Boot still calls the relevant properties server.ssl.*.

Self-signed certificate – an identity certificate that is signed by the same entity whose identity it certifies, i.e. with its own private key. No third party vouches for it, so a client only trusts it if someone has explicitly installed it as trusted.

Keystore and truststore – both are Java keystore files used to hold certificates, but they serve different purposes. A keystore holds your own private key together with the matching certificate (what the server presents to clients). A truststore holds the certificates of the peers or CAs that you are willing to trust (what a client checks the server’s certificate against). Never put a private key in a file you distribute as a truststore.

Let’s say you need to build a simple Spring Boot application (fat jar deployment) and expose it with encryption, i.e. over https. To do that you configure the application with a key-store that holds the certificate and its private key. When it comes to getting the certificate you have two choices: self-signed, or signed by one of the public certificate authorities (CAs).

So why go for a self-signed certificate rather than a public CA signed one? The main reason people use self-signed certificates is cost: they are free. But if the site is public facing it is better to get a public CA signed certificate. With a public CA signed certificate the client browser verifies the certificate without any problem, because browsers ship with the public CAs in their trust store. With a self-signed certificate the browser shows a “not trusted” warning for the site unless you import the certificate into the browser’s trust store.


The good thing is that you get encryption over https no matter which certificate you use. The caveat is that encryption alone is not what the certificate is for: a client that has not been told to trust this particular certificate cannot tell your server apart from an attacker who presents his own self-signed certificate. So never work around the browser warning by disabling certificate verification in the client; distribute the exported certificate to the client trust stores instead.

The best approach I can think of is to use a self-signed certificate in the DEV and TEST environments, and a public CA signed certificate when you expose the application in PROD to the public. If the application is internal facing you can still use the self-signed certificate, once you have installed the certificate in the trust stores of the client browsers.

How to create the self-signed certificate with the Java keytool.

1. Create a Java Key Store with a key pair and self-signed certificate. keytool will prompt for the distinguished name; put the hostname that clients will use (here localhost) in the CN, and also in the SAN extension, because current browsers match the hostname against the SAN only. It will also prompt for a key password; press RETURN to reuse the store password, and remember which one you chose, it is needed in the Spring Boot properties later. 360 days of validity is fine for DEV/TEST.

keytool -genkeypair -keyalg RSA -keysize 2048 -alias selfsigned -validity 360 -ext SAN=dns:localhost -keystore ${DEST_PATH}/keystore.jks -storepass ${PASS_WORD}


2. List the details of the given keystore. Check that the entry type is PrivateKeyEntry (not trustedCertEntry) and that the alias is the one you will put in the Spring Boot properties.

keytool -v -list -keystore ${PATH_TO_KEYSTORE}/keystore.jks


3. Export the self-signed certificate if you want to distribute it to clients. This exports only the public certificate (PEM, because of -rfc); the private key stays in the keystore.

keytool -exportcert -rfc -alias selfsigned -keystore ${DEST_PATH}/keystore.jks -file ${DEST_PATH}/selfsigned.crt


4. Verify the certificate. Check the Owner/Issuer (identical for a self-signed certificate), the validity dates and the SubjectAlternativeName extension.

keytool -printcert -file ${PATH_TO_CERTIFICATE}/selfsigned.crt


Now you need to make the .jks file available to the Spring Boot application and configure it to serve https. First place your keystore.jks on the class path (src/main/resources in a Maven/Gradle project) and then set the following properties in the application-*.properties file. Both passwords are needed: server.ssl.key-store-password is the -storepass you gave keytool, and server.ssl.key-password is the password of the private key entry (the same value if you pressed RETURN at the key password prompt). Without the store password Tomcat cannot open the keystore and the connector fails to start.

server.port=8443
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-type=JKS
server.ssl.key-store-provider=SUN
# must match the -storepass used with keytool
server.ssl.key-store-password=test123
server.ssl.key-alias=selfsigned
# password of the private key entry (same as the store password if you pressed RETURN at the prompt)
server.ssl.key-password=test123

Two things to keep in mind for anything beyond DEV: do not commit real passwords into the properties file, reference them from the environment instead (server.ssl.key-store-password=${KEYSTORE_PASSWORD} works with a KEYSTORE_PASSWORD environment variable), and remember that a keystore packaged inside the fat jar ships the private key to everyone who gets the jar; for PROD point server.ssl.key-store at a file: path outside the artifact.
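Once the server is up, the question is how a client should trust the exported selfsigned.crt without the usual shortcut of switching certificate verification off. The keystore/truststore distinction from the definitions above is exactly this: the server uses the keystore, the client needs a truststore containing only the server’s certificate. The following is an added example (not code from the original post or from Spring Boot) of a plain Java client that builds such a truststore in memory from selfsigned.crt and connects to the application with hostname verification left on. The file name selfsigned.crt, the URL https://localhost:8443/ and the class name SelfSignedClient are assumptions; the URL host must match the CN/SAN in the certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedClient {

    /**
     * Builds an SSLContext whose trust store contains exactly one certificate:
     * the self-signed certificate exported with "keytool -exportcert -rfc".
     * Anything else presented by a server (including a real CA-signed chain)
     * is rejected, which is what we want for a pinned DEV/TEST endpoint.
     */
    static SSLContext contextTrustingOnly(String pemCertPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = new FileInputStream(pemCertPath)) {
            serverCert = cf.generateCertificate(in);   // PEM or DER both work here
        }

        // In-memory truststore: load(null, null) creates an empty one, and a
        // trusted-certificate entry is all it holds. No private key goes in here.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("selfsigned", serverCert);

        // Standard PKIX trust manager backed by our single-entry truststore
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: certificate exported by step 3, server from the properties above
        String certPath = args.length > 0 ? args[0] : "selfsigned.crt";
        String url = args.length > 1 ? args[1] : "https://localhost:8443/";

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextTrustingOnly(certPath).getSSLSocketFactory());
        // Deliberately NOT calling setHostnameVerifier(...): the CN/SAN in the
        // certificate must match the host in the URL, or the handshake fails.
        System.out.println("HTTP " + conn.getResponseCode()
            + " using " + conn.getCipherSuite()
            + " from " + conn.getPeerPrincipal());
    }
}
```

Compile and run it with javac SelfSignedClient.java && java SelfSignedClient selfsigned.crt https://localhost:8443/ while the Spring Boot application is running. If you would rather not write code, the same effect for any Java client is achieved by importing the certificate into a file truststore (keytool -importcert -alias selfsigned -file selfsigned.crt -keystore truststore.jks) and starting the client JVM with -Djavax.net.ssl.trustStore=truststore.jks. What you should not do is install an X509TrustManager whose checkServerTrusted does nothing: that removes the very check that distinguishes your server from an attacker’s.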


Posted by on January 28, 2017 in java, Other, spring

6 responses to “SSL configuration on spring boot application with self signed certificate”

  1. Xavier

    March 29, 2017 at 12:59 pm

    Hello, when I use your tutorial in my project gives me this error

    ***************************
    APPLICATION FAILED TO START
    ***************************

    Description:

    The Tomcat connector configured to listen on port 8443 failed to start. The port may already be in use or the connector may be misconfigured.

    Action:

    Verify the connector’s configuration, identify and stop any process that’s listening on port 8443, or configure this application to listen on another port.

     
    • malalanayake

      March 29, 2017 at 1:02 pm

      You may have another process up and running on 8443, basically you have port conflict. Try to start the application with different port by setting this property
      server.port=8484

       
      • Xavier

        March 29, 2017 at 1:05 pm

I tried with many ports, 8484, 9999, 9090, and always the same error, except that the listener port changes.

         
    • malchik

      June 29, 2017 at 5:00 am

      Did you get a resolution? I am having the same issue.

       
  2. Arian

    April 14, 2017 at 4:45 am

    Hello. I’m following your tutorial. I put the jks file in the src/main/resources. What should I do with the crt file ? thanks.

     
    • Irinel Pascal

      June 16, 2017 at 6:36 am

You need to import it or export it in Postman or Chrome or whatever you use.

       
