RSS

Tag Archives: Security

SSL configuration on spring boot application with self signed certificate


Let’s start with What?

SSL – (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral

Self signed certificate – is an identity certificate that is signed by the same entity whose identity it certifies

Keystore and Truststore – is used to store SSL certificates in Java but there is subtle difference between them. truststore is used to store public certificates while keystore is used to store private certificates of client or server

Let’s pretend you need to build simple application with spring boot(with fat jar deployment) and you need to expose the application with encryption(over https). In oder to do that you have to configure the spring boot application over https by adding the key-store which holds the certificates. So when its comes to get the certificate you have to choices either self signed or signed by one of the public certificate authorities(CAs)

Now the question is why we need to go for the self signed certificate rather public CA signed certificate. The main reason that people do self-signed certificates because it doesn’t add any cost it is free, But if the site is public facing it would be better to go for the public CA signed certificate rather the self signed. So if you have public CA signed certificate then client browser do verify the certificate without any problem because the browser by default identifies the public CAs otherwise it will show as follows which is not trusted site unless you import the certificate to the browser trust store.

screen-shot-2017-01-28-at-10-10-56-am

The good thing is you will get the encryption over https no matter which certificate you use.

Best scenario that I’m thinking is to create a self-signed certificate when you are in DEV and TEST environments but when you need to expose that to PROD which will be exposing to public use the public CA signed certificate. But if it is internal facing then you can still use the self-signed certificate once you have registered the certificate on clients browser trust stores.

How to create the self signed certificate with JAVA key-tool.

1. Create Java Key Store with certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore ${DEST_PATH}/keystore.jks -storepass ${PASS_WORD} -validity 360 -keysize 2048

screen-shot-2017-01-28-at-10-54-29-am

2. List out the details of the given keystore 

keytool -v -list -keystore ${PATH_TO_KEYSTORE}/keystore.jks

Screen Shot 2017-01-28 at 11.03.51 AM.png

3. Export self-signed certificate if you want to distribute to the clients.

keytool -exportcert -rfc -alias selfsigned -keystore ${DEST_PATH}/keystore.jks -file ${DEST_PATH}/selfsigned.crt

Screen Shot 2017-01-28 at 10.59.21 AM.png

4. Verify the certificate

keytool -printcert -file ${PATH_TO_CERTIFCATE}/selfsigned.crt

Screen Shot 2017-01-28 at 11.12.26 AM.png

So now need to expose your .jks file to spring boot application and configure that to be exposed as https. Fist of all place your keystore.jks file on the class path and then set the following properties in application-*.properties file.

server.port=8443
server.ssl.key-alias=selfsigned
server.ssl.key-password=test123
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS

 

 
4 Comments

Posted by on January 28, 2017 in java, Other, spring

 

Tags: , , , , ,

 
%d bloggers like this: