# Spring Boot with TLS

***Note: These steps were taken from*** [***Secure Spring Boot Applications with TLS and HTTP/2***](https://blog.novatec-gmbh.de/spring-boot-applications-tls-http2/)***. All keys and CAs in these folders are provided for example purposes only and must not be used in production; they exist solely to demonstrate the setup.***

## Setting up a private Certificate Authority (CA)

### Certificate for Root CA

```
keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 3072 -alias root-ca \
-dname "CN=My Root CA,OU=Development,O=My Organization,C=DE" \
-ext BC:c=ca:true -ext KU=keyCertSign -validity 3650 \
-keystore ./root-ca/ca.jks -storepass secret -keypass secret
```

```
keytool -exportcert -keystore ./root-ca/ca.jks -storepass secret \
-alias root-ca -rfc -file ./root-ca/ca.pem
```

### Signed Server Certificate

```
keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 3072 \
-alias localhost -dname "CN=localhost,OU=Development,O=My Organization,C=DE" \
-ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
-validity 3650 -keystore ./server/server.jks -storepass secret -keypass secret
```

```
keytool -certreq -keystore ./server/server.jks -storepass secret \
-alias localhost -keypass secret -file ./server/server.csr
```

```
keytool -gencert -storetype pkcs12 -keystore ./root-ca/ca.jks -storepass secret \
 -infile ./server/server.csr -alias root-ca -keypass secret \
 -ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
 -validity 3650 -rfc -outfile ./server/server.pem
```

Import the CA certificate first, then the signed certificate under the same alias (`localhost`) as the private key. keytool uses the already-trusted CA entry to validate the certificate reply and stores the complete chain under that alias. These are two separate commands, not one line:

```
keytool -importcert -noprompt -keystore ./server/server.jks -storepass secret \
-alias root-ca -file ./root-ca/ca.pem
```

```
keytool -importcert -noprompt -keystore ./server/server.jks -storepass secret \
-alias localhost -keypass secret -file ./server/server.pem
```
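The whole procedure above as one script, followed by the checks worth running before the store is handed to Spring Boot. This is an added example, not code from the original page or from the Novatec post it cites; it assumes JDK `keytool` and OpenSSL are on `PATH`, the `TLS_WORK_DIR` variable and `./tls-demo` default are hypothetical, and the `secret` password and `localhost` SAN are demo values.

```shell
#!/bin/sh
# Added example (not from the original page or the Novatec post): the keytool
# procedure above as one script, followed by the checks that the result is
# what Spring Boot needs. Assumptions: JDK keytool and OpenSSL are on PATH;
# the work directory, the "secret" password and the localhost SAN are demo
# values only.
set -eu

WORK="${TLS_WORK_DIR:-./tls-demo}"   # hypothetical env var for the output dir
PASS="secret"                         # demo password; never hard-code real ones
CA_DN="CN=My Root CA,OU=Development,O=My Organization,C=DE"
SRV_DN="CN=localhost,OU=Development,O=My Organization,C=DE"
SAN="DNS:localhost,IP:127.0.0.1"

require_tools() {
  command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

make_root_ca() {
  mkdir -p "$WORK/root-ca"
  # Self-signed root: CA flag set, key usage restricted to signing certificates.
  keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 3072 -alias root-ca \
    -dname "$CA_DN" -ext BC:c=ca:true -ext KU=keyCertSign -validity 3650 \
    -keystore "$WORK/root-ca/ca.jks" -storepass "$PASS" -keypass "$PASS"
  # Public certificate only; this is what clients will trust.
  keytool -exportcert -keystore "$WORK/root-ca/ca.jks" -storepass "$PASS" \
    -alias root-ca -rfc -file "$WORK/root-ca/ca.pem"
}

make_server_cert() {
  mkdir -p "$WORK/server"
  keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 3072 -alias localhost \
    -dname "$SRV_DN" -ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=$SAN" \
    -validity 3650 -keystore "$WORK/server/server.jks" -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -keystore "$WORK/server/server.jks" -storepass "$PASS" \
    -alias localhost -keypass "$PASS" -file "$WORK/server/server.csr"
  # The CA signs the request. Extensions are restated because -gencert does not
  # copy them from the CSR; what the CA puts here is what ends up in the cert.
  keytool -gencert -storetype pkcs12 -keystore "$WORK/root-ca/ca.jks" -storepass "$PASS" \
    -infile "$WORK/server/server.csr" -alias root-ca -keypass "$PASS" \
    -ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=$SAN" \
    -validity 3650 -rfc -outfile "$WORK/server/server.pem"
  # Two separate imports: the CA cert first (so the reply can be chained), then
  # the signed reply under the same alias as the private key.
  keytool -importcert -noprompt -keystore "$WORK/server/server.jks" -storepass "$PASS" \
    -alias root-ca -file "$WORK/root-ca/ca.pem"
  keytool -importcert -noprompt -keystore "$WORK/server/server.jks" -storepass "$PASS" \
    -alias localhost -keypass "$PASS" -file "$WORK/server/server.pem"
}

# Number of certificates keytool stores under the server alias (2 = leaf + root).
chain_length() {
  keytool -list -v -keystore "$WORK/server/server.jks" -storepass "$PASS" \
    -alias localhost | sed -n 's/^Certificate chain length: *//p'
}

# Checks to run before the store is wired into Spring Boot; each one fails loudly.
verify_chain() {
  # 1. The leaf verifies against our root and nothing else.
  openssl verify -CAfile "$WORK/root-ca/ca.pem" "$WORK/server/server.pem" >/dev/null
  # 2. The leaf carries the SAN that clients will match the hostname against.
  openssl x509 -in "$WORK/server/server.pem" -noout -text | grep -q 'DNS:localhost'
  # 3. The keystore entry Spring will use holds the private key plus the full chain.
  [ "$(chain_length)" = "2" ]
}

if require_tools; then
  make_root_ca
  make_server_cert
  verify_chain
  echo "OK: $WORK/server/server.jks holds a $(chain_length)-certificate chain under alias localhost"
else
  echo "skipping: keytool and openssl are required on PATH" >&2
fi
```

Run it once, then inspect `tls-demo/server/server.jks` with `keytool -list -v`; the `localhost` entry must be a `PrivateKeyEntry` with chain length 2, and `root-ca` a `trustedCertEntry`. A chain length of 1 means the CA import was skipped or the reply was imported under a different alias, and browsers will then reject the server with an unknown-issuer error even when they trust `ca.pem`.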

## Configure TLS in Spring Boot

To enable TLS, put the following entries into your `application.properties` file.

```
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:tls/server/server.jks
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=secret
server.ssl.key-alias=localhost
server.ssl.key-password=secret
```

With these property entries you change the following behavior:

* The application starts on port 8443 instead of 8080 (443 is the standard HTTPS port; 8443 is the conventional alternative for a process that does not run as root).
* The server uses the key store `server.jks` created above, opened with the given store password. Despite the `.jks` extension the file is a PKCS12 store, which is why `server.ssl.key-store-type=PKCS12` is set.
* The alias `localhost` selects the key pair and certificate chain the server presents; the key password unlocks the private key under that alias.

Important: copy the key store file `server.jks` created in the previous section into the `src/main/resources/tls/server/` folder of the Spring Boot application so that the `classpath:tls/server/server.jks` reference resolves. Only the server key store belongs in the application; `ca.jks` contains the CA private key and must stay out of the application and its repository.
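The same configuration with the two changes a reviewer would ask for before this leaves a developer machine: the store password resolved from the environment instead of committed next to the store, and the negotiated protocol versions pinned. This is an added example, not part of the original page; the `KEYSTORE_PASSWORD` variable name is an assumption.

```properties
# Added example, not from the original page. KEYSTORE_PASSWORD is an assumed
# environment variable name; export it before starting the application.
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:tls/server/server.jks
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=localhost

# Weak (as on this page): the password sits in the repository next to the store.
# server.ssl.key-store-password=secret
# server.ssl.key-password=secret

# Better: resolved at startup; Spring refuses to start if the placeholder is unset.
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
server.ssl.key-password=${KEYSTORE_PASSWORD}

# Only negotiate modern protocol versions.
server.ssl.enabled-protocols=TLSv1.3,TLSv1.2
```

For a deployed service the store itself should also live outside the jar (`server.ssl.key-store=file:/etc/myapp/server.p12`) so that rotating the certificate does not require a rebuild. Once the application is up, `curl --cacert ./root-ca/ca.pem https://localhost:8443/` must succeed, and the same request without `--cacert` must fail with an unknown-issuer error: the private CA is deliberately not in the system trust store, and a client that accepts the certificate anyway is not validating it.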

