Spring Boot with TLS
Note: These steps were taken from Secure Spring Boot Applications with TLS and HTTP/2. All Keys and CAs in these folders are provided for example purposes only and SHOULD not be used for any production purposes other than demonstrating capabilities.
Setting up a private Certificate Authority (CA)
Certificate for Root CA
keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 3072 -alias root-ca \
-dname "CN=My Root CA,OU=Development,O=My Organization,C=DE" \
-ext BC:c=ca:true -ext KU=keyCertSign -validity 3650 \
-keystore ./root-ca/ca.jks -storepass secret -keypass secret
keytool -exportcert -keystore ./root-ca/ca.jks -storepass secret \
-alias root-ca -rfc -file ./root-ca/ca.pem
Signed Server Certificate
keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 3072 \
-alias localhost -dname "CN=localhost,OU=Development,O=My Organization,C=DE" \
-ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
-validity 3650 -keystore ./server/server.jks -storepass secret -keypass secret
keytool -certreq -keystore ./server/server.jks -storepass secret \
-alias localhost -keypass secret -file ./server/server.csr
keytool -gencert -storetype pkcs12 -keystore ./root-ca/ca.jks -storepass secret \
-infile ./server/server.csr -alias root-ca -keypass secret \
-ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
-validity 3650 -rfc -outfile ./server/server.pem
keytool -importcert -noprompt -keystore ./server/server.jks -storepass secret -alias root-ca -keypass secret -file ./root-ca/ca.pem \
keytool -importcert -noprompt -keystore ./server/server.jks -storepass secret -alias localhost -keypass secret -file ./server/server.pem
Configure TLS in Spring Boot
To enable TLS put the following entries into your application.properties file.
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:tls/server/server.jks
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=secret
server.ssl.key-alias=localhost
server.ssl.key-password=secret
With these property entries you will change the following behavior:
The application is started on port 8443 instead of port 8080 (by convention this is the usual port for HTTPS connections).
Use our new java key store server.jks which is of type PKCS12 and is opened with given store password
Define the alias of public/private key to use for the server certificate with corresponding key password
Important: Please do not forget to copy the java key store file server.jks you have created in previous section into the src/main/resource folder of the new spring boot application.
Last updated
Was this helpful?