
I have these certificates / files in order to enable SSL for my application:

certificates

I found out that these properties are needed for Spring Boot to enable HTTPS:

server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.p12
server.ssl.key-store-password=****
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

but this does not work. My question now would be: what do I have to do in order to get it to work? https://abc.lehr.co.at should be the URL.

[EDIT]

I have created my own keystore - with this I get the following exception:

java.io.IOException: Alias name tomcat does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:596)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:534)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:739)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:472)
at org.apache.coyote.http11.Http11NioProtocol.start(Http11NioProtocol.java:81)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)

My keystore looks like this:

Keystore

Actually I don't know what to import into keystore for embedded tomcat (Spring Boot).

quma
  • `server.ssl.enabled=true` would be a good start. – Marc Tarin Mar 28 '18 at 12:26
  • There are tons of examples available [online](https://www.google.fr/search?q=spring+boot+ssl+configuration). Give it a try first, and if you are stuck, give us the details of what you tried and what failed. – Marc Tarin Mar 28 '18 at 12:55
  • https://stackoverflow.com/questions/29522114/how-to-add-self-signed-ssl-certificate-to-jhipster-sample-app/29582178#29582178 – Bhushan Uniyal Apr 03 '18 at 13:22
  • Does anyone know how to achieve the above programmatically in Spring Boot? We have to read the keystore file path and password at run time from a remote location and fill in this assumed SSL object, and would like Spring to inject that as part of its initialization. Any idea? – Simple-Solution Jul 13 '18 at 18:00

5 Answers


To enable SSL, you must provide a private key, and not a trusted certificate.

In your keystore, 'tomcat' should be listed as an alias for a privatekeyentry and not a trustedcertentry.

Camille Vienot

You have to pack your private keys into a PFX or P12 file, specifying the aliases. Then they will be picked up accordingly from the keyStore after the material is loaded.

Use this tool to figure out what the aliases are:

keytool -list -storetype pkcs12 -keystore my_debug_keystore.p12 -storepass debug
AlexGera
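Both answers above come down to one check: the alias named in `server.ssl.keyAlias` must be a PrivateKeyEntry, not a TrustedCertificateEntry. The following is an added example, not code from the question or from any of the answers, that performs that check with the plain JDK `KeyStore` API before starting Spring Boot. The path, store type, password and alias are assumed placeholders passed as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Reports which aliases in a keystore are private-key entries, i.e. usable as server.ssl.keyAlias. */
public class KeyStoreAliasCheck {

    /** True only if the alias exists and is a PrivateKeyEntry; Tomcat rejects anything else. */
    static boolean isUsableServerAlias(KeyStore ks, String alias) throws Exception {
        return ks.containsAlias(alias) && ks.isKeyEntry(alias);
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs (placeholders, not the asker's real values): path, type, password, alias.
        String path = args.length > 0 ? args[0] : "src/main/resources/keystore.p12";
        String type = args.length > 1 ? args[1] : "PKCS12";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();
        String wanted = args.length > 3 ? args[3] : "tomcat";

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // same load that Tomcat performs at startup
        }

        // List every alias with its entry type and certificate subject.
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry (usable)" : "TrustedCertificateEntry (not usable)";
            Certificate cert = ks.getCertificate(alias);
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "n/a";
            System.out.printf("%-12s %-38s %s%n", alias, kind, subject);
        }

        if (!isUsableServerAlias(ks, wanted)) {
            System.err.println("server.ssl.keyAlias=" + wanted
                    + " would fail: the alias is missing or is not a private-key entry."
                    + " Import the private key together with its certificate chain under that alias.");
            System.exit(1);
        }
        // Also confirm the key unlocks with this password; if the key has its own password,
        // Spring Boot expects it in server.ssl.key-password instead.
        ks.getKey(wanted, password);
        System.out.println("OK: alias '" + wanted + "' is a private-key entry.");
    }
}
```

Run it with the same values you put in application.properties; the same "not a key entry" condition that Tomcat reports in the stack trace above shows up here as an exit status of 1 before the server is ever started.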
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.p12
server.ssl.key-store-password=****
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat << This should be the alias in yourfile.p12; if you have forgotten it, just create a new one and replace it >>

And don't forget to add

security.require-ssl=true <<Tell Spring Security (if used) to require requests over HTTPS>>
joe cutter

I'd suggest you create your KeyStore in JKS format:

 keytool -genkey -keyalg RSA -alias my_alias -keystore keystore.jks -storepass password -validity 360 -keysize 2048

then add the configuration:

server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.jks
server.ssl.key-store-password=****
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=my_alias
rena
  • The format doesn't matter; Java and Spring have handled all formats for a long time, as long as you specify correctly. Also since 9 (since Dec. 2018) keytool no longer defaults to JKS anyway. **Using `-genkey` _does_ help _if_ your clients will accept a selfsigned cert**, which not all will. – dave_thompson_085 Apr 19 '19 at 22:16

First you may convert your .pem file to DER and then generate a keystore. See https://stackoverflow.com/a/13992135/16358980 for how to do this.

In your application.properties, change the key-store property to your generated keystore file:

server.ssl.key-store=<your-generated-keystore>