0

I've a web server running on an ec2-instance which internally calls a REST server that is built using Spring Boot. Now, I am trying to get this REST server running under SSL. Here's what I've done so far:

1) Created a CSR & a key file using this command

openssl req -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

2) Copied 'csr' to get SSL certificate from GoDaddy.

3) Successfully installed the certificate under Nginx on my ec2-instance.

4) When I hit the home page under https, it works. I no longer get 'Not secure' message from the browser.

5) Login fails because it makes a REST call but REST server is not running under SSL so I am trying to get it running under SSL.

6) Ran following commands:

keytool -import -alias mydomain -keystore tomcat.keystore -trustcacerts -file mydomain.com.chained.crt
keytool -import -alias mydomain-key -keystore tomcat.keystore -trustcacerts -file mydomain.key

The previous command gives me an error message: "keytool error: java.lang.Exception: Input not an X.509 certificate"

But this was the one created in step 1 above & the same file works under Nginx. What am I missing (other than the fact that I know very little about setting up SSLs!)? I need the second command to specify the value of 'server.ssl.keyAlias' in application.properties, I believe.

DilTeam
  • 2,551
  • 9
  • 42
  • 69

2 Answers2

2

Not really an answer but overflowed comment.

You don't need to 'generate' an X.509 cert; you already got that from GoDaddy. If (and only if) the SpringBoot server is accessed by the same name(s) as (external) nginx -- which is unclear to me -- you need to convert the pair of private key AND certificate CHAIN from PEM format to a format Java uses. See:
How to import an existing x509 certificate and private key in Java keystore to use in SSL?
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
How to use .key and .crt file in java that generated by openssl?
Importing the private-key/public-certificate pair in the Java KeyStore
maybe Import key and SSL Certificate into java keystore

dave_thompson_085
  • 34,712
  • 6
  • 50
  • 70
1

Thanks @Dave_thompson_085. Following 2 commands did the trick!

openssl pkcs12 -export -in mydomain.com.chained.crt -inkey mydomain.key -out keystore.p12 -name my-alias -caname root

keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias my-alias

and then in the application.properties I specified following properties:

server.port=8443
server.ssl.enabled=true
security.require-ssl=true
server.ssl.key-store=/etc/nginx/ssl/keystore.jks
server.ssl.key-store-password=mypassword
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=my-alias
DilTeam
  • 2,551
  • 9
  • 42
  • 69