Adding .crt to Spring Boot to enable SSL
So the correct procedure was the following:
I had to recreate the CSR from scratch, using a Java Key Store instead.
keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048
Then a new CSR:
keytool -certreq -alias mydomain -keystore KeyStore.jks -file mydomain.csr
That had to be resent to the cert provider to generate a new .cer file. So they sent me back the mentioned 2 .cer files, the "bundle" one was the intermediate .cer, which I needed to add like this:
keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks
Then the actual "long-named" .cer file like this:
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore KeyStore.jks
Then this is something which can be converted to p12 like this:
keytool -importkeystore -srckeystore <MY_KEYSTORE.jks> -destkeystore <MY_FILE.p12> -srcstoretype JKS -deststoretype PKCS12 -deststorepass <PASSWORD_PKCS12> -srcalias <ALIAS_SRC> -destalias <ALIAS_DEST>
Finally the application.properties needed extra lines and became something like this:
server.port=443
server.ssl.enabled=true
security.require-ssl=true
server.ssl.key-store=keystore.p12
server.ssl.key-store-password=password
server.ssl.key-alias=domain
server.ssl.key-password=password
And it is finally working.
I had this problem before when working with Spring Boot. The Certificate Authority sent me a folder consists of:
- domain-name.crt (certificate file generated against the domain name)
- bundle.crt (contains CA root and/or intermediate certificates reference. For details about CA root and intermediate certificates click here.
Spring Boot only understands certificate files in .JKS / PKCS12. We need to convert .CRT file into a .JKS format file. Here are the steps:
- Convert certificate to PKCS12 format
openssl pkcs12 -export -in <domain-name.crt> -inkey </path-to private.key> -name <alias-name> -out <domain-name.p12>. This will generate a .p12 file - Import PKCS12 file in JKS keystore
keytool -importkeystore -deststorepass <pass-phrase> -destkeystore keystore.jks -srckeystore <your .p12 file> -srcstoretype PKCS12. A file with .jks extension will be created. - Import CA bundle certificate into JKS keystore
keytool -import -alias <alias-name> -trustcacerts -file <bundle.crt> -keystore keystore.jks
Note:
Private.key is a key that you generate for the CA to use it for certificate issuing.
pass-phrase is a password that protect your private key. That you provide will creating the private.key. For more info
Finally copy .jks file to your project /resource folder and update application.properies file.
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=<pass-phrase>
server.ssl.key-alias=<alias-name>
And it should work.
You need to create a keystore and a trusstore(or use default trusstore provided by java). keystore will contain your private key and server certificate. truststore will contain your ca certificate. to create a p12 keystore-
openssl pkcs12 -export -in [path/to/certificate] -inkey [path/to/privatekey] -certfile [path/to/ca/certificate ] -out keystore.p12
enter a password for keystore. configure this keystore in your application.yaml.
For trust-store entry, if using java's default trust-store then add your ca certificate to ...jre/lib/security/cacerts
keytool -import -trustcacerts -alias root -file ca.crt -keystore cacerts
or you can create trusstore then configure this truststore in your application.yaml
all keytool commands you can easily find on internet to convert/create/import/export/list...
Provided 3 files you can check which is which- 1. should be your certificate 2. should be ca certificate chain
If you want Openssl to be added to spring boot.
Follow below steps if you already installed openssl software. //create key and public certificate
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
//test
openssl x509 -text -noout -in certificate.pem
//combine key and public certificate
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
//test
openssl pkcs12 -in certificate.p12 -noout -info
In spring boot properies add below
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:certificate.p12
# The password used to generate the certificate
server.ssl.key-store-password=password
reference