Generating HTTPS Certificates

Self-signed HTTPS key and certificate

  • $ openssl genrsa -out https.key 2048 generates the 2048-bit RSA private key https.key in the current directory. Then $ openssl req -new -x509 -key https.key -out https.cert -days 3650 -subj /CN=home.susaansart.com generates the self-signed certificate https.cert from that key, valid for ten years; -subj sets the subject without prompting. Note that this puts the host name only in the CN: modern browsers match the host name against the subjectAltName extension and ignore the CN, so such a certificate is fine for curl -k and internal tooling, but a browser will still report a name mismatch even after the certificate has been trusted.

With Java Spring Boot Security

The steps in this section are strictly for non-production use. In production the certificate should come from a trusted CA (or an internal PKI) and the key store password from a secrets manager; neither the key store nor its password belongs in the source tree or in the jar.

Generating the Certificate

  • To configure HTTPS for a Java Spring Boot application for testing or a POC, we can generate a self-signed certificate with OpenSSL as given above, or in one step with $ openssl req -newkey rsa:2048 -x509 -keyout key.pem -out cert.pem -days 365. This command prompts for a PEM pass phrase to encrypt the private key and then for the subject fields (country, organisation, common name and so on).

  • In our example, we use the password 12345 for the pass phrase and for the PKCS12 export password below.

  • The command outputs two files: key.pem (the encrypted private key) and cert.pem (the self-signed certificate). In the next step they are bundled into the key store that Spring Boot loads.

Generating the PKCS12 key

  • Spring Boot reads the key and certificate from a key store. In most cases the store is in the Public Key Cryptography Standard #12 (PKCS12) format, which is also the JDK's default key store type; the older Java KeyStore (JKS) format is used less frequently.

  • $ openssl pkcs12 -export -in cert.pem -inkey key.pem -out certificate.p12 -name "certificate"

  • This command takes the two previously generated files (key.pem and cert.pem) and creates the PKCS12 key store certificate.p12 with the entry alias "certificate". It prompts first for the pass phrase of key.pem and then for an export password; the export password is the one Spring Boot needs as server.ssl.key-store-password.
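The self-signed key and certificate from the section above and the PKCS12 export from this one, as a single script. This is an added example, not code from the page: it assumes OpenSSL 1.1.1 or later on PATH (for -addext), uses localhost as the host name and the page's password 12345, and writes into a temporary directory. Unlike the interactive commands it adds a subjectAltName, which is what browsers and Java clients actually check, and it opens the finished store with the password Spring Boot will use so that a mistake shows up here rather than at application start.

```shell
#!/bin/sh
# Added example (not from the page): the self-signed key/certificate and the
# PKCS12 export from the steps above as one script. Assumes OpenSSL 1.1.1 or
# later on PATH (for -addext); writes into a temporary directory.
set -eu

# gen_selfsigned DIR NAME DAYS -> DIR/key.pem and DIR/cert.pem
# -nodes leaves the key unencrypted so nothing is prompted for; the password
# Spring Boot needs is the PKCS12 export password set below, not a key
# pass phrase. A subjectAltName is added because clients match the host name
# against SAN, not CN (the CN-only certificate in the text passes curl -k only).
gen_selfsigned() {
    dir=$1; name=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days "$days" \
        -subj "/CN=$name" \
        -addext "subjectAltName=DNS:$name,IP:127.0.0.1" 2>/dev/null
}

# export_pkcs12 DIR PASSWORD -> DIR/certificate.p12
# Same command as the page, alias "certificate", with the export password
# passed as an argument instead of typed at the prompt.
export_pkcs12() {
    dir=$1; pass=$2
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/certificate.p12" -name certificate -passout "pass:$pass"
}

# p12_subject DIR PASSWORD -> prints the subject of the certificate in the
# key store. Opening the store with the password from application.properties
# here catches a wrong password before the application refuses to start.
p12_subject() {
    dir=$1; pass=$2
    openssl pkcs12 -in "$dir/certificate.p12" -passin "pass:$pass" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# cert_has_san FILE NAME -> 0 if FILE's subjectAltName lists DNS:NAME
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

WORK=$(mktemp -d)
gen_selfsigned "$WORK" localhost 365
export_pkcs12 "$WORK" 12345          # 12345 is the page's key-store-password
p12_subject "$WORK" 12345            # the store opens with that password
```

Copy $WORK/certificate.p12 into src/main/resources and the properties in the next section apply unchanged. OpenSSL 3 writes the store with AES-256-CBC and PBKDF2 by default; if an old JDK refuses to open it, re-run the export with the OpenSSL 3 `-legacy` option to get the older encoding.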

Configuring Spring Boot

  • Place certificate.p12 in the Spring Boot application’s src/main/resources folder. This packages the private key into the jar, which is acceptable only for the non-production use described above.

  • Add the following lines to the application.properties file. In a Java .properties file a # starts a comment only at the beginning of a line; text after a value on the same line becomes part of the value (here it would become part of the password), so the comments are kept on their own lines:

# Key store format
server.ssl.key-store-type=PKCS12
# The PKCS12 file name, loaded from src/main/resources
server.ssl.key-store=classpath:certificate.p12
# The export password used to create this file
server.ssl.key-store-password=12345

Testing the application

The Spring Boot application needs an endpoint to test over HTTPS, which can be created with code like the following:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    @GetMapping("/hello")
    public String hello() {
        return "Hello!";
    }
}
  • The code above, in the class file HelloController.java, maps an HTTP endpoint to /hello; once the server.ssl properties are set, the embedded server serves it over HTTPS on the same port (8080 by default).

  • We can use $ curl -u user:b857af76-e94a-4ba4-98a9-e990f932f84e -k https://localhost:8080/hello to test this endpoint.

  • The -k option makes curl skip verification of the server certificate, which is needed here because a self-signed certificate chains to no trusted CA. To test with verification on, pass the certificate itself as the trust anchor instead, curl --cacert cert.pem https://localhost:8080/hello; that only succeeds if the certificate’s subjectAltName covers the host name used (localhost).

  • The -u option supplies HTTP basic credentials for user, the default account Spring Boot Security configures when the application has no security configuration of its own; its password is generated anew each time the application starts and is printed in the startup log after "Using generated security password:".

  • The response should be Hello! as shown in the code above.

For completeness, the relevant sections in the pom.xml are provided here to show that only the spring boot web and spring boot security dependencies are required for the exercise above.

<properties>
        <java.version>15</java.version>
</properties>

<dependencies>
        <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-test</artifactId>
                <scope>test</scope>
        </dependency>
        <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-test</artifactId>
                <scope>test</scope>
        </dependency>
</dependencies>

Let’s Encrypt Certificate

Installing NGINX and the site

  • Install nginx: # apt install -y nginx

  • Create a simple nginx configuration file called thomas-pk.conf in /etc/nginx/sites-available/ as shown below:

server {
    server_name thomas-pk.com www.thomas-pk.com;
    root /var/www/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    location /notes/ {
      proxy_pass http://192.168.1.71:80/;
    }
}
  • # ln -s /etc/nginx/sites-available/thomas-pk.conf /etc/nginx/sites-enabled/thomas-pk.conf enables the site in nginx. Remove any other file in sites-enabled that is not needed (for example the default site) so that only the intended server block answers. On Debian/Ubuntu the main nginx.conf includes every file in sites-enabled/, while files in conf.d/ are only picked up with a .conf suffix.

  • # nginx -t to test if the configuration is correct for nginx.

  • # systemctl restart nginx to restart and reload the new nginx configuration.

Installing Certbot and applying for the certificate

  • Install certbot with its nginx plugin: # apt install -y python3-certbot-nginx (the package pulls in certbot itself).

  • Allow inbound connections from the internet to port 80 and port 443 on the firewall. Port 80 must stay reachable: the nginx plugin proves control of the domain with the HTTP-01 challenge, which Let’s Encrypt validates over port 80, at issuance and at every renewal. Port 443 is what the site is served on afterwards.

  • # certbot --nginx -d thomas-pk.com -d www.thomas-pk.com obtains the certificate and rewrites the server block in thomas-pk.conf to listen on 443 with the new certificate, typically adding a redirect from port 80 to HTTPS as well. The certificate and key are kept under /etc/letsencrypt/live/thomas-pk.com/.

  • $ sudo certbot renew --dry-run runs a renewal against the Let’s Encrypt staging environment without replacing anything, which confirms that the firewall ports are open and the nginx configuration still works for a real renewal. The package installs a systemd timer (or cron job) that runs certbot renew automatically; Let’s Encrypt certificates are valid for 90 days and certbot renews them once fewer than 30 days remain.
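Checks to run after the initial issuance and after each renewal, so that an expiring or never-reloaded certificate is noticed before visitors see a browser error. This is an added example, not code from the page: it assumes OpenSSL on PATH and certbot’s default /etc/letsencrypt/live/<domain>/fullchain.pem layout, and the live-server functions need network access to thomas-pk.com.

```shell
#!/bin/sh
# Added example (not from the page): post-issuance and post-renewal checks for
# the Let's Encrypt certificate. Assumes OpenSSL on PATH and certbot's default
# live/ layout; the served_cert / live_cert_valid_for_days functions need
# network access to the host.
set -eu

# cert_valid_for_days FILE DAYS -> 0 if FILE is still valid DAYS from now.
# "openssl x509 -checkend N" exits 1 once the certificate would be expired
# N seconds from now, so no date parsing is needed.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# served_cert HOST PORT -> prints the leaf certificate HOST actually serves
# (SNI is set so the right virtual host answers). Needs network access.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# live_cert_valid_for_days HOST PORT DAYS -> 0 if the certificate served for
# HOST is still valid DAYS from now. Comparing this with the file on disk
# catches the common failure of a renewed file that nginx never reloaded.
live_cert_valid_for_days() {
    tmp=$(mktemp)
    served_cert "$1" "$2" > "$tmp"
    if cert_valid_for_days "$tmp" "$3"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Certbot keeps the current certificate at this path (fullchain.pem is what
# nginx is pointed at). The on-disk check only runs where the file exists.
LIVE=/etc/letsencrypt/live/thomas-pk.com/fullchain.pem
if [ -r "$LIVE" ]; then
    if cert_valid_for_days "$LIVE" 30; then
        echo "on-disk certificate valid for at least 30 more days"
    else
        echo "on-disk certificate expires within 30 days: check certbot renew" >&2
    fi
fi
```

Thirty days is certbot’s own renewal threshold, so a certificate that fails the on-disk check after certbot renew has run indicates a broken renewal; run `live_cert_valid_for_days thomas-pk.com 443 30` from a machine outside the network to confirm the renewed certificate is the one actually being served.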