Generating HTTPS Certificates
Self Signed HTTPS key
$ openssl genrsa -out https.key 2048
will generate the private key called https.key in the local directory. Then,
$ openssl req -new -x509 -key https.key -out https.cert -days 3650 -subj /CN=home.susaansart.com
will generate the self-signed certificate https.cert from the private key.
With Java Spring Boot Security
The steps provided in this section are strictly for non-production purposes. In a production setting, the certificate and passwords should be checked out from a certificate management service, not stored alongside the application.
Generating the Certificate
To configure HTTPS for a Java Spring Boot application for testing or a POC, we can generate a self-signed certificate using OpenSSL as given above, or start with
$ openssl req -newkey rsa:2048 -x509 -keyout key.pem -out cert.pem -days 365
In our example, we provide the password 12345 when prompted. The command outputs two files: key.pem (the private key) and cert.pem (the public certificate). These files are required to build the keystore that enables HTTPS in our Spring Boot application.
Generating the PKCS12 key
In most cases, the keystore is in Public Key Cryptography Standard #12 (PKCS12) format. Less frequently, the Java KeyStore (JKS) format is used.
$ openssl pkcs12 -export -in cert.pem -inkey key.pem -out certificate.p12 -name "certificate"
This command takes the two previously generated files (key.pem and cert.pem) and creates the PKCS12 file certificate.p12 containing the self-signed certificate and its private key. It prompts for an export password; use the same 12345 so that the Spring Boot configuration matches.
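The self-signed key, certificate and PKCS12 steps above, followed by the checks worth running before handing the bundle to Spring Boot: that the .p12 opens with the password, that the key inside matches the certificate, that the certificate is not about to expire, and that the hostname is in the Subject Alternative Name. This is an added example, not part of the original notes; it assumes an OpenSSL 1.1.1 or newer binary, and the hostname, throwaway password and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: generate the self-signed bundle as in the notes, then verify it.
set -eu

HOST="${HOST:-localhost}"       # constructed: CN/SAN used for the test certificate
P12_PASS="${P12_PASS:-12345}"   # same throwaway password as the notes use
WORK="${WORK:-$(mktemp -d)}"    # scratch directory for key.pem, cert.pem, certificate.p12

# Key + self-signed certificate in one step, unattended: -nodes leaves the key
# unencrypted, -subj/-addext set the name so openssl asks no questions. The SAN is
# what modern clients match the hostname against, the CN alone is not enough.
gen_selfsigned() {
  openssl req -newkey rsa:2048 -x509 -nodes -days 365 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/certificate.p12" -name certificate -passout "pass:$P12_PASS"
}

# Prints "ok" when the .p12 opens with $P12_PASS, the certificate inside matches
# key.pem, the certificate stays valid for at least $1 more days (default 30) and
# the SAN lists $HOST; otherwise prints the first failing reason.
verify_bundle() {
  days="${1:-30}"
  openssl pkcs12 -in "$WORK/certificate.p12" -passin "pass:$P12_PASS" \
    -nokeys -clcerts -out "$WORK/from_p12.crt" 2>/dev/null \
    || { echo "p12 password rejected"; return 0; }
  cert_pub=$(openssl x509 -in "$WORK/from_p12.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert"; return 0; }
  openssl x509 -in "$WORK/from_p12.crt" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "cert expires within $days days"; return 0; }
  openssl x509 -in "$WORK/from_p12.crt" -noout -text | grep -q "DNS:$HOST" \
    || { echo "SAN missing $HOST"; return 0; }
  echo ok
}

gen_selfsigned
verify_bundle 30
```

Point server.ssl.key-store at the resulting certificate.p12 only after verify_bundle prints ok; a mismatched key or a wrong password otherwise surfaces as an opaque startup failure.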
Configuring Spring Boot
Place this certificate.p12 file in the Spring Boot application's src/main/resources folder. Add the following lines to the application.properties file. Note that comments in a .properties file must be on their own line: text after a # on a value line is part of the value, so a trailing comment on the password line would silently change the password.
# The PKCS12 certificate file name
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:certificate.p12
# The password used to create this file
server.ssl.key-store-password=12345
Testing the application
The Spring Boot application should have an HTTPS test endpoint, which can be created with code similar to the following:
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    // Minimal endpoint used only to confirm the HTTPS listener works
    @GetMapping("/hello")
    public String hello() {
        return "Hello!";
    }
}
The code above, in the class file HelloController.java, exposes an HTTP endpoint mapped to /hello. We can use
$ curl -u user:b857af76-e94a-4ba4-98a9-e990f932f84e -k https://localhost:8080/hello
to test this endpoint. The -k option skips verification of the server certificate, which is needed here only because the certificate is self-signed. The -u option provides the default user configured by Spring Boot Security, user, together with the password that is generated automatically and printed to the log each time the application starts. The response should be
Hello!
as returned by the controller above.
For completeness, the relevant sections of the pom.xml are provided here to show that only the Spring Boot Web and Spring Boot Security starter dependencies are required for the exercise above.
<properties>
    <java.version>15</java.version>
</properties>
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>
Let's Encrypt Certificate
Installing NGINX and the site
Install nginx:
# apt install -y nginx
Create a simple nginx configuration file called thomas-pk.conf in /etc/nginx/sites-available/ as shown below:
server {
    server_name thomas-pk.com www.thomas-pk.com;
    root /var/www/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    location /notes/ {
        proxy_pass http://192.168.1.71:80/;
    }
}
Run
# ln -s /etc/nginx/sites-available/thomas-pk.conf /etc/nginx/sites-enabled/thomas-pk.conf
to enable the site configuration in nginx. Remove any other configuration file in sites-enabled that is not required. The nginx configuration file must have a .conf suffix. Then
# nginx -t
tests whether the configuration is valid, and
# systemctl restart nginx
restarts nginx so that it loads the new configuration.
Installing Certbot and applying for the certificate
Install certbot:
# apt install -y python3-certbot-nginx
Allow inbound internet connections on the firewall for port 80 and port 443. Both ports must also be open for renewals. Then run
# certbot --nginx -d thomas-pk.com -d www.thomas-pk.com
This should complete the certificate issuance, and certbot updates the nginx site configuration to use the new certificate. Use
$ sudo certbot renew --dry-run
to check that the firewall ports are open so that a certificate renewal will succeed.