Enable TLS Springboot

Enable TLS in SpringBoot, Troubleshoot Errors and more

In this post, we are going to learn how to enable TLS in Spring Boot and how to troubleshoot the errors that come up along the way. I assume you are familiar with Java and Spring Boot.

Java supports two keystore formats:

  1. JKS – Java KeyStore (specific to Java)
  2. PKCS – Public-Key Cryptography Standards (open standard; the PKCS #12 format)

Let’s create a JKS-type keystore file using the following command.

keytool -genkey -alias springboot -keyalg RSA -keysize 4096 -validity 365 -dname "CN=example.com,OU=def,O=zee,L=ghi,S=ca,C=us" -keypass springboot -keystore keystore.jks -storeType jks -storepass springboot

  • Alias – name used to identify the generated key pair in the keystore (a keystore can hold multiple key pairs)
  • Keyalg – algorithm used to generate the key pair
  • Keysize and validity – size of the generated key and the validity period of the certificate, e.g. 365 days
  • Keypass and storepass – password protecting the private key and password protecting the keystore file

Note that the generated certificate is self-signed. You can use this for internal APIs, but for publicly exposed APIs you need to request a certificate signed by a certificate authority (CA) and import that instead.

A keystore file called keystore.jks should now exist in the directory where you ran the above command. Copy that file to the root directory of your Maven Spring Boot project and add the following properties to your application.properties file.

server.ssl.key-store=keystore.jks
server.ssl.key-store-password=springboot
server.ssl.key-alias=springboot
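Before starting the server it is worth checking that the keystore, password and alias in those three properties actually open the keystore, and what certificate Tomcat will present. The following is an added example written for this article, not code from the original post or from Spring Boot: a small standalone Java 11+ program (KeystoreCheck is a hypothetical name) that opens keystore.jks the same way the properties describe it, and reports whether the certificate names a given host either as its CN or as a dNSName subject alternative name. A false result for the host you intend to call predicts the hostname-mismatch error clients will later report.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper, not part of Spring Boot: mirrors what server.ssl.key-store,
// server.ssl.key-store-password and server.ssl.key-alias make Tomcat do at startup.
public class KeystoreCheck {

    // Opens the keystore and returns the certificate stored under 'alias'.
    static X509Certificate loadServerCert(String keystorePath, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");           // same type as -storetype jks in the keytool command
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);                          // a wrong store password fails here with an IOException
        }
        if (!ks.isKeyEntry(alias)) {                         // the alias must hold a private key, not only a certificate
            throw new IllegalStateException("alias '" + alias + "' is not a key entry in " + keystorePath);
        }
        return (X509Certificate) ks.getCertificate(alias);
    }

    // True if 'host' appears as the subject CN or as a dNSName SAN.
    // Exact comparison only; wildcard names (*.example.com) are deliberately not handled here.
    static boolean certCoversHost(X509Certificate cert, String host) throws Exception {
        boolean cnMatches = false;
        // RFC 2253 form of the subject, e.g. "CN=example.com,OU=def,O=zee,L=ghi,ST=ca,C=us"
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN") && host.equalsIgnoreCase(String.valueOf(rdn.getValue()))) {
                cnMatches = true;
            }
        }
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();   // null when the cert has no SAN extension
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName tag 2 = dNSName (RFC 5280); entry is [Integer type, String value]
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return true;
                }
            }
        }
        return cnMatches;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";   // host you plan to put in the URL
        // Values below are the ones from the article's keytool command and application.properties.
        X509Certificate cert = loadServerCert("keystore.jks", "springboot".toCharArray(), "springboot");
        cert.checkValidity();                                      // throws once the -validity window has passed
        System.out.println("Subject:     " + cert.getSubjectX500Principal());
        System.out.println("Expires:     " + cert.getNotAfter());
        System.out.println("Self-signed: " + cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()));
        System.out.println("Covers host '" + host + "': " + certCoversHost(cert, host));
    }
}
```

Run it from the project root with `java KeystoreCheck.java localhost` (single-file source launch, Java 11+). With the keystore generated above it prints `Covers host 'localhost': false`, because the certificate only carries CN=example.com and no SAN; passing `example.com` instead prints true.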

Now start the server; the console log should contain the line below. Previously the port was listed as http, now it is https.

Tomcat started on port(s): 8080 (https) with context path

Now let’s try to access our service. Here I have a Spring Boot login service that takes an email and password and validates the login. The following curl command is used to access the service.

curl --header "Content-Type: application/json" \
  --request POST \
  --data '{"email" : "admin@geekposting.com","password" : "pass123"}' \
  https://localhost:8080/api/users/login

That’s it for enabling TLS in Spring Boot. Next, let’s explore some errors we may encounter during the process.

Troubleshoot Errors When Enabling TLS in Springboot

Self-signed certificate issue in the curl client

After executing the curl command above, we encounter the following error.

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

This happens because the server presents a self-signed certificate that curl cannot chain to any CA in its trust store. The proper fix is to obtain a certificate from a CA; for the time being we can instruct curl to skip certificate validation with the -k (--insecure) option, keeping in mind that this also removes the protection TLS gives against a man-in-the-middle, so it is only suitable for local testing.

Overcome the self-signed certificate issue by sharing the public certificate with the client.

There is another way around the untrusted-certificate problem: export the public certificate from the keystore and share it with the client. Let’s export the certificate.

keytool -export -rfc -file public.crt -alias springboot -keystore keystore.jks -storePass springboot

Now invoke the API, passing public.crt to curl as the CA certificate to trust.

curl --cacert public.crt --header "Content-Type: application/json" \
  --request POST \
  --data '{"email" : "admin@geekposting.com","password" : "pass123"}' \
  https://localhost:8080/api/users/login

This results in:

SSL: certificate subject name 'example.com' does not match target hostname 'localhost'.

Now check the CN value given when creating the keystore; in this case it is example.com. Add an example.com entry pointing at the server's address to the /etc/hosts file and call the API using that hostname (https://example.com:8080/api/users/login) so that it matches the CN value. That concludes the article on how to enable TLS in Spring Boot and troubleshoot errors.
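The same approach works for a Java client: load public.crt into an in-memory truststore so that only that certificate is trusted, and leave hostname verification switched on. The program below is an added example written for this article, not code from the original post; TrustedLoginClient is a hypothetical name, and it assumes the exported public.crt from the keytool -export command, the /etc/hosts entry for example.com described above, and Java 11+ (java.net.http.HttpClient).

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical client for the login endpoint; counterpart of "curl --cacert public.crt ...".
public class TrustedLoginClient {

    // Builds an SSLContext whose trust store contains exactly one certificate: the one in pemCert.
    // The JVM's default CA bundle is not consulted, and the default hostname check stays enabled.
    static SSLContext contextTrustingOnly(Path pemCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (var in = Files.newInputStream(pemCert)) {        // -rfc exported the cert as PEM, which X.509 parses
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                           // fresh, empty, in-memory truststore
        trustStore.setCertificateEntry("springboot", serverCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);          // no client key material, only the trust managers
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The URL must use the name in the certificate's CN (example.com, resolved via /etc/hosts).
        // Calling https://localhost:8080 instead fails with the same hostname-mismatch error curl shows.
        String url = args.length > 0 ? args[0] : "https://example.com:8080/api/users/login";
        HttpClient client = HttpClient.newBuilder()
                .sslContext(contextTrustingOnly(Path.of("public.crt")))
                .build();
        HttpRequest request = HttpRequest.newBuilder(URI.create(url))
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(
                        "{\"email\":\"admin@geekposting.com\",\"password\":\"pass123\"}"))
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.statusCode() + " " + response.body());
    }
}
```

Run it with `java TrustedLoginClient.java` from the directory containing public.crt. Pinning a single certificate this way is the client-side equivalent of --cacert: it avoids the -k shortcut, but remember that the exported certificate expires after the 365 days given to keytool, so the client's copy has to be refreshed whenever the server's keystore is regenerated.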
