Adding .crt to Spring Boot to enable SSL

I have never done this before, and most of the tutorials do not mention how to deal with .crt files.

I bought an SSL certificate from GoDaddy, and selected Tomcat as a platform when downloading it. The zip file contained 3 files:

dea08asdjakjawl.crt  
gd_bundle-g1-g1.crt  
gdig.crt.pem  

I have a running Spring Boot application (on port 80 with an embedded Tomcat) on a CentOS7 server. (Server is running on Digital Ocean, it has an assigned domain, and works with simple http)

I would like to switch it to https://something.com

All the tutorials suggest that I must have a .jks or a .p12 file for that, but I wasn't able to convert the .crt files to that. Besides, I am not sure which of the 2 .crt files is the one I should convert to .jks/.p12.

I have added this to my application.yaml, but didn't help:

server:    
  port: 443  
  ssl:  
    enabled: true  
    key-alias: server  
    key-store: "cert.crt"  
    key-store-password: "***"  

How can I change my running Spring Boot project to accept HTTPS queries using this certificate?



Solution 1:[1]

So the correct procedure was the following:

I had to recreate the CSR from scratch, using a Java Key Store instead.

keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048

Then a new CSR:

keytool -certreq -alias mydomain -keystore KeyStore.jks -file mydomain.csr

That had to be resent to the cert provider to generate a new .cer file. So they sent me back the mentioned 2 .cer files, the "bundle" one was the intermediate .cer, which I needed to add like this:

keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks

Then the actual "long-named" .cer file like this:

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore KeyStore.jks

Then this is something which can be converted to p12 like this:

keytool -importkeystore -srckeystore <MY_KEYSTORE.jks> -destkeystore <MY_FILE.p12> -srcstoretype JKS -deststoretype PKCS12 -deststorepass <PASSWORD_PKCS12> -srcalias <ALIAS_SRC> -destalias <ALIAS_DEST>

Finally the application.properties needed extra lines and became something like this:

server.port=443
server.ssl.enabled=true
security.require-ssl=true
server.ssl.key-store=keystore.p12
server.ssl.key-store-password=password
server.ssl.key-alias=domain
server.ssl.key-password=password

And it is finally working.

Solution 2:[2]

I had this problem before when working with Spring Boot. The Certificate Authority sent me a folder consisting of:

  • domain-name.crt (certificate file generated against the domain name)
  • bundle.crt (contains the CA root and/or intermediate certificates. For details about CA root and intermediate certificates click here.)

Spring Boot only understands certificate files in .JKS / PKCS12. We need to convert the .CRT file into a .JKS format file. Here are the steps:

  1. Convert the certificate to PKCS12 format:

     openssl pkcs12 -export -in <domain-name.crt> -inkey </path-to private.key> -name <alias-name> -out <domain-name.p12>

     This will generate a .p12 file.
  2. Import the PKCS12 file into a JKS keystore:

     keytool -importkeystore -deststorepass <pass-phrase> -destkeystore keystore.jks -srckeystore <your .p12 file> -srcstoretype PKCS12

     A file with .jks extension will be created.
  3. Import the CA bundle certificate into the JKS keystore:

     keytool -import -alias <alias-name> -trustcacerts -file <bundle.crt> -keystore keystore.jks

Note:

private.key is the key that you generate for the CA to use for certificate issuing.
pass-phrase is the password that protects your private key, which you provide while creating the private.key. For more info

Finally copy the .jks file to your project /resource folder and update the application.properties file.

server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=<pass-phrase>
server.ssl.key-alias=<alias-name>

And it should work.

Solution 3:[3]

You need to create a keystore and a truststore (or use the default truststore provided by Java). The keystore will contain your private key and server certificate. The truststore will contain your CA certificate. To create a p12 keystore:

openssl pkcs12 -export -in [path/to/certificate] -inkey [path/to/privatekey] -certfile [path/to/ca/certificate ] -out keystore.p12

Enter a password for the keystore. Configure this keystore in your application.yaml.

For trust-store entry, if using java's default trust-store then add your ca certificate to ...jre/lib/security/cacerts

keytool -import -trustcacerts -alias root -file ca.crt -keystore cacerts

Or you can create a truststore, then configure this truststore in your application.yaml.

All the keytool commands to convert/create/import/export/list... you can easily find on the internet.

Of the 3 files provided you can check which is which: 1. should be your certificate, 2. should be the CA certificate chain.

Solution 4:[4]

If you want to use OpenSSL with Spring Boot, follow the steps below (assuming you have already installed the openssl software).

Create the key and public certificate:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Test:

openssl x509 -text -noout -in certificate.pem

Combine the key and public certificate:

openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12

Test:

openssl pkcs12 -in certificate.p12 -noout -info

In the Spring Boot properties add the below:

server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:certificate.p12
# The password used to generate the certificate
server.ssl.key-store-password=password

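An added example, not from any of the answers above, that ties Solutions 1 to 4 together: it tells the two .crt files apart (leaf vs. CA bundle), checks that the private key really belongs to the domain certificate, and builds the PKCS12 keystore with the CA bundle included, then verifies what went in. It assumes only the openssl CLI; the alias, password and file names are placeholders, and make_demo_pki builds a constructed throwaway CA so the whole flow runs offline.

```shell
#!/bin/sh
# Added example (not from any answer above): classify the .crt files, prove
# the private key belongs to the server cert, and build the PKCS12 keystore
# Spring Boot reads. Only the openssl CLI is needed; names are placeholders.

# "ca" if basicConstraints says CA:TRUE (root/intermediate bundle),
# otherwise "leaf" (the certificate issued for your domain).
cert_kind() {   # cert.pem
  if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo leaf
  fi
}

# Succeeds only when the public key inside the cert equals the one derived
# from the private key; a mismatch is why a keystore silently fails.
key_matches_cert() {   # cert.pem key.pem
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# keystore.p12 = server cert + private key + CA bundle, stored under the
# alias that server.ssl.key-alias will reference.
build_p12() {   # cert.pem key.pem bundle.pem out.p12 alias password
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name "$5" -out "$4" -passout "pass:$6" 2>/dev/null
}

# Number of certificates in a PKCS12 file (leaf + chain expected).
p12_cert_count() {   # keystore.p12 password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo PKI: a throwaway root CA and a leaf for something.com,
# so the functions above can be exercised offline.
make_demo_pki() {   # dir
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:something.com\n' > "$1/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 1 \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=something.com' \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/leaf.ext" -out "$1/server.crt" 2>/dev/null
}
```

Point server.ssl.key-store at the resulting keystore.p12 (with server.ssl.key-store-type=PKCS12), or run the keytool -importkeystore command from Solution 1 on it if you prefer JKS.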

Solution 5:[5]

If using Java, one generates the private key and the CSR using the keytool command using the -keystore parameter. I admit that I do not know if and how it is possible to import existing ones into a keystore (keytool allows import of certificates), but there might be a way.

In the worst case scenario, re-generate the CSR with key tool and re-generate the SSL/TLS certificates again - it should come at no extra cost.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Macskasztorik
Solution 2 Mustafa Kannan
Solution 3 Mukesh
Solution 4
Solution 5 Alessandro Santini