Login/Register
Client Certificate Authentication with Spring Boot
Asked Answered
Solved javaspringspring-bootssltruststore
M

1

9

I need to import a certificate in order to make a http request to an external service in a Spring Boot application.

How do I set up Spring Boot in order to do this?

There's a lot of information out there but I'm finding it all a bit confusing. It seems as though I may just need to create something like a "truststore.jks" keystore and import the correct certificate, and and add some entries to my application.properties.

Mabe answered 4/7, 2018 at 15:49 Comment(2)
If I understand correctly, you need ssl to connect to another web service? So, your app should be accessible with e.g.https://localhost. isn't it?Fausta
I need a specific client certificate to authenticate my requests to a third party service.Mabe
F
19

Start by generating a self-signed certificate using keytoolif you don't already have one

Open your terminal or cmd

keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650

Answer all the questions. In the first question: what's your first name and last name put localhost.

If you have already a certificate yourcertificate.crt do this

keytool -import -alias tomcat -file yourcertificate.crt -keystore keystore.p12 -storepass password

You will get a file called keystore.p12.

Copy this file to your resources folder

Add the following lines to your properties file

# Define a custom port instead of the default 8080
server.port=8443

# Tell Spring Security (if used) to require requests over HTTPS
security.require-ssl=true

# The format used for the keystore 
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:keystore.p12
# The password used to generate the certificate
server.ssl.key-store-password= {your password here}
# The alias mapped to the certificate
server.ssl.key-alias=tomcat

Create a Config class as follows

@Configuration
public class ConnectorConfig {

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(getHttpConnector());
        return tomcat;
    }

    private Connector getHttpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setSecure(false);
        connector.setRedirectPort(8443);
        return connector;
    }
}

Now your application is accessible with https://localhost:8443

Now you can access your third service that asks you for ssl authentication

Fausta answered 5/7, 2018 at 6:0 Comment(4)
Thanks Dfor Tye. The third party service has given me a certificate that I need to present with all requests - should I just import this cert into the keystore I create using your instructions?Mabe
That's exactly what I was looking for! Thanks again.Mabe
This was very helpful to me, but I encountered a problem where an older Java-version by default creates a JKS-formatted keystore, instead of the desired PCKS12-format in this tutorial. I used ---> keytool -import -alias tomcat -file yourcertificate.crt -keystore keystore.p12 -storepass password -storetype PKCS12Siblee
2 Years and its still useful! Thanks!!Hebert

© 2022 - 2024 — McMap. All rights reserved.