Introduction
In this example I am going to show you how to run your Spring Boot application over the HTTPS protocol. HTTPS is a secured protocol, whereas HTTP is unsecured, so data passed over the network using HTTPS is encrypted.
The application I am going to build runs in the local environment, and for this local environment I will use a self-signed certificate. The self-signed certificate will be generated with keytool, which ships with the JDK, so you don't need any external software.
At first, the browser will not trust the self-signed certificate, even when you use HTTPS instead of HTTP. So I will also show you how to make your browser trust your self-signed certificate.
Prerequisites
Java 1.8+, Maven 3.8.2, Spring Boot 2.5.4
Project Setup
You can create a Maven-based project in your favorite IDE or tool. The name of the project is spring-boot-application-https.
You can use the following pom.xml file, which has the required dependencies.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.roytuts</groupId>
    <artifactId>spring-boot-application-https</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
    </properties>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.4</version>
    </parent>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
Rest Controller
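This is a simple REST controller that publishes an endpoint returning a welcome message. I will test this endpoint over both HTTP and HTTPS.
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@SpringBootApplication
public class SpringHttpsApp {

    public static void main(String[] args) {
        SpringApplication.run(SpringHttpsApp.class, args);
    }

    // Single endpoint used to compare the HTTP and HTTPS behaviour
    @GetMapping("/")
    public ResponseEntity<String> home() {
        return new ResponseEntity<String>("Welcome to self-certificate https site", HttpStatus.OK);
    }
}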
Testing the Application
When you hit the URL http://localhost:8080 in the browser and click on the info icon, you will see the following page.
So your site is not secure, as it is running over the HTTP protocol. Now I will show you how to use a self-signed certificate to secure your site.
Generate Self-Signed Certificate using Java Keytool
Generate a self-signed certificate using the following Java keytool command:
keytool -genkeypair -alias selfsigned -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore ssl.p12 -validity 3650 -ext san=dns:localhost
If you want to set the password at the time of generating the certificate, you can add the storepass option:
keytool -genkeypair -alias selfsigned -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore ssl.p12 -storepass changeit -validity 3650 -ext san=dns:localhost
Arguments in the keytool command:
genkeypair: generates a key pair
alias: alias of the key pair that uniquely identifies the certificate in the keystore
keyalg: algorithm used for generating the key pair in the certificate
keysize: size of the key in the certificate
storetype: type of the keystore in which the key pair and certificate are stored
keystore: the name of the keystore file that holds the certificate
storepass: password used for the keystore
validity: number of days, counted from now, for which the certificate will be valid
ext san=dns: includes an X.509 extension for Subject Alternative Name (SAN), which the browser matches against the host name; it is needed for the certificate to be trusted by the browser
The file ssl.p12 gets generated under eclipse_workspace. You can generate it at any location. You can also use genkey instead of genkeypair for generating the certificate.
Now copy the ssl.p12 file and put it under the src/main/resources classpath folder.
Config File – application.properties
Now configure the SSL certificate in src/main/resources/application.properties file:
server.port=8443
server.ssl.enabled=true
server.ssl.key-alias=selfsigned
server.ssl.key-store=classpath:ssl.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=changeit
The port for the application is 8443, SSL is enabled, and the key alias, keystore path, keystore type and keystore password are specified.
Testing the Application
Now restart your application. The server will start on port 8443, as shown in the following log:
INFO 21280 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8443 (https) with context path ''
If you try to access the URL over HTTP – http://localhost:8443, then you will see the following error message:
The above page is shown in the Chrome browser and the self-signed certificate is not trusted by the browser.
You can click on Advanced and click on Proceed to localhost (unsafe):
And you will see the following output:
But still, it is showing Not secure for the URL in the browser.
Install Self-Signed Certificate in Chrome
Now I will install this self-signed certificate in the Chrome browser.
In the address bar, click on the red warning triangle and “Not secure” message and, from the resulting menu, select “Certificate” to show the certificate.
In the window that pops up, select the “Details” tab (immediately to the right of “General” tab), and click on the “Copy to File…” at the bottom right of the tab.
This launches the Certificate Export Wizard; click “Next” at the bottom, which takes you to a radio-button dialogue for selecting the format. Leave the default “DER encoded binary X.509 (.CER)” and click Next again.
Use the “Browse…” button to choose a file name and location, such as Documents (or wherever you’d like to leave the exported cert), and remember the name and path. Click “Next” to export the cert and then “Finish”.
You will see the successful message:
Next open the Chrome settings page, scroll to the bottom, and expand the “Advanced” section; in the “Privacy and security” panel, click on Security and again click on the “Manage certificates” area.
In the pop-up “Certificates” window, select the “Trusted Root Certification Authorities” tab, and click on the “Import…” button; this will launch the Certificate Import Wizard.
Click “Next” and, on the next page, select “Browse…” and use the explorer window to locate the certificate you exported earlier.
Click “Next” again, then “Finish”, and, in the “Security Warning” pop-up, click on “Yes”; you should see yet another pop-up letting you know that the import was successful.
Testing the Application
Restart Chrome, and navigate to the webpage again; this time you should see the closed padlock and “Secure” annotation to the left of the URL.
Now hit the URL https://localhost:8443 in the Chrome browser. The red warning is gone, and clicking on the closed padlock shows that the connection is secure.
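The same trust decision can be made from Java code instead of the browser. The following is an added example, not code from the original post: it copies only the public certificate out of the tutorial's ssl.p12 into an in-memory trust store and uses it as the sole trust anchor when calling https://localhost:8443. The class name SelfSignedTrustCheck is hypothetical, and the example assumes the application from this tutorial is running and that the program is started from the project root.

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class name): trust only the tutorial's self-signed certificate.
public class SelfSignedTrustCheck {

    // Builds an SSLContext whose only trust anchor is the certificate stored under the given alias.
    static SSLContext contextTrustingOnly(String p12Path, char[] password, String alias) throws Exception {
        KeyStore source = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(p12Path))) {
            source.load(in, password);
        }
        Certificate cert = source.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("No certificate under alias '" + alias + "'");
        }
        // Copy the public certificate only; the private key never enters the trust store.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry(alias, cert);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Path, password and alias are the values used in this tutorial.
        SSLContext context = contextTrustingOnly("src/main/resources/ssl.p12", "changeit".toCharArray(), "selfsigned");
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(context.getSocketFactory());
        // The default HostnameVerifier stays active, so "localhost" must match the SAN from -ext san=dns:localhost.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            System.out.println(conn.getResponseCode() + " " + reader.readLine());
        }
    }
}
```

Because certificate validation and host name checking both stay enabled, the call fails with an SSLHandshakeException if the server presents any other certificate.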
That’s all about how to configure Spring Boot applications over HTTPS protocol.