Skip to content

Latest commit

 

History

History
64 lines (43 loc) · 3.17 KB

README.md

File metadata and controls

64 lines (43 loc) · 3.17 KB

Spring Boot Server - client tls

Reactive Ping-pong with two-way ssl

Example created in Windows environment so possibly changes requires running in other platform. docker.sh winpty is for windows docker to run with -i flag

To create CA signed certificate you can follow tutorials in WWW
Azure example 1
Azure example 2

Self-signed certificate with java keytool for .jks

Run run.sh

Or
create certs folder
mkdir certs
cd certs

Generating server self-signed certificate for localhost
keytool -keystore serverkeystore.jks -alias testserver -genkey -keyalg RSA -validity 365 -dname "CN=testserver, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass ishallpassserver -storepass ishallpassserver -ext san=dns:localhost,ip:127.0.0.1

Generating client self-signed certificate
keytool -keystore clientkeystore.jks -alias clientKey -genkey -keyalg RSA -validity 365 -dname "CN=testserver, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass ishallpassclient -storepass ishallpassclient

Export servers key public part
keytool -export -alias testserver -keystore serverkeystore.jks -file testserver.crt -keypass ishallpassserver -storepass ishallpassserver

Import exported servers .crt to client keystore
keytool -keystore clientkeystore.jks -import -alias testserver -file testserver.crt -trustcacerts -keypass ishallpassserver -storepass ishallpassclient -noprompt

For two-way ssl

Export clients key public part to .crt

keytool -export -alias clientKey -keystore clientkeystore.jks -file testclient.crt -keypass ishallpassclient -storepass ishallpassclient

In some cases there is issue when server requires its own CA in it's truststore, not this case.

Creating truststore from client .crt
keytool -import -alias clientAlias -file testclient.crt -keystore servertruststore.jks -storepass ishallpasstruststore -noprompt

Other

View client .jks
keytool -list -v -keystore clientkeystore.jks -storepass ishallpassclient

Delete alias
keytool -delete -alias testserver -keystore clientkeystore.jks -storepass ishallpassclient

Changes alias
keytool -changealias -alias "testserver" -destalias "testserverChanged" -keystore serverkeystore.jks -keypass ishallpassserver -storepass ishallpassserver

You can allow use of https://127.0.0.1:8080/ping api from browser, if property set server.ssl.client-auth=want

Run cert.sh for generating localhost demo certificates
Run jar.sh to compile & extract .jar for docker image
Run docker.sh to create Docker image and run docker container
Run: docker-compose.
docker-compose -p test up --force-recreate --build
Make sure cert ext flag ip set correctly

To change certs in container
docker run -v /host/path/to/certs:/container/path/to/certs -d IMAGE_ID "update-ca-certificates"