The example was created on Windows, so running it on another platform may require small changes. The winpty prefix in docker.sh is only needed on Windows so that docker can run with the -i flag from a Git Bash / MinTTY terminal.
To create a CA-signed certificate instead of the self-signed ones used below, follow one of the many tutorials available online, for example:
Azure example 1
Azure example 2
Run run.sh, or do the steps by hand:
Create the certs folder
mkdir certs
cd certs
Generate a self-signed server certificate for localhost. The san extension must list every host name and IP address the client will use to reach the server; a name that is not in the SAN fails host name verification on the client side.
keytool -keystore serverkeystore.jks -alias testserver -genkey -keyalg RSA -validity 365 -dname "CN=testserver, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass ishallpassserver -storepass ishallpassserver -ext san=dns:localhost,ip:127.0.0.1
Generate a self-signed client certificate (the original command reused CN=testserver from the server certificate; CN=testclient is used here so the two certificates can be told apart in keystore listings)
keytool -keystore clientkeystore.jks -alias clientKey -genkey -keyalg RSA -validity 365 -dname "CN=testclient, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass ishallpassclient -storepass ishallpassclient
Export the public part of the server key (the certificate) to a .crt file
keytool -export -alias testserver -keystore serverkeystore.jks -file testserver.crt -keypass ishallpassserver -storepass ishallpassserver
Import the exported server .crt into the client keystore as a trusted entry, so the client trusts the server certificate (a key password is not needed for a trusted certificate entry)
keytool -keystore clientkeystore.jks -import -alias testserver -file testserver.crt -trustcacerts -storepass ishallpassclient -noprompt
Export the public part of the client key to a .crt file
keytool -export -alias clientKey -keystore clientkeystore.jks -file testclient.crt -keypass ishallpassclient -storepass ishallpassclient
In some setups the server additionally needs the CA that issued the client certificate in its truststore. That is not the case here: with self-signed certificates the client certificate itself is the trust anchor.
Create the server truststore from the client .crt. Only client certificates in this truststore (here exactly one) are accepted when client authentication is required.
keytool -import -alias clientAlias -file testclient.crt -keystore servertruststore.jks -storepass ishallpasstruststore -noprompt
View the client keystore (.jks)
keytool -list -v -keystore clientkeystore.jks -storepass ishallpassclient
Delete an alias (here the trusted server entry from the client keystore)
keytool -delete -alias testserver -keystore clientkeystore.jks -storepass ishallpassclient
Change an alias
keytool -changealias -alias "testserver" -destalias "testserverChanged" -keystore serverkeystore.jks -keypass ishallpassserver -storepass ishallpassserver
The https://127.0.0.1:8080/ping API can be opened from a browser without a client certificate if the property server.ssl.client-auth=want is set instead of need. With want the server only requests a client certificate and still accepts connections that do not present one, so it effectively switches mutual TLS off for that endpoint; use it for browser testing only and keep need for anything that must be client-authenticated.
Run cert.sh for generating localhost demo certificates
Run jar.sh to compile & extract .jar for docker image
Run docker.sh to create Docker image and run docker container
Or run it with docker-compose:
docker-compose -p test up --force-recreate --build
Make sure the ip (and dns) entries of the server certificate's san extension match the address the client actually connects to, e.g. the container's address; otherwise the client's host name check fails even though the certificate is trusted.
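The following script is an added example, not the repository's run.sh or cert.sh. It performs the keytool steps above in one go (same aliases, file names and demo passwords as the page; CN=testclient, -keysize 2048, the testclient.p12 file name and the function names are this example's own choices), then runs the pre-flight checks a practitioner wants before building the image: that the server certificate's san covers the host name and IP the client will use, that the server truststore really contains the client certificate, and it converts the client keystore to PKCS12 so the client certificate can be presented by curl or imported into a browser. It needs keytool from a JDK on the PATH.

```shell
#!/bin/sh
# Added example: generate the demo mTLS keystores and verify them.
# Not part of the original repository scripts.
set -eu

# Demo passwords taken from the page; never reuse these outside a demo.
SERVER_PASS=ishallpassserver
CLIENT_PASS=ishallpassclient
TRUST_PASS=ishallpasstruststore

# gen_demo_certs DIR HOST IP
# Creates serverkeystore.jks, clientkeystore.jks, servertruststore.jks and the
# exported .crt files in DIR, removing any previous demo files first.
gen_demo_certs() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  rm -f "$dir"/*.jks "$dir"/*.crt "$dir"/*.p12
  # Server key pair; the SAN must cover every name/IP the client connects to.
  keytool -keystore "$dir/serverkeystore.jks" -alias testserver -genkey -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=testserver, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
    -keypass "$SERVER_PASS" -storepass "$SERVER_PASS" -ext "san=dns:$host,ip:$ip"
  # Client key pair (CN=testclient is this example's choice).
  keytool -keystore "$dir/clientkeystore.jks" -alias clientKey -genkey -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=testclient, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
    -keypass "$CLIENT_PASS" -storepass "$CLIENT_PASS"
  # Client trusts server: export server cert, import it into the client keystore.
  keytool -export -alias testserver -keystore "$dir/serverkeystore.jks" \
    -file "$dir/testserver.crt" -storepass "$SERVER_PASS"
  keytool -import -alias testserver -file "$dir/testserver.crt" \
    -keystore "$dir/clientkeystore.jks" -storepass "$CLIENT_PASS" -noprompt
  # Server trusts client: export client cert, build the server truststore from it.
  keytool -export -alias clientKey -keystore "$dir/clientkeystore.jks" \
    -file "$dir/testclient.crt" -storepass "$CLIENT_PASS"
  keytool -import -alias clientAlias -file "$dir/testclient.crt" \
    -keystore "$dir/servertruststore.jks" -storepass "$TRUST_PASS" -noprompt
}

# san_covers KEYSTORE STOREPASS ALIAS NAME
# Returns 0 if NAME is listed as a DNSName or IPAddress in the certificate's
# SubjectAlternativeName extension (as printed by keytool -list -v), else 1.
san_covers() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -Eq "^[[:space:]]*(DNSName|IPAddress): $4\$"
}

# truststore_has KEYSTORE STOREPASS ALIAS
# Returns 0 if the keystore contains an entry with that alias, else 1.
truststore_has() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# export_client_p12 DIR
# Converts the client JKS to PKCS12 (testclient.p12) so curl or a browser can
# present the client certificate to the server.
export_client_p12() {
  keytool -importkeystore -srckeystore "$1/clientkeystore.jks" -srcstorepass "$CLIENT_PASS" \
    -srcalias clientKey -destkeystore "$1/testclient.p12" -deststoretype PKCS12 \
    -deststorepass "$CLIENT_PASS" -destkeypass "$CLIENT_PASS" -noprompt
}

# Usage: ./mtls-certs.sh run [DIR] [HOST] [IP]
if [ "${1:-}" = "run" ]; then
  dir=${2:-certs}; host=${3:-localhost}; ip=${4:-127.0.0.1}
  gen_demo_certs "$dir" "$host" "$ip"
  san_covers "$dir/serverkeystore.jks" "$SERVER_PASS" testserver "$host" || { echo "SAN lacks $host"; exit 1; }
  san_covers "$dir/serverkeystore.jks" "$SERVER_PASS" testserver "$ip" || { echo "SAN lacks $ip"; exit 1; }
  truststore_has "$dir/servertruststore.jks" "$TRUST_PASS" clientAlias || { echo "truststore lacks client cert"; exit 1; }
  export_client_p12 "$dir"
  echo "certificates in $dir are consistent for $host / $ip"
fi
```

With the server running, the resulting files can be tested from outside the JVM with curl --cacert certs/testserver.crt --cert certs/testclient.p12:ishallpassclient --cert-type P12 https://localhost:8080/ping; the same request without --cert should be rejected while server.ssl.client-auth=need is set. If the container is reached through another address, rerun the script with that host name and IP so the SAN check is done against the address that is actually used.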
To change the certificates used by a container, mount the host certs directory into it
docker run -v /host/path/to/certs:/container/path/to/certs -d IMAGE_ID "update-ca-certificates"