How to set up client and server certificates (mutual TLS) in Spring Boot, and how to create a self-signed CA and certificates for development. The certificates are generated and signed with a minimal set of tools; the bare minimum is the JDK tools alone.
This example works for local development and server testing. If you have an internal CA, the same certificates can be used in production, but that setup is up to you: the Spring Boot application is configured the same way, only the signing and trusting of the certificates differ.
This setup is mainly for Jetty. Tomcat requires your certificates to be "trusted", so its setup is a little different.
Certificate generation is influenced by lightbend's Nginx setup.
- keytool, distributed with the JDK
- OpenSSL, used only to generate the passwords. It can be dropped (fewer dependencies) by swapping the two password-generation lines at the top of the scripts.
- Edit the environment variables at the top of the script x509server_process.sh if needed
- Edit the environment variables at the top of the script x509client_process.sh
- Execute the x509server_process.sh script
- Execute the x509client_process.sh script
- Copy the server-name CA JKS file and the server-name JKS file (both named after the server name variable in the script) to your src/main/resources folder. If you did not change the script variables:
  mv -f mysecuredserver*.jks src/main/resources/
- Copy the client.jks file to your client's src/main/resources. In this example a JUnit test acts as the client, so client.jks goes into src/test/resources instead:
  mv -f client.jks src/test/resources/
- Take the password from the file password_server_mysecuredserver and update the passwords in application.properties.
Spring Boot adds everything needed once you add the spring-boot-starter-security dependency to the pom.xml.
Update application.properties with the password taken from the password file generated by the server script. Also make sure the JKS file names are correct and match the files you copied to the resources folder.
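As an added example (this is not the project's own file), an application.properties for this setup. The store file names follow the unchanged script defaults, but the exact names the server script writes are an assumption, so check them against what you copied; the passwords are placeholders for the value in password_server_mysecuredserver:

```properties
# Added example application.properties. Store names are assumed from the
# script defaults; paste the password from password_server_mysecuredserver
# and never commit that password file.
server.port=8443

# Server identity: the server key pair, signed by the private CA
server.ssl.key-store=classpath:mysecuredserver.jks
server.ssl.key-store-type=JKS
server.ssl.key-store-password=<password from password_server_mysecuredserver>
server.ssl.key-password=<password from password_server_mysecuredserver>

# Who may connect: the trust store holds ONLY the private CA certificate.
# Do not point this at the JDK cacerts, or any certificate issued by a
# public CA would pass the TLS-level check.
server.ssl.trust-store=classpath:mysecuredserverCA.jks
server.ssl.trust-store-type=JKS
server.ssl.trust-store-password=<password from password_server_mysecuredserver>

# need = the TLS handshake fails without a certificate chained to our CA
# want = the certificate is optional; requests without one reach Spring
#        Security with no principal and are rejected there instead
server.ssl.client-auth=need
server.ssl.enabled-protocols=TLSv1.2
```

The two settings that carry the security weight are `server.ssl.trust-store` (which CA is allowed to issue client certificates) and `server.ssl.client-auth=need` (reject at the handshake rather than after the request has reached the application).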
Implement a WebSecurityConfigurerAdapter; in this example it is added as WebSecurityConfig.java.
Now all your endpoints require a client certificate on every request.
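An added example of such a WebSecurityConfig (not the repository's own class). The allowed subject CN "client" is an assumption and must match whatever your x509client_process.sh variables put into client.jks; place the class in the application's package so it is picked up by component scanning:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the CN that the client script wrote into client.jks.
    // Change it to whatever x509client_process.sh produced for you.
    private static final Set<String> ALLOWED_CLIENT_CNS =
            new HashSet<>(Arrays.asList("client"));

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request needs an authenticated principal. With
            // server.ssl.client-auth=need, connections without a certificate
            // chained to our CA never get this far: Jetty drops them in the handshake.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Extract the principal name from the certificate subject,
            // e.g. "CN=client,OU=dev,O=example" -> "client"
            .x509()
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(userDetailsService())
                .and()
            // Authentication is per TLS connection; no HTTP session is needed.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    /**
     * Maps the certificate CN to an application user. A certificate signed by
     * the CA proves who the client is; this is where you decide whether that
     * client is allowed in. A valid certificate with an unknown CN is rejected.
     */
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        return username -> {
            if (!ALLOWED_CLIENT_CNS.contains(username)) {
                throw new UsernameNotFoundException("unknown certificate subject: " + username);
            }
            // The password is irrelevant: authentication already happened in the TLS handshake.
            return new User(username, "", AuthorityUtils.createAuthorityList("ROLE_CLIENT"));
        };
    }
}
```

Two points worth keeping in mind: the CA in the server trust store answers "was this certificate issued by us?", and the UserDetailsService answers "is this particular subject allowed?"; both checks are needed, because every certificate your CA ever signed passes the first one. CSRF protection is left at its default here. If your only clients are non-browser API clients like the JUnit test, you can disable it, but browsers present client certificates automatically, so a browser-facing endpoint still needs CSRF protection.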
The JUnit test and its helper class use the Apache HttpClient library for simplicity.
If you created new certificates, the helper class must be updated with the password taken from the password_client file that the client script generated.
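An added example of such a test (not the repository's own test or helper class). It assumes Spring Boot 2.x with JUnit 4, Apache HttpClient 4.4 or later, an endpoint at / that returns 200 for an authenticated client, and that client.jks holds both the client key pair and the CA certificate as a trusted entry (so it serves as key store and trust store); the password is a placeholder for the value in the password_client file:

```java
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;

import org.apache.http.HttpStatus;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.web.server.LocalServerPort;
import org.springframework.test.context.junit4.SpringRunner;

import static org.junit.Assert.assertEquals;

@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
public class MutualTlsIT {

    @LocalServerPort
    private int port;

    // Assumption: client.jks (src/test/resources) holds the client key pair AND
    // the CA certificate as a trusted entry. Replace the placeholder with the
    // value from the password_client file written by x509client_process.sh.
    private static final char[] CLIENT_PASSWORD = "<password from password_client>".toCharArray();

    private static KeyStore loadJks(String resource, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = MutualTlsIT.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new FileNotFoundException(resource + " is not on the test classpath");
            }
            ks.load(in, password);
        }
        return ks;
    }

    private static CloseableHttpClient buildClient(SSLContext ctx) {
        // Pin the protocol and keep the DEFAULT hostname verifier: the server
        // certificate must cover the host we connect to (here: localhost).
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                ctx, new String[] {"TLSv1.2"}, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    /** Presents the certificate from client.jks and trusts only the CA inside client.jks. */
    private static CloseableHttpClient clientWithCertificate() throws Exception {
        KeyStore clientJks = loadJks("/client.jks", CLIENT_PASSWORD);
        SSLContext ctx = SSLContexts.custom()
                .loadKeyMaterial(clientJks, CLIENT_PASSWORD) // our certificate + private key
                .loadTrustMaterial(clientJks, null)          // our CA, never the JDK cacerts
                .build();
        return buildClient(ctx);
    }

    /** Trusts the CA but has no key material: an anonymous client. */
    private static CloseableHttpClient clientWithoutCertificate() throws Exception {
        SSLContext ctx = SSLContexts.custom()
                .loadTrustMaterial(loadJks("/client.jks", CLIENT_PASSWORD), null)
                .build();
        return buildClient(ctx);
    }

    private String url() {
        return "https://localhost:" + port + "/";
    }

    @Test
    public void requestWithClientCertificateSucceeds() throws Exception {
        try (CloseableHttpClient client = clientWithCertificate();
             CloseableHttpResponse response = client.execute(new HttpGet(url()))) {
            assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode());
        }
    }

    // With server.ssl.client-auth=need the server aborts the TLS handshake, so the
    // failure surfaces as an SSLException (usually SSLHandshakeException), not as HTTP 401/403.
    @Test(expected = SSLException.class)
    public void requestWithoutClientCertificateFailsInHandshake() throws Exception {
        try (CloseableHttpClient client = clientWithoutCertificate()) {
            client.execute(new HttpGet(url())).close();
        }
    }
}
```

If the first test fails with a hostname verification error, the server certificate generated by the server script does not cover localhost; fix that by adding the host to the server script's variables and regenerating the certificates, not by swapping in NoopHostnameVerifier, which would make the test pass against any server holding a certificate from your CA.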
Now be happy panda!