
SSL (Secure Sockets Layer) is a protocol used to establish an encrypted and authenticated connection between a server and a client over a network (internet or intranet), so that sensitive information can be transmitted securely. Every SSL version is now deprecated; what current servers and clients (including the Spring Boot applications below) actually negotiate is its successor TLS (Transport Layer Security), but the name SSL has stuck and is kept throughout this post.

An SSL connection is established by a process called the SSL handshake. The handshake uses SSL certificates, each paired with a private key, which are installed on the server and on the client applications. A handshake can be of 2 types, 1-way and 2-way (mutual). In 1-way SSL only the client verifies the server's certificate; the client itself is not authenticated at the transport layer. In 2-way (mutual) SSL the client verifies the server's certificate and the server also verifies the client's certificate, so the client is identified by a private key it holds rather than by a password it sends.

1. Steps to create an SSL certificate using OpenSSL (a command line tool):

[The steps below (1.1 through 1.4) outline the process of creating an SSL certificate on the server. The same steps, with the file names changed, create the SSL certificate on the client side; the client's private key stays on the client just as the server's stays on the server.]


1.1 Generate a private key using the genrsa command:

openssl genrsa -des3 -out server.key 2048

This command creates a 2048-bit (the recommended minimum) private key for the RSA cryptosystem. The -des3 option encrypts the key file with Triple DES under a passphrase that OpenSSL prompts for; the passphrase is asked for again every time the key is used (steps 1.2, 1.3 and 2.2). A passphrase is recommended for a key that is stored on disk; -aes256 in place of -des3 gives the same behaviour with a stronger cipher.


1.2. Generate a CSR (Certificate Signing Request)

openssl req -new -key server.key -out server.csr

This command creates a CSR file, an encoded text file containing the public key and information identifying the requester, signed with the private key to prove possession of it. OpenSSL prompts for that information. The CN (Common Name) should be the fully qualified domain name (including the subdomain) of the server where the SSL certificate will eventually be installed. Note that browsers (since 2017) and most TLS libraries match the host name against the subjectAltName (SAN) extension and ignore the CN, so the CSR should request the same name in a SAN as well (OpenSSL 1.1.1 and later accept -addext for this); a certificate that carries only a CN is rejected by such clients.

The CSR file is submitted to an SSL certificate issuer, a CA (Certificate Authority). The private key must NOT be shared with the CA (or anyone else); the CSR contains only the public key. The CA independently verifies the information in the CSR (for a public CA, primarily that the requester controls the domain) and issues a digitally signed SSL certificate.


1.3. Alternatively the certificate can be 'self-signed', that is, signed with the CSR's own private key instead of by a CA. Self-signed certificates are NOT recommended in a production environment: no third party vouches for them, so every client has to be given the exact certificate in advance, and a browser that encounters one displays a warning. For development, or for a mutual SSL setup in which each side's truststore holds the other side's certificate explicitly (section 3), they are workable. The following command self-signs a CSR with a validity of 365 days; note that x509 -req does not copy extensions such as a SAN from the CSR unless they are supplied again with -extfile.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

1.4. Check the encoding of the SSL certificate file before transmitting it to the client

The file extension (.crt, .cer, .pem) says nothing about the encoding. A certificate is stored either as PEM, Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (the name comes from Privacy Enhanced Mail, the e-mail standard the encoding was designed for), or as DER, the raw binary form. Certificates issued by a CA, and the one produced by openssl x509 in the previous step, are already PEM, so the command below does not change the content; it writes the same PEM text under a .pem name. That can still be useful, because some e-mail providers block .crt/.cer attachments, and PEM text can also be pasted into a message body. The encoding is a convenience, not a protection: a certificate is public, and e-mail gives no integrity guarantee, so the receiver should compare the certificate's SHA-256 fingerprint with the sender over a separate channel before importing it into a truststore. (Converting to the binary DER form is shown in step 3.1.)

openssl x509 -in server.crt -out server.pem -outform PEM

2. Steps to install the signed SSL certificate in the keystore.

[The steps below (2.1 through 2.3) outline the process of installing the server SSL certificate and private key in the server's keystore. The same steps, with the file names and aliases changed, install the client SSL certificate and private key in the client's keystore. A keystore holds an application's own identity (certificate plus private key), which is why it is password protected; the certificates of other parties go into the truststore (section 3).]

2.1: Concatenate the server SSL certificate (.pem) and the server private key (.key) into one PEM file

cat server.pem server.key > server.fullchain.pem

The file name notwithstanding, this is only a full chain when the certificate is self-signed. If a CA issued the certificate through one or more intermediate CAs, append the intermediate certificate(s) to this file as well, so that the keystore entry (and therefore the server) can send the whole chain to clients.

2.2: Generate the PKCS12 keystore with an alias for the server entry

openssl pkcs12 -export -in server.fullchain.pem -out server.fullchain.p12 -name server-cert -noiter -nomaciter

This command first prompts for the server.key passphrase; enter the passphrase specified in step 1.1. Next it prompts for the export password, which protects the new .p12 file; remember it, it is required in the next step (2.3). The -name value (server-cert) is the alias under which the entry is stored and must be given again as -srcalias in step 2.3. The -noiter and -nomaciter options switch off the iteration counts of the key derivation for the encryption and for the MAC; they exist only for compatibility with very old Java versions and make the export password much cheaper to brute-force, so leave them out unless an old keytool refuses the file.

2.3 Convert the .p12 file to the .jks keystore format.

keytool -importkeystore -srckeystore server.fullchain.p12 -srcstoretype pkcs12 -srcalias server-cert -srcstorepass <export_password_specified_in_step_2.2> -destkeystore mykeystore.jks -deststoretype jks -deststorepass mykeystorepass -destalias server-cert -destkeypass keypass

On the client the same command is run with client.fullchain.p12 and the alias chosen for the client entry. Two passwords are set here and both are needed later: the store password (mykeystorepass) opens the keystore and the key password (keypass) unlocks the private key inside it; they are referenced by the server properties in section 4 and by the client code in section 5. Recent keytool versions warn that JKS is a proprietary format; PKCS12 has been Java's default keystore type since Java 9, and since Spring Boot accepts key-store-type=PKCS12, the .p12 file from step 2.2 can be used as the keystore directly and this conversion skipped.

3. Steps to install the peer's SSL certificate in the truststore.

[The truststore holds the certificates an application trusts, so it contains the other side's certificate: the client's truststore gets the server certificate, and for mutual SSL the server's truststore gets the client certificate. When the certificates are issued by a CA, import the CA certificate instead of the leaf; the peer is then accepted as long as its certificate chains to that CA. Be deliberate about which CA that is: importing a public CA into the server's truststore would let any of that CA's customers authenticate as a client, so client certificates should come from a private CA or be imported individually as in 3.2.]

3.1. Convert the SSL certificate from PEM to the binary DER encoding

openssl x509 -outform der -in server.pem -out server.crt

keytool accepts both PEM and DER input, so this conversion is optional; it is shown because the DER form is what some other tools expect.

3.2. Import the server SSL certificate into the client's truststore

keytool -import -alias servercert -file server.crt -keypass serverkeypass -keystore mytruststore.jks -storepass mytruststorepass

keytool displays the certificate and asks for confirmation before adding it as a trusted certificate entry; compare the fingerprint it prints with the one the server administrator communicated. The -keypass option has no effect on a trusted certificate entry, which contains no private key, and can be dropped (-import is the older spelling of -importcert). The same command, run with the client certificate and a different alias, fills the server's truststore.
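Sections 1 to 3 as one runnable script, added here as an example and not part of the original post. It goes a step beyond the self-signed setup: a private development CA signs both the server and the client certificate, each certificate gets a subjectAltName and the extended key usage for its role, the keystores are built straight from certificate and key with openssl pkcs12 (no cat step, and without -noiter/-nomaciter), and the truststore on each side is the CA certificate. It then checks the result the way a server with client-auth=need would: openssl s_server -Verify accepts the client that presents its certificate and refuses the one that presents none. The CA name "Demo Dev CA", the host name localhost, the client name demo-client, the file names and the password changeit are assumptions for the demo; keytool is not used because a PKCS#12 file can be referenced directly with key-store-type=PKCS12 in section 4. OpenSSL 1.1.1 or newer is required for -addext.

```shell
#!/bin/sh
# Added example (not from the original post): private dev CA, server and client
# certificates with SAN + EKU, PKCS#12 keystores, PEM truststore, and a mutual-TLS
# handshake check with s_server -Verify. "Demo Dev CA", localhost, demo-client and
# the password "changeit" are assumptions. Needs OpenSSL 1.1.1+ (-addext). Keys are
# written unencrypted (-nodes) so the script runs unattended; keep the post's
# passphrase (-des3 or -aes256) for keys that stay on disk.
set -eu
PASS=changeit   # PKCS#12 export password (demo value)

# sign_cert DIR NAME EXTENSIONS: sign NAME.csr with the CA. "x509 -req" ignores the
# extensions inside a CSR, so SAN, EKU and keyUsage are supplied via -extfile.
sign_cert() {
  printf '%b\n' "$3" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# make_pki DIR: keys, CSRs, certificates, keystores and truststore for both sides.
make_pki() {
  dir=$1
  # steps 1.1-1.3 for the CA: key + CSR, then self-sign with the extensions a root needs
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -subj "/CN=Demo Dev CA" \
    -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # server: modern clients match the SAN, not the CN, so the CSR requests it (step 1.2)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" -out "$dir/server.csr" 2>/dev/null
  sign_cert "$dir" server 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\nbasicConstraints=CA:FALSE'
  # client: same procedure with the clientAuth EKU; the server identifies the caller by it
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/client.key" -subj "/CN=demo-client" \
    -out "$dir/client.csr" 2>/dev/null
  sign_cert "$dir" client 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\nbasicConstraints=CA:FALSE'
  # steps 1.4/3.1: same certificate, two encodings (the fingerprint check below proves it)
  openssl x509 -in "$dir/server.crt" -outform DER -out "$dir/server.der"
  # section 2: keystore = own cert + key (+ CA) in one PKCS#12; -inkey replaces the cat
  # step, and -noiter/-nomaciter are left out because they weaken the password protection
  for n in server client; do
    openssl pkcs12 -export -in "$dir/$n.crt" -inkey "$dir/$n.key" -certfile "$dir/ca.crt" \
      -name "$n-cert" -passout "pass:$PASS" -out "$dir/$n.p12"
  done
  # section 3: each side trusts the CA that signed the peer, not the peer's leaf certificate
  cp "$dir/ca.crt" "$dir/truststore.pem"
}

# verify_chain DIR: both leaf certs chain to the CA for their purpose, and the client
# cert is rejected as a server cert (EKU mismatch), which is why the EKUs are set above.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/server.crt" >/dev/null &&
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" >/dev/null &&
  ! openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/client.crt" >/dev/null 2>&1
}

# fingerprint FILE FORM: SHA-256 fingerprint of a PEM or DER encoded certificate
fingerprint() {
  openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# p12_cert_count FILE: number of certificates inside the keystore (leaf + CA = 2)
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# mtls_check DIR PORT MODE: s_server -Verify requires a client certificate (what
# server.ssl.client-auth=need does); MODE=client presents one, MODE=none does not.
# Returns 0 only if the server completed the handshake and answered the HTTP request.
mtls_check() {
  dir=$1; port=$2; mode=$3
  openssl s_server -accept "127.0.0.1:$port" -cert "$dir/server.crt" -key "$dir/server.key" \
    -CAfile "$dir/ca.crt" -Verify 2 -www > "$dir/server.log" 2>&1 &
  spid=$!
  i=0
  while [ "$i" -lt 50 ] && ! grep -q ACCEPT "$dir/server.log"; do sleep 0.2; i=$((i+1)); done
  # the client checks the server cert against the CA and the host name against the SAN
  set -- -connect "127.0.0.1:$port" -CAfile "$dir/ca.crt" -verify_hostname localhost -verify_return_error
  if [ "$mode" = client ]; then set -- "$@" -cert "$dir/client.crt" -key "$dir/client.key"; fi
  # keep stdin open for a second so the response arrives before s_client sees EOF
  { printf 'GET / HTTP/1.0\r\n\r\n'; sleep 1; } | openssl s_client "$@" > "$dir/$mode.log" 2>&1 || true
  kill "$spid" 2>/dev/null || true; wait "$spid" 2>/dev/null || true
  grep -q 'HTTP/1.0 200 ok' "$dir/$mode.log"
}

main() {
  dir=$(mktemp -d); port=$((20000 + $$ % 10000))
  make_pki "$dir"
  verify_chain "$dir"
  echo "chain OK; server.p12 holds $(p12_cert_count "$dir/server.p12") certificates"
  echo "PEM/DER fingerprints: $(fingerprint "$dir/server.crt" PEM) / $(fingerprint "$dir/server.der" DER)"
  if mtls_check "$dir" "$port" client; then echo "client with certificate: accepted"; fi
  if mtls_check "$dir" "$port" none; then echo "client without certificate: ACCEPTED (wrong)"; else echo "client without certificate: rejected"; fi
  echo "artifacts in $dir (s_client transcripts in client.log and none.log)"
}
main
```

Run it with sh; it prints the temporary directory holding the artifacts. server.p12 and client.p12 can be referenced from Spring with key-store-type=PKCS12, truststore.pem can be imported with keytool -importcert as in step 3.2, and client.log shows the successful client-side view of the handshake ("Verify return code: 0 (ok)") while none.log shows the alert the server sends when no certificate is presented.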

4. Configuration on the server application (Spring Boot application)

The following application.properties entries make the embedded server listen on HTTPS, present the certificate from the keystore built in section 2, and require a client certificate that chains to an entry in the truststore built in section 3:

security.require-ssl=true
server.ssl.key-store-type=JKS
server.ssl.key-store=classpath:serverkeystore/mykeystore.jks
server.ssl.key-store-password=<password>
server.ssl.key-password=<key password chosen with -destkeypass in step 2.3>
server.ssl.client-auth=need
server.ssl.trust-store=classpath:serverkeystore/mytruststore.jks
server.ssl.trust-store-password=<password>

server.ssl.key-password is needed whenever the key password differs from the keystore password, as it does after step 2.3 (keypass versus mykeystorepass); without it the server cannot read its own private key at startup. client-auth=need rejects every connection that does not present a certificate chaining to the truststore, whereas client-auth=want makes the certificate optional and leaves the decision to application code. security.require-ssl exists only in Spring Boot 1.x (it was removed in 2.0) and only makes Spring Security insist on HTTPS for every request; the server.ssl settings above are independent of it. Packaging the keystore, with the server's private key inside, on the classpath puts that key into every copy of the jar; for anything beyond a test setup reference both stores with file: paths and inject the passwords from the environment or a secrets store rather than committing them.

5. Configuration on the client application (Spring Boot application)

The client builds an SSLContext from its own keystore (section 2) and its truststore (section 3) and hands it to the Apache HttpClient behind a RestTemplate, so every request made through that RestTemplate presents the client certificate and accepts only a server certificate that chains to the truststore:

import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.util.ResourceUtils;
import org.springframework.web.client.RestTemplate;

@Configuration
public class MutualSslClientConfig {

    @Bean
    public RestTemplate restTemplate() throws GeneralSecurityException, IOException {
        // Key material: the client's own certificate and private key from step 2.3.
        // Second argument is the keystore password, third the key password (-destkeypass).
        File keyStore = ResourceUtils.getFile("classpath:mykeystore.jks");
        // Trust material: the server certificate (or its CA) imported in step 3.2.
        File trustStore = ResourceUtils.getFile("classpath:mytruststore.jks");
        SSLContext sslContext = SSLContextBuilder.create()
                .loadKeyMaterial(keyStore, "mykeystorepass".toCharArray(), "keypass".toCharArray())
                .loadTrustMaterial(trustStore, "mytruststorepass".toCharArray())
                .build();
        // The custom context replaces the JVM default (cacerts) for this client only;
        // host name verification against the server certificate stays enabled.
        HttpClient client = HttpClients.custom().setSSLContext(sslContext).build();
        HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(client);
        return new RestTemplate(requestFactory);
    }
}

Calling the server from a bean that has the RestTemplate injected (a plain GET with no body, so no content type header is needed; HttpEntity, HttpHeaders, HttpMethod and ResponseEntity come from org.springframework.http):

String url = "https://<machine-name>:9092/rest/user/userprofile";
HttpEntity<String> request = new HttpEntity<>(new HttpHeaders());
ResponseEntity<String> resp = restTemplate.exchange(url, HttpMethod.GET, request, String.class);
System.out.println("Response: " + resp.getBody());

Apache HttpClient checks that the host name in the URL matches the server certificate's SAN (or CN), so <machine-name> must be the name the server certificate was issued for, not an IP address or alias that is absent from it. ResourceUtils.getFile("classpath:...") only works while the keystore is a real file on disk (for example when running from the IDE or an exploded directory); packaged inside a jar it throws FileNotFoundException, and in any case the client's private key is better loaded from a path outside the artifact.
praveen-naik

Java Developer Lead