In this article we secure our Spring Boot application with HTTPS. First we become briefly familiar with TLS/SSL. Then we see how to generate a self-signed certificate and secure a simple Spring Boot application with it. We call this project Spring Boot HTTPS Seed and you can grab the code from my GitHub.
Remark!
Self-signed certificates are just for development and testing purposes. For your application, you need a valid, legitimate certificate. You can read my other post about Let’s Encrypt to see how you can easily get one for free.
HTTPS Overview
In a nutshell, HTTPS aims at securing and encrypting the data connection of the HTTP protocol using Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL). The protocol ensures data integrity and data confidentiality.
Data integrity prevents third parties from tampering with the data packets on the secured channel. In other words, no one can manipulate the data on its way to either endpoint. Through confidentiality, it also ensures the identity of both endpoints: source and destination.
A secure channel is typically a bi-directional encrypted communication using a symmetric encryption algorithm (e.g. AES). HTTPS basically has two main processes: the handshake and the secure communication.
In the handshake (which happens just before a session is created), both parties negotiate the encryption algorithm and, most importantly, a session key (also called the master key). The session key is the secret key used to encrypt the secure channel for the duration of the session.
The web server owns a key pair: a public key and a private key. The public key is used to encrypt data and the private key to decrypt it. In addition, the private key is used to sign a piece of data and the public key to verify the signature.
Web servers ask trusted certificate authorities (CAs) to issue a certificate based on their public keys. The CA (or a chain of CAs) then issues a certificate signed with its own key. Web servers present this certificate during the handshake, before the main secure session is initiated. Since the trusted CAs are known to users (e.g. shipped with browsers), they can verify the identity and correctness of the web server by checking the certificate and the signature of its issuer.
HTTPS Setup
Self-signed Certificate
For development purposes, developers tend to use self-signed certificates, as they can be produced on a local computer without any CA involved (CAs usually do not work for free). These certificates are inappropriate for a production setup and can simply be replaced by a valid certificate issued by a trusted CA. In other words, when you deploy HTTPS using these certificates, browsers won’t be happy and will show you a scary warning page.
We can use several tools, such as OpenSSL or keytool, to generate a self-signed certificate. This is how we generate a key store (key bag) with keytool:
$ keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 4000
As you can see, we store the keys in PKCS #12 format, which is a container for items such as private keys and public key certificates. We can look inside the generated keystore (keystore.p12) with OpenSSL. The "PKCS7 Data" and "PKCS7 Encrypted data" lines in the output below are not a different file format: a PKCS #12 file carries its key and certificate bags inside PKCS #7 ContentInfo wrappers, which is what OpenSSL is labelling here.
$ openssl pkcs12 -info -in keystore.p12
Enter Import Password:
MAC Iteration 1024
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Bag Attributes
    friendlyName: tomcat
    localKeyID: 54 69 6D 65 20 31 34 35 33 35 39 33 31 30 39 39 39 31
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,06FA0016D40E6AED

3UHly2DhgoH2VS7fDsyKTDi6+WvJhP2yT4/sKHMyzDfiwTmMr4ToZWIw86LzvpDT
SyGbpm1ZqowTUrg/c9VxQwEBK22KfxS9VCp6X0fo+GyvPgPg/GSVpwh5JE0zLqX/
nlr7ExRUBFlS+R87URdWIrYsb5OTSuXAkKFHJ7LiIRyaw/j2LOUFpt8dG1lvyzq1
QHbOxNPsi8K526RerWadY4orXV94qccC31XarAcJ32u89u7V7kpJs7WGR0NfkKGc
Hsxl3AfB14tiaV4+j9reXxmu55XZ9XZkyS3+gbiaYFySDBjYHp/hh/xhXcvt3G8L
IUNKmK651LQZs/aNLUEi/H5YU0FDgkUajl4Q2tkR5aUwuis974GPiRLdbCG8Dojh
NpJAXJw7Bg+EyEY2Y1P2jU6YmvHHYOOLD8FE1PpJ51QLB189L7Z/xuoxHZ/zW7UH
xjcBWzxYEXhgHPz3xVq0DquGGgauAoQ2W0uqgcY0UgWUke35S6hAcgHik+kW9RzK
uIXTg87ZtCBtMR465OpKr7paKf3j85wRdKH9Z1LRmNgCsF1LuvgrZLX2hTlkLEOc
dwSXUlSvtSfedl/OOPFjpff7cLohBBaCuxExD2fNY09Gsl4S4dlpyzE0iBz1By6A
F6qi884AP4ljYjv11WKQM+l0mBDoGxTTn2yky1AP8NMdeBR4dJbrDIwji4Kk+BWP
nR7t0fh++kbuT/zySGnkgNmGUfpT3CnxuSb/N5dicwDlZTQp0euM7dTJq9SnGk8b
DiqFE4zPlejZg4Cu+725T2gFV2WukcbSZ+N6065t14ga0uQwK3RNQuDFkSgtZsvP
Pwj5PBrwOtU6epu/WqxYJvZYu8/XqfXsq9UIsKUkY0IAoXCn4H8ymrgh+MVAj4RH
u0u8fcRZUK3GOzFE2ei43fEUvoHkBEgUC9TDuW4Z1+q29sEfyA8mCs5cXNshzUqQ
ztRrw1MpFE8A+NIdQrdF0kRyTcwv0YLpUhf3IzqhOvZ+4g9CqxZCcarkzxH+if7z
i2dDS+IrgejKqcXu1pJKBPJ4770cJIleMlJuNAFmcjNtXqMHr2uRKWuixH57zr85
qFvAj2XzWVn9c5SkETaChfWMo7GLEii3Xh8H7HjscYbMcQGixRgkCazlfsUk6MVn
ZB04U0Yw/qCOF5OBRLg9/YWwjKgV1L18WS53+JrdXuCRxlEHYGt5bMC0A7hu3N3G
W87vnY9/GtCvxqLAw/emJ+SZJgvpQuQhMSPWxhDsM1YZXHKVccdXZU8aH/8Lwr5o
XvMcXPpritWLNJOWVF4DvXefNj/PCjEGydWE0HNjoAJlbPdI3mPilvpFQjPvShCV
xnWsITxp5N1hKIhrLOn306Cj32Q57xdDSMI3gJwN9RykFV2BAgY5KfuDcoJGCOJe
wjwK8Ts9QK+GQgrSaAizY5N1LtdWroZ4chq2sTq/pKgiqko7HSo3QtYbsP1zwoQF
gooo1u3f0cbPsfBnhU6Rrs82WDdz0nGLcze6fNX69hFebSBMXm8Udey+KiKNYh2A
dnLKjDksdsgaorF2kosqNhqZKb6t6L74EErvKua5DXWsNMGmYrUbzcQQk/zihtSk
-----END RSA PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes
    friendlyName: tomcat
    localKeyID: 54 69 6D 65 20 31 34 35 33 35 39 33 31 30 39 39 39 31
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEbfO60TANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdV
bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYD
VQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3du
MB4XDTE2MDEyMzIzNTE0OVoXDTI2MDEyMDIzNTE0OVowbDEQMA4GA1UEBhMHVW5r
bm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UE
ChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93bjCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMtd26aQ5EMZJjq7AxOV41nM
IC+NeQt543edNJsmTJrE+HvTSP/ZgNfr1ZuXOZYjR+UimdhLy5qo8wppAaNnp08L
uo5GOk41gaK3bq/bWs+gaKoBs+mixsprXpcCdSU/AVA1efXHEUnBBemLiJJW92FY
xpzfvP1U5NBd5+Y57lsye6tFy0HOuqv5yl4ncbt+OtGjfa0ilm5dTKrHpWB5JCWD
p4WGcb9IcRpYDeJSKGljhdB3lW2N79CR+Q3+C6f9M5pIb0RWofQkjMmRbQsX9zGM
OIEYXmB/KbPstiOVoslVJG1ScHTc0A7raCavKaMx4SlSOgv2x/ioD0h4nihlngsC
AwEAAaMhMB8wHQYDVR0OBBYEFMqvMGiiaOOo8vsO6pqpCoCoSd7GMA0GCSqGSIb3
DQEBCwUAA4IBAQC0Mo4rm4f10wKLRusR8fUybyWtWH4WLCq0Sb6qy2WVcKBG89PV
Nw3U4NKku4mZFXBFfBkgjzzSsE1tp1VGJcrH/smahchN/uk4b7+MAxuaPaHII1Fo
dsOqNIlhmUmx0NQUgtM+Nrxp70IWEQMFmd2yleKIdoIVAANTP9M3R4a3OoMRCteH
nC5wlGYExe71sWbmey8uGnW5mJJIvcU+uzis42xAwOAdZE0zMfsYafDP820GBXCX
PcF3dJcQQamBvbpa9feeoc1e0IoHNxN17Cwxt+FBwOloN9562BGegL1t6+TpSJoH
jWtoojrfYdasTCGefwQl8YMl21sVKKJGbESW
-----END CERTIFICATE-----
Spring Boot application
We can use the hello world example from the Spring documentation for this purpose, or any other Spring Boot application. You can find our example here.
How to set up HTTPS in a Spring Boot application
Copy the generated keystore.p12 to the root of the application, or to any folder you prefer on your operating system. Then open the “application.properties” file of your Spring Boot application (located in the ‘resources’ folder) and add the following:
server.port: 8443
server.ssl.key-store: keystore.p12
server.ssl.key-store-password: 123456
server.ssl.key-store-type: PKCS12
server.ssl.key-alias: tomcat
Now, if you restart your Spring Boot application, you can access “https://127.0.0.1:8443/hello”. As simple as that!
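To see concretely what the self-signed certificate above does and does not buy you, here is an added Go example (it is not code from the original post or from the Spring Boot HTTPS Seed project): it builds a certificate that signs itself, as keytool -genkey did, serves /hello from a loopback TLS server with it, and connects twice, once trusting only the system CA store as a browser does, which fails the handshake, and once with the certificate itself added to the trust store, which succeeds. The hostname "localhost" and the 24-hour validity are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned builds a certificate that signs itself (issuer == subject), like keytool -genkey above.
func selfSigned() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not something this demo can recover from
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"}, // constructed development name
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// getHello requests /hello from a loopback TLS server presenting srv and returns the HTTP
// status; roots == nil means the client trusts only the system CA store, as a browser does.
func getHello(srv tls.Certificate, roots *x509.CertPool) (int, error) {
	hello := func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("Hello, World!")) }
	s := httptest.NewUnstartedServer(http.HandlerFunc(hello))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{srv}} // StartTLS keeps a preset cert
	s.StartTLS()
	defer s.Close()
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: "localhost"}}
	resp, err := (&http.Client{Transport: tr}).Get(s.URL + "/hello")
	if err != nil {
		return 0, err // "x509: certificate signed by unknown authority" unless roots holds the cert
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

The second connection is exactly what you do by hand when you click through the browser warning or import the certificate into a trust store; nothing about the certificate itself changes, only who vouches for it.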
To sum up what we have done so far: we became briefly familiar with the TLS and HTTPS protocols, generated a self-signed certificate for development purposes, and then modified the Spring Boot hello world example into an HTTPS-secured application that can serve as a seed project for your own projects.
Our story is not over yet. Configuring a Tomcat server to support HTTPS and having an encrypted channel does not necessarily make your application secure. There is a set of tools (a summary of them) to assess your TLS configuration. In upcoming articles we will look at fine-tuning the Spring Boot and Tomcat configuration to get an A+ grade from assessment tools in general and SSL Labs in particular.
In addition, we may take a look at the new public CA called Let’s Encrypt, which aims to offer its services free, automated and open to everyone in order to bring HTTPS to the whole web.
Update: If you want to know about certificate generation by Let’s Encrypt and how to integrate it with Spring Boot, read my new article: Spring Boot Application Secured by Let’s Encrypt Certificate.
Really good article. Looking forward to reading how to configure HTTPS for Spring Boot using Let’s Encrypt, especially under an AWS EC2 scenario!
Pedro, thanks for your interest in this article. I finally wrote something about Let’s Encrypt and Spring Boot. You can read it here: https://www.heydari.be/spring-boot-application-secured-by-a-lets-encrypt-certificate/
Hi,
it’s written PKCS7 in one place and PKCS12 in another.
Is that normal?
Nice catch! I didn’t see it before. I don’t have deep knowledge of the internals of OpenSSL. Generally it works correctly with Spring as well as OpenSSL. I even have a valid certificate (Let’s Encrypt) and it works nicely (https://Seeld.eu).
I am also curious to know why, so I may create a StackOverflow question.
Hi… Great article… thank you…
The browser does not trust the self-signed certificate, so how does “https://127.0.0.1:8443/hello” work?
Can you elaborate how the handshake process is happening in Spring Boot, as we don’t know the certificate of the client?