Tags: spring, tomcat, ssl, spring-boot, https

Adding .crt to Spring Boot to enable SSL


I have never done this before, and most of the tutorials do not mention how to deal with .crt files.

I bought an SSL certificate from GoDaddy, and selected Tomcat as a platform when downloading it. The zip file contained 3 files:

dea08asdjakjawl.crt  
gd_bundle-g1-g1.crt  
gdig.crt.pem  

I have a running Spring Boot application (on port 80 with an embedded Tomcat) on a CentOS7 server. (Server is running on Digital Ocean, it has an assigned domain, and works with simple http)

I would like to switch it to https://something.com

All the tutorials suggest that I must have a .jks or a .p12 file for that, but I wasn't able to convert the .crt files to that. Besides, I am not sure which of the 2 .crt files is the one I should convert to .jks/.p12.

I have added this to my application.yaml, but it didn't help:

server:    
  port: 443  
  ssl:  
    enabled: true  
    key-alias: server  
    key-store: "cert.crt"  
    key-store-password: "***"  

How can I change my running Spring Boot project to accept HTTPS queries using this certificate?


Solution

  • So the correct procedure was the following:

    I had to recreate the CSR from scratch, using a Java Key Store instead.

    keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048
    

    Then a new CSR:

    keytool -certreq -alias mydomain -keystore KeyStore.jks -file mydomain.csr
    

    That had to be resent to the cert provider to generate a new .cer file. So they sent me back the mentioned 2 .cer files, the "bundle" one was the intermediate .cer, which I needed to add like this:

    keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks
    

    Then the actual "long-named" .cer file like this:

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore KeyStore.jks
    

    Then this is something which can be converted to p12 like this:

    keytool -importkeystore -srckeystore <MY_KEYSTORE.jks> -destkeystore <MY_FILE.p12> -srcstoretype JKS -deststoretype PKCS12 -deststorepass <PASSWORD_PKCS12> -srcalias <ALIAS_SRC> -destalias <ALIAS_DEST>
    

    Finally the application.properties needed extra lines and became something like this:

    server.port=443
    server.ssl.enabled=true
    security.require-ssl=true
    server.ssl.key-store=keystore.p12
    server.ssl.key-store-password=password
    server.ssl.key-alias=domain
    server.ssl.key-password=password
    

    And it is finally working.
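The part the question is missing is the private key: a .crt is only the public half, so no conversion of the two GoDaddy files alone can ever yield a keystore Tomcat can serve TLS with. The answer above solves that by regenerating the key pair in a JKS and re-issuing the CSR with keytool. The script below is an added example, not code from the question or the answer, showing the same procedure with openssl only and ending in the PKCS12 that Spring Boot reads directly: key pair and CSR, the CA's signature, a chain check, then `openssl pkcs12 -export` with the leaf and the intermediate bundle. To run offline, a throwaway root and intermediate CA built in step 2 stand in for GoDaddy; against the real CA you would send `server.csr` and drop the returned long-named .crt in as `server.crt` and `gd_bundle-g1-g1.crt` in as `inter.crt`. The file names, the alias `server`, the password `changeit` and the scratch-directory argument are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): build the PKCS12
# keystore Spring Boot needs, using openssl only. The root + intermediate CA
# created in step 2 is a stand-in for GoDaddy so the script runs offline.
set -eu

# Runs in a subshell so the cd does not leak into the caller.
# Usage: build_keystore <scratch-dir> <domain>   (both names are assumptions)
build_keystore() (
    work=$1
    domain=$2
    mkdir -p "$work"
    cd "$work"

    # 1. Server key pair and CSR. Only the CSR goes to the CA; the key stays
    #    here, and it is this key that a downloaded .crt can never replace.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
        -out server.csr -subj "/CN=$domain" 2>/dev/null

    # 2. Stand-in CA hierarchy: self-signed root, then an intermediate signed
    #    by it. The "bundle" file from a commercial CA is this middle layer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out inter.crt 2>/dev/null

    # 3. The intermediate signs the server CSR; this is the leaf .crt the CA
    #    sends back. SAN is what browsers match the host name against.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$domain" > server.ext
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 1 -extfile server.ext -out server.crt 2>/dev/null

    # 4. Before packaging, prove the leaf chains to the root through the
    #    intermediate. A wrong or missing bundle fails here, not in production.
    openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null

    # 5. Key + leaf + intermediate become one PKCS12 entry under the alias that
    #    server.ssl.key-alias will name. The root is left out on purpose:
    #    clients already trust it, so sending it only adds bytes to the handshake.
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile inter.crt \
        -name server -out keystore.p12 -passout pass:changeit

    # 6. Report how many certificates the keystore carries (expect 2: leaf
    #    and intermediate). A count of 1 means the bundle was not included.
    openssl pkcs12 -in keystore.p12 -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
)
```

The resulting `keystore.p12` is what `server.ssl.key-store` should point at; add `server.ssl.key-store-type=PKCS12` and set `server.ssl.key-alias` to the `-name` used in step 5. Prefer `server.ssl.key-store-password=${KEYSTORE_PASSWORD}` with the value supplied through the environment over a plaintext password in application.properties, and keep `server.key` readable by the application user only. Note that `security.require-ssl` in the answer's properties is a Spring Boot 1.x setting that later Spring Boot releases ignore; an HTTP-to-HTTPS redirect has to be configured separately. If an older JDK refuses to open a PKCS12 written by OpenSSL 3 (whose default encryption parameters changed), re-export with OpenSSL's `-legacy` switch or re-wrap the file once with `keytool -importkeystore`.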