Overview:

There are many Spring Boot security features that leverage the java.Security.KeyStore class, which is a management and storage facility for cryptographic keys and certificates. Two specific SpringBoot areas that use the KeyStore are Spring’s OAuth and embedded Tomcat packages and services:

  • org.springframework.security.oauth.* for SSL/TLS token key generation and validation
  • org.springframework.web.* embedded tomcat SSL/TLS communications, and others

Also, another external system that you may have encountered that relies on the Java KeyStore is ActiveMQ, as it is also a java service with heavy ties to the Spring Framework. For small dev environment stacks, an ActiveMQ message broker instance may ride along side your SpringBoot services, and they can all utilize the same “KeyStore” cryptography and certificate resources.

In many environments, a single (or many) “wildcard” certificate(s) may be issued by the organization to cover many sub-domains in one or many servers/virtual-machines and unify certificate management in the enterprise. For example db.mydomain.local and web01.mydomain.local are different sub-domains (under the same domain name) that can be covered by the same wildcard certificate. These certificates are commonly referred to as “star-certificates” or “star-certs” for short.  Wildcard certificates may also be deployed on groups of production virtual machines for the same reasons.

Another popular variation of the standard wildcard certificate are “Unified Communications Certificates (UCC)” or “Subject Alternate Names (SANs)” certificates  that can be applied to several dissimilar domain names. For example, www.domain1.com, www.domain2.com and www.domain2.net may be covered by the same UCC/SANs certificate.

Both wildcard and UCC/SANs certificates differ from singular certificates in that there is an associated “bundle trust” certificate file, typically named something similar to xxx-bundle.crt, that works in concert with the traditional internal private “.key” and public key “.crt” certificate files.

This article will describe how to leverage this same “star-cert” or UCC/SANs certificate to generate a Java KeyStore that can be used by your Java-Spring Framework stack. Yes, there are plenty of KeyStore articles … but this one focuses on generating it with the wild-card certificate key file collection and respective command parameters.

Prerequisites:

  • basic Linux admin command knowledge
  • You have privileges to access all files for the wild-card certificate (private key, public key crt, and the bundle files)
  • openssl is installed, this can be verified by typing openssl at the console.
  • Java is installed
  • A little bit of patience with the lengthy openssl commands
  • See disclaimer

Procedure:

    1. Create an ssl directory under your deployed spring boot java jar files
      (e.g. /opt/springboot/keystore )
    2. Copy the three (or more) certificate files to your new workling keystore directory.
      > You could store the myserver.key in another sub directory called private.
      > You could also symlink a directory to the existing key file locations to simplify mantenance in the future.
    3. At this point you have the paths to three certificate files. We will use the following example names:
      > myprivate.key
      > mypublic.crt
      > mybundle.crt
    4. Use openssl to export a bundled PKCS12 “springboot.pkcs12” file (arbitrary bundle file name) using the three certificate files, and give it an alias entry point name of “tomcat”. The PKCS12 seems to be the compatible key store method for spring boot.
      NOTE: The alias entry point name is also needed for setting up the spring boot application SSL configuration within the SpringBoot config/application.properties file (discussed in other articles). You will be prompted for a password after the following command; this will be required later too, so get ready:
      cd /opt/springboot/ssl
      openssl pkcs12 -export -out springboot.pkcs12 -inkey myprivate.key -in mypublic.crt -certfile mybundle.crt -name tomcat
    5. Use the java keytool utility to create a new “springboot.ks” key store (app-specific key store file name) seeded with the PKCS12 file we just created. If needed, you can also add new certificates later to this key store.You will be prompted for a password from the certificate export above, and a new password to use for the key store.
      cd /opt/springboot/ssl
      keytool -v -importkeystore -srckeystore springboot.pkcs12 -srcstoretype PKCS12 -destkeystore springboot.ks -deststoretype PKCS12
      

      At this point you should have your Java PKCS12 KeyStore created and ready.

    6. Using the KeyStore in SpringBoot application.properties

      Bringing it all together … SpringBoot will look for run-time application.properties file and other configuration files in the /config sub-directory under the SpringBoot executable jar file. If we adjust the SSL section of this /config/application.properties file accordingly with our new key store information, tomcat will publish on 443 with SSL/TLS certificate encryption based on your wildcard certificate.

      server.port=9001
       
      #------------------Tomcat SSL Properties------------------
      server.ssl.key-store=ssl/springboot.ks
      server.ssl.key-store-password=ITCERTPASSWORD
      server.ssl.key-store-type=PKCS12
      server.ssl.key-alias=tomcat
      server.ssl.enabled=true

       

      Yes, the openssl and keytool commands can seem a bit obscure and temperamental. I hope this relieves someone of the headache of research it took me. Thanks, and please like and link.  paulsDevBlog.End();