I have some questions about ssl in spring boot.
I have files certifications and private key with extension .crt and .key. how can I get from them right format for settings in spring boot like this
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=password
server.ssl.key-alias=tomcat
To convert a certificate file and private key to PKCS#12(.p12) format, use the below command:
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Please go through the below links for your reference on dealing with https in spring boot.
Enable HTTPS in Spring Boot
Configure HTTP to HTTPS Redirection in Spring Boot
I found solution. I got keystore use this comand:
openssl pkcs12 -export -in <mycert.crt> -inkey <mykey.key> -out keystore.p12 -name <alias>
And added keystore into application.properies
#ssl
server.port=8443
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
**server.ssl.key-store=keystore/keystore.p12**
server.ssl.key-store-password=password
server.ssl.key-alias=alias
It is correct config. When I use classpath:keystore.p12 it did not work. Maybe it cause that I work with spring boot 2. Then I created external folder and put inside keystore. Now it is working.
An alternative: if you don't have (or don't like?) OpenSSL, https://keystore-explorer.org/ (unlike keytool) can read privatekey+certs into any type of Java keystore (PKCS12, JCEKS, JKS, and more, but PKCS12 is usually best) with the "Import Key Pair" icon or menu item.
Related
How can I set system.properties of JMeter for mutual authentication? I have to set trustore and keystore but I have 3 pem file: ca.pem , cert.pem , privkey.pem. Is there a way to easily convert pem file in jks?
You can convert your PEM certificates into a .p12 keystore using OpenSSL tool like:
openssl pkcs12 -export -out jmeterkeystore.p12 -inkey privkey.pem -in cert.pem -CAfile ca.pem
Once done you can point JMeter to use the generated jmeterkeystore.p12 by adding the next lines to JMeter's system.properties file:
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/your/jmeterkeystore.p12
javax.net.ssl.keyStorePassword=your_keystore_password_here
Once you do this and restart JMeter you will be able to access the endpoints which require client certificates.
Another way to convert PEM files into a .JKS or .P12 keystore is using a GUI-based tool like KeyStore Explorer
I am new to JMeter, just started. I have a secure application and I downloaded the .pem file. I am confused(steps converting .pem to .cer or pk12) about how to use this for accessing the application. When I tried to convert .pem to pfx it is giving error saying either private key does not match or format is different. Can anyone help with a clear list of steps to follow to use JMeter for load testing the application?
Thanks in advance.
JMeter can only work with Java Keystores (either in JKS or PKCS12 formats) so you need to convert your .pem file into a Java Keystore.
You can do this either using OpenSSL command-line utility like:
openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in cert.pem
Or if you prefer you can use a GUI-based took like Keystore Explorer
Once done you can configure JMeter to use this keystore by adding the next lines to system.properties file (lives in "bin" folder of your JMeter installation)
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/your/keystore.p12
javax.net.ssl.keyStorePassword=your_keystore_password_here
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
I am new to SSL setup, please excuse me if my question is wrong.
I have deployed a Spring Boot application on AWS EC2 (Windows) instance with bunch of restful services, exposed through public IP address (AWS), i am able to access them publicly(http). I want to SSL(https) them now. I am in process of purchasing certificate, in one of the steps to setup, they have given these lines to validate a text file, is anyone aware of this ? Can you please suggest where i need to create ./well-known/pki-validation folder on my Spring Boot application(Tomcat) ?
The issuing vendor will provide you with a simple text-based file to place in sub-folders /.well-known/pki-validation/ in your site’s "home directory". If done properly, the vendor can view this file via HTTP:// and then issue the certificate upon confirmation.
1 Install certboot in the server.
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto --help
2 Obtain the certificate
In order to obtain the certificate you need to expose trough the server certain files. I do that using the target folder of spring boot tomcat.
./certbot-auto certonly --webroot -w {SpringBootProjectDir}/target/classes/static/ -d {yourDomain.com}
This command obtains the certificates and leaves them in:
/etc/letsencrypt/live/{yourDomain.com}/
Tomcat can't read the certificate provided since its not in p12 format. We have to generate the cert in this format. Use this command
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/{yourDomain.com}/fullchain.pem -inkey /etc/letsencrypt/live/{yourDomain.com}/privkey.pem -out /etc/letsencrypt/live/{yourDomain.com}/keystore.p12 -name tomcat -CAfile /etc/letsencrypt/live/{yourDomain.com}/chain.pem -caname root
It will ask you a password. Keep the password.
3 Configure the server
server.port=443
server.ssl.enabled=true
server.ssl.key-store: /etc/letsencrypt/live/{yourDomain.com}/keystore.p12
server.ssl.key-store-password: {password}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
Restart the server and Thats it!
By default setting up Solr on Https requires storing the certificate password as plain text in "bin\solr.in.cmd" (using windows to host solr)
And the certificate password is exposed in the portal.
How can I configure Solr with a Https certificate keeping the certificate password safe?
I want to use a private certifcate so the client trusts the certificate by default, rather than a self signed one.
I'm connecting via SolrNet from C#, currently without authentiation, but in the future can look at Basic Authentication which is supported in the provider which wraps SolrNet.
Seems like a basic thing which I would have thought should be supported? Can't find any article/documention on this.
Anyone solved this already?
Nearest I've found is:
Setting SOLR SSL properties
http://lucene.472066.n3.nabble.com/Prevent-the-SSL-Keystore-and-Truststore-password-from-showing-up-in-the-Solr-Admin-and-Linux-process-td4257422.html
Some suggestion of using jetty-https.xml and encrypt the configuration there.
Looking for a more complete answer.
update
I've come across the following Solr tickets:
https://issues.apache.org/jira/browse/SOLR-10307
https://issues.apache.org/jira/browse/SOLR-8897
Where support for loading the certificate passwords from environment variables has been added in Solr 7.0 and 6.7 (which hasn't been released yet).
I don't think using environment variables is much better, but some progress.
There is also a link to using Hadoop credential provider, but I'm not using Hadoop, so not applicable for me.
In the comments of the tickets, it mentions that someone tried the Jetty Password Utility, and Solr UI loaded over HTTPS. However the Collection API was erroring not being able to understand the password format.
So I'm still left without a way of configuring a certificate password for Solr, in a way I feel is secure.
For me the certificate password is not stored on the SOLR portal
see my setup
SSL
cd /path/to/solr/server/etc/
The following command will create a keystore file named solr-ssl.keystore.jks in the current directory
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:#ipsolr,IP:127.0.0.1 -dname "CN=localhost, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx"
Convert the certificate and key to PEM format for use with Curl
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
Next convert the PKCS12 format keystore into PEM format using the openssl
openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
After go to your $JAVA_HOME (into jre/lib/security)
curl --cacert /pah/to/solr/server/etc/solr-ssl.pem https://localhost:8983/solr/
Set Common SSL-Related System Properties
vi /etc/default/solr.in.sh
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS
Restart solr
service solr restart
For authentication
create security.json on SOLR_HOME (/var/solr/data/ for me)
Owner : root
See example of security.json to configure has you hope
After securing, add into solr.in.sh
SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:xxx"
it allows to have an answer on solr status service because with authentication it is not accessible
For me it's work and i don't see the certificate password on solr UI
All I get is javax.net.ssl.SSLHandshakeException: no cipher suites in common.
This is how to reproduce the behavior:
go to http://start.spring.io and add "Reactive Web" as dependency for Spring 2.0.1
unpack the archive
run keytool -genkeypair -keystore demo/src/main/resources/keystore.jks
Choose a password
Hit return as long as [Unknown] is the default, enter Yes when asked if CN=Unknown, OU=Unknown, ... is correct.
Use the same password for the key as for the keystore
add the following to application.properties
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=<my-secure-pwd>
build and run the application
run curl https://localhost:8080
This is my first time adding SSL to a Spring Boot application and I think that something must be wrong - but I've no idea what. Maybe anyone of you could provide some help? Thanks!
Ok, turns out that you need to set the key algorithm to RSA in order to make this work.
keytool -genkeypair -keyalg RSA -keystore src/main/resources/keystore.jks