Spring Boot-使用CA证书启用SSL(HTTPS) [英] Spring Boot - Enable SSL (HTTPS) with CA certificate
问题描述
也许我会在这里找到帮助.我想在Spring Boot应用程序上启用SSL.我有一个类似的配置:
Maybe I will find help here. I want to enable SSL on Spring Boot application. I have a configuration like:
服务器:端口:8999 ssl:已启用:true密钥库:classpath:keystore.jks密钥库密码:mypass密码:mypass
server: port: 8999 ssl: enabled: true key-store: classpath:keystore.jks key-store-password: mypass key-password: mypass
问题是我的密钥库.我已将* crt文件导入别名为"tomcat"的密钥库中:
The problem is my keystore. I've imported *crt file into keystore with alias 'tomcat':
keytool -importcert -file certificate.crt -keystore native.jks -alias tomcat
但是,我仍然无法正确访问我的rest api.它会在firefox中吐出错误:
However, I still can't properly access my rest api. It vomits with error in firefox:
SSL_ERROR_RX_RECORD_TOO_LONG
SSL_ERROR_RX_RECORD_TOO_LONG
- 它不起作用.如何制作适当的密钥库以使其正常工作?我正在颁发CA证书,而不是自签证书.我有以下文件:
- https://www.baeldung.com/spring-boot-https-self-signed-certificate
- https://mkyong.com/spring-boot/spring-boot-ssl-https-examples/
- https://dzone.com/articles/how-to-enable-the-https-into-spring-boot-applicati
- 请注意,我之所以选择遵循他们的AWS指导,是因为我是AWS用户,并且拥有一台EC2服务器,该服务器已经可以在服务器上安装OpenSSL和Java.还有许多其他替代方法可以执行相同的步骤,因此请进一步搜索以找到适合您的生成CSR"说明.
Note that I opted to follow their AWS instructions because I am an AWS user and have an EC2 server readily available with OpenSSL and Java already installed on the server. There are lots of other alternatives to do the same procedure, so search further to find the 'generating a CSR' instructions that are right for you.
在此步骤的最后,我有以下两个文件:
At the end of this step, I have the following two files:
-
csr.pem
-用作SSL证书请求/激活过程的一部分 -
private.key
-这是我的SSL证书的私钥部分,稍后我将需要在服务器上安装该证书.保持秘密.确保安全.
csr.pem
- This is used as part of the SSL cert request/activation processprivate.key
- This is the private key part of my SSL cert, which I will need later to install the cert on my servers. Keep it secret. Keep it safe.
在完成SSL证书的购买和验证过程后,CA向我发回了一个包含.p7b,.crt和.ca-bundle文件的.zip文件.
After I completed the purchase and verification procedure for my SSL cert, the CA sent me back a .zip file that contained a .p7b, .crt, and .ca-bundle file.
下面的参考链接之一解释了这些证书文件类型之间的区别:
One of the reference links below explains the difference between these certificate file types:
-
.p7b
-此类型应与基于Java的应用程序(PKCS#7格式)兼容 -
.crt
-此类型应与大多数其他文件兼容-上面的链接表明这是PEM格式 -
.ca-bundle
-不知道何时使用它-上面的链接表明这是PEM格式
.p7b
- This type should be compatible with Java-based applications (PKCS#7 format).crt
- This type should be compatible with most everything else - the link above suggests this is PEM format.ca-bundle
- Not sure when to use this - the link above suggests this is PEM format
参考:
下一步,我需要弄清楚如何使用上面列出的文件为HTTPS配置Spring Boot应用程序.
Next I need to figure out how to use the files that I listed above to configure my Spring Boot application for HTTPS.
我将按照以下教程的相关部分来获得所需的内容:
I will follow the relevant parts of the below tutorials to get what I need:
- https://www.baeldung.com/spring-boot-https-self-signed-certificate
- https://www.baeldung.com/x-509-authentication-in-spring-security
注意:在这两个教程中,由于我已经拥有由真实CA颁发的真实证书,因此我将不遵循它们创建自签名证书的章节.
他们说明中的第一个相关步骤是创建一个新的Java密钥库.要求是:
The first relevant step in their instructions is to create a new Java keystore. The requirements are:
- 必须安装Java,因此我可以使用"keytool"实用程序
- 必须安装"openssl"实用程序,因此我可以使用.key和.p7b文件作为输入来创建.p12文件
我将使用我的AWS EC2 Linux服务器执行此操作.我的服务器已经安装了Java/keytool和OpenSSL实用程序.首先,我需要使用OpenSSL实用程序创建一个.p12文件(如果我理解正确的话),该文件将同时包含两个私钥和CA颁发的证书.其次,我需要创建一个新的Java密钥库,其中将包含一个导入的.p12文件的副本.
I will use my AWS EC2 Linux server to do this. My server already has the Java/keytool and OpenSSL utilities installed. First I need to use the OpenSSL utility to create a .p12 file that (if I understand correctly) will contain both my private key, and the CA-issue certificate. Second, I need to create a new Java keystore that will contain an imported copy of the .p12 file.
-
openssl pkcs12 -export -out jimtough-dot-org.p12-名称"jimtough-dot-org";-inkey private.key -in __jimtough_org.crt
- 重要提示:您需要在导出密码"提示下提供密码,否则下一步中的keytool导入将失败
- 您需要提供在"openssl"命令中使用的密码
- 您还需要为正在创建的密钥库提供新密码
- 我从"keytool"处收到有关JKS是专有格式的警告,并建议我将密钥库转换为PKCS12格式,因此我使用此可选命令来做到这一点
最后,我需要将新创建的Java密钥库与Spring Boot应用程序打包在一起,并配置该应用程序以使用它.
Finally, I need to package my newly created Java keystore with my Spring Boot application and configure the application to use it.
参考:
- https://www.baeldung.com/spring-boot-https-self-signed-certificate
- https://www.baeldung.com/x-509-authentication-in-spring-security
我回顾了上面的两个Baeldung教程,并且能够获得使Spring Boot(启用Spring Security)正常工作所需的详细信息.
I referred back to the two Baeldung tutorials above, and was able to get the details I needed to make my Spring Boot (with Spring Security enabled) to work.
我在现有的'src/main/resources'下创建了一个新的'keystore'文件夹,然后将两个新创建的keystore文件复制到那里(我保留了这两种格式).
I created a new 'keystore' folder under the existing 'src/main/resources', and copied both of my newly created keystore files there (I kept both formats).
我将下面的块添加到了Spring Boot应用程序的
application.properties
文件中.I added the block below to my Spring Boot application's
application.properties
file.#-------------------------------------------------------------------------------------------------- # SSL CONFIGURATION # The format used for the keystore. It could be set to JKS in case it is a JKS file #server.ssl.key-store-type=JKS server.ssl.key-store-type=PKCS12 # The path to the keystore containing the certificate #server.ssl.key-store=classpath:keystore/jimtough-dot-org-keystore.jks server.ssl.key-store=classpath:keystore/jimtough-dot-org-keystore.pkcs12 server.ssl.key-store-password=mykeystorepassword server.ssl.key-alias=jimtough-dot-org server.ssl.enabled=true server.port=8443 #--------------------------------------------------------------------------------------------------
正如预期的那样,当我尝试使用https://localhost:8443/作为URL连接到Spring Boot应用程序的本地运行实例时,会从浏览器中收到一堆警告.发生这种情况是因为浏览器正确地识别了本地主机"和创建我的SSL证书所要运行的预期"jimtough.org"域之间的不匹配.当我将应用程序部署到主机名为"anything.jimtough.org"(或只是www.jimtough.org ).
As expected, I get a bunch of warnings from my browser when I attempt to connect to a locally running instance of the Spring Boot application using https://localhost:8443/ as the URL. This happens because the browser correctly identifies the mismatch between 'localhost' and the expected 'jimtough.org' domain that my SSL certificate was created to run on. There shouldn't be any warnings when I deploy the application to a server whose hostname is 'anything.jimtough.org' (or just www.jimtough.org).
就是这样!HTTPS祝您愉快!
这篇关于Spring Boot-使用CA证书启用SSL(HTTPS)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
-
certificate.crt,certificate.p12,certificate.pk,privkey.pem和三个文件root_ca_1.ca-bundle,root_ca_2.ca-bundle,root_ca_3.ca-bundle
certificate.crt, certificate.p12, certificate.pk, privkey.pem and three files root_ca_1.ca-bundle, root_ca_2.ca-bundle, root_ca_3.ca-bundle
.这就是我的全部.我对ssl主题非常了解,只需阅读一些教程并尝试了一些keytool命令即可使其工作.我将不胜感激.预先谢谢你.
. That's all I have. I'm very fresh with ssl topic, just read some tutorials and tried few keytool commands to make it work. I'd be grateful for help. Thank You in advance.
推荐答案
我刚刚花了一个下午来弄清楚这个确切的问题,所以在这里我将分享我的过程.
I just spent the afternoon figuring out this exact problem, so I'll share my process here.
下面的每个参考都提供了有关如何生成和使用自签名证书的说明.这并不是我要尝试做的事情,但是它们每个都包含一些有用的背景信息.
Each of the references below provides instructions on how to generate and use a self-signed certificate. That's not exactly what I'm trying to do, but these each contain some useful background information.
参考:
我已经为* .jimtough.org通配符"域购买了由CA签发的真实SSL证书.我是从 http://www.namecheap.com/购买的证书,但实际上是证书颁发机构(CA)是Comodo.
I have already purchased a real CA-issued SSL certificate for the *.jimtough.org 'wildcard' domain. I purchased the certificate from http://www.namecheap.com/, but the actual Certificate Authority (CA) is Comodo.
作为与CA进行购买/激活过程的一部分,我需要遵循以下说明:
As part of the purchase/activation procedure with the CA, I needed to follow these instructions: