HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over an encrypted TLS connection; it is the protocol a web browser and a web server use to exchange data securely.
HTTPS is the secure version of HTTP, the protocol used to transfer data between a web browser and a web server. The difference is that HTTPS wraps the HTTP traffic in SSL/TLS (Secure Sockets Layer / Transport Layer Security), which encrypts the data while it travels between browser and server. SSL is the deprecated predecessor of TLS; every current deployment uses TLS, but the old name survives in phrases such as "SSL certificate".
When a user opens a website that uses HTTPS, the browser first performs a TLS handshake with the server and only then sends its HTTP requests over the resulting encrypted connection, so the data is exchanged confidentially.
HTTPS therefore protects users' privacy by encrypting the data in transit, protects its integrity (tampering along the way is detected), and, through the certificate the server presents, lets the browser check that it is really talking to the server it intended to reach.
A certificate is only valid for the hostnames listed in it (the Subject Alternative Names it was issued for).
For example, if the certificate was issued for www.a.com and www.b.com redirects to www.a.com:
- www.b.com will not work over https. The browser has to open a TLS connection to www.b.com just to receive the redirect, and the certificate it is shown does not name www.b.com, so it reports a certificate error before any redirect happens. To redirect over https, the certificate must also cover www.b.com.
- www.a.com is https
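The following script is an added example, not part of the original post: it reproduces the www.a.com / www.b.com situation with openssl. It creates a throwaway self-signed certificate whose only name is www.a.com and then asks openssl to validate that certificate for each hostname the way a browser does (chain check plus hostname check). The hostnames are the placeholders used above; the certificate and the temporary directory are constructed here. It needs OpenSSL 1.1.1 or newer for the -addext and -ext options.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates that a certificate
# issued only for www.a.com fails validation when the client connects to
# www.b.com, even if www.b.com would just redirect to www.a.com.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate whose only name is www.a.com
# (Subject Alternative Name; the CN is set too, but browsers ignore the CN).
make_cert_for_a() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/a.key" -out "$WORK/a.crt" \
        -subj "/CN=www.a.com" \
        -addext "subjectAltName=DNS:www.a.com" >/dev/null 2>&1
}

# Print the DNS names the certificate is actually valid for, e.g. "DNS:www.a.com".
list_sans() {
    openssl x509 -in "$WORK/a.crt" -noout -ext subjectAltName | sed -n 's/^ *DNS:/DNS:/p'
}

# Validate the certificate for the hostname the user typed, as a browser would.
# A self-signed certificate is its own trust anchor, so it is passed as -CAfile;
# the interesting part is -verify_hostname. Prints "ok" or "hostname-mismatch".
check_hostname() {
    if openssl verify -CAfile "$WORK/a.crt" -verify_hostname "$1" "$WORK/a.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo hostname-mismatch
    fi
}

make_cert_for_a
echo "certificate names: $(list_sans)"
echo "www.a.com -> $(check_hostname www.a.com)"
echo "www.b.com -> $(check_hostname www.b.com)"
```

The redirect never gets a chance to run in the second case: the TLS handshake to www.b.com fails first. The fix is a certificate that lists both names, or a separate certificate on the host that serves the redirect.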
On a web hosting plan the SSL certificate was installed automatically, and without doing anything I could access the site with https.
In a Java Spring Boot application it is different: we have to tell the application where to find the certificate and its private key.
SSL/TLS is just the modern name for what people still call SSL; TLS is the successor protocol and the one actually in use. It is what makes HTTP secure (https), and the server's certificate is what authenticates the server's identity to the client.
In Java, certificates and private keys are stored in a keystore.
Later, in application.properties, we point the application at that keystore.
Keystore files conventionally use the extension .jks (Java KeyStore). Since Java 9 the default keystore format is PKCS12, and keytool reads both formats regardless of the file extension, so a file named .jks may well be PKCS12 inside.
A keystore is like a small database of certificates and private keys: each entry is stored under an alias and the file is protected by a password.
Do not upload the keystore, the SSL certificate or the private key to GitHub.
A keystore is managed with keytool.
keytool is a command-line tool that ships with every JDK (Java Development Kit), not only Oracle's. It is used to manage keystores and the public and private keys and digital certificates they contain.
keytool creates the keystore and is used to import, export, list and delete its entries.
Another useful tool besides keytool is openssl, which manages certificates and private keys outside the Java world.
With openssl you convert keys and certificates between formats (PEM, DER, PKCS#12) so that they can be imported into a keystore, and you can also create your own self-signed certificates.
Self-signed certificates are fine for local development, but browsers do not trust them, so they should not be used in production.
So before starting we must have keytool and openssl installed.
I don't know how it is on Windows, I haven't used it for 15 years; I'm a user of macOS and some Linux distributions.
If you are a Windows user, I doubt you will understand anything of what follows.
Creating a keystore: a keystore is a file.
In this example, my_keystore.jks is the name of the keystore file, located in the src/main/resources folder.
The keystore stores certificates and keys; what you import has to be in the format keytool expects (for a private key plus its certificate, a PKCS#12 bundle), and the file extension should match the content.
The classpath: prefix indicates that the keystore file is on the application's classpath, which in a Maven project includes src/main/resources.
classpath: is used in application.properties, for example:
server.ssl.key-store=classpath:my_keystore.jks
Then inside src/main/resources we have:
- application.properties
- my_keystore.jks
- web.crt
- web.key
- web.p12
web.crt stores the certificate as given to you by the certificate provider (in this case donweb, which sells Sectigo certificates).
web.key stores the private key as given to you by the provider.
web.p12 stores the certificate and the private key together in PKCS#12 format, all in one file; we create it with openssl.
my_keystore.jks is created with keytool and stores the contents of web.p12.
application.properties points at the keystore and configures its password, its type and the alias of the entry the application will read.
Inside a keystore, a private key and a certificate are linked when they share the same alias; a .p12 entry already contains both, linked together, which is why we build one instead of importing the two files separately.
We should not upload to GitHub:
- my_keystore.jks
- web.crt
- web.key
- web.p12
This is indicated in the .gitignore located where the pom.xml is, in the root of the project:
*.crt
*.key
*.p12
*.jks
.DS_Store
Then tell application.properties to read the keystore, giving it the keystore password and the alias of the stored p12 entry.
We then have:
- PKCS12 type keystore, opened with its password
  - SSL certificate, alias: xxxx
  - private key, alias: xxxx
The shared alias is what links the certificate and the private key into one entry.
In our case:
- the keystore starts with 0 entries;
- if there is an entry created by default (keytool -genkeypair always creates one), we delete it;
- the certificate and the private key go into a single .p12 file, which is done with openssl.
donweb gives you the SSL certificate as .crt: a block of PEM text, which you save in a file with the .crt extension.
The private key comes as .key: also PEM text, which you save in a file with the .key extension.
The alias is the name that identifies an entry in the keystore.
Create a new keystore:
keytool -genkeypair -alias alias_name -keyalg RSA -keystore my_keystore.jks
keytool has no command for creating an empty keystore, so this creates the file together with a throwaway self-signed key pair under alias_name; that is the default entry we delete below. On older JDKs, where the default format was JKS, add -storetype PKCS12 so that the file really is PKCS12, as the configuration further down expects.
Find out the type of a keystore:
keytool -list -keystore my_keystore.jks
The output starts with "Keystore type:" followed by the type, and then lists every entry with its alias and whether it is a PrivateKeyEntry (key plus certificate) or a trustedCertEntry (certificate only).
Delete a record in the keystore:
keytool -delete -alias my_alias -keystore my_keystore.jks
The private key that was given to you together with the Sectigo Positive SSL certificate is the one you must use, not the key generated when the keystore was created.
The key generated by default is unrelated to the Sectigo Positive certificate: a certificate only works with the exact private key whose public half it contains.
The private key from Sectigo Positive is the one the server uses during the TLS handshake to prove that it owns the certificate (by signing handshake data, or, with the older RSA key exchange, by decrypting the secret the client sends). The session traffic itself is encrypted with keys derived during the handshake, not with the certificate's key.
The default entry in the keystore is a self-signed key pair that keytool generates automatically when it creates the keystore. It is not needed for the Sectigo Positive certificate and can be safely deleted.
So the first thing to do is delete the key pair created by default in the keystore.
I didn't understand why I was getting an error. It was because the certificate I imported had the same alias as the private key generated by default; if they have the same alias they are linked, and that private key did not match the certificate. The same happened with the other private key: it had the same alias as the private key created by default.
It was a problem with the aliases. It took me a whole day; it's annoying because it's paid and there's no documentation.
It's kind of stupid; it's just so that I can access a server over https instead of http.
But I think that anything free is very problematic.
This command is very useful, save it. It creates a self-signed certificate and its private key in one step (for local testing only; C is the country, ST the state, L the locality, O the organization and CN the hostname the certificate is for):
openssl req -x509 -newkey rsa:2048 -nodes -keyout private_key.key -out ssl_certificate.crt -days 365 -subj "/C=AR/ST=your_state/L=your_city/O=your_organization/CN=web.com"
A PKCS#12 file is not defined by its .p12 extension; its content has to be in PKCS#12 format.
keytool cannot import a bare private key from a .key file at all, whatever the keystore type. The only way to get a private key into a keystore is to bundle it with its certificate in a PKCS#12 file and use -importkeystore; pointing keytool at the .crt and .key directly throws an error.
This command creates a new file called web.p12 that contains the certificate and the private key in PKCS#12 format:
openssl pkcs12 -export -in web.crt -inkey web.key -out web.p12
Give the .p12 a password of at least 6 characters (keytool rejects shorter keystore passwords). If you add -name some_alias, that becomes the alias of the entry; without it the entry ends up with the alias "1" once it is inside the Java keystore.
Then import the generated p12:
keytool -importkeystore -srckeystore web.p12 -srcstoretype PKCS12 -destkeystore my_keystore.jks -deststoretype PKCS12
keytool then asks for the destination keystore password and the password of the .p12 file. The entry keeps the alias it had in the .p12 unless you add -destalias; whichever alias it ends up with is what goes in server.ssl.key-alias.
In application.properties enter the following configuration:
server.port=8080
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:my_keystore.jks
server.ssl.key-store-password=your_password
server.ssl.key-alias=record_p12_alias
Within a keystore entry the order matters: the private key has to be there first,
and the certificate is then imported as the reply for that key.
Importing the certificate first creates a standalone trusted-certificate entry with no key behind it, and importing a certificate against a key that does not match it is rejected with an error. Bundling both into the .p12 with openssl sidesteps the ordering problem, because they arrive together.
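As an added example, not code from the original post or from donweb, here is the whole procedure above run end to end from a shell: check that the private key really belongs to the certificate (the mismatch behind the alias error described above), build the .p12 with an explicit alias and a password of acceptable length, inspect what landed in it, and import it into the keystore that the Spring Boot properties point at. A real Sectigo certificate cannot be embedded here, so a self-signed certificate generated on the spot stands in for donweb's web.crt and web.key; the alias web, the password changeit and the temporary file names are assumptions for the demo. The keytool step only runs if a JDK is installed; everything else needs only openssl.

```shell
#!/bin/sh
# Added example (not from the original post). Runs the key/cert/p12/keystore
# steps end to end on a throwaway self-signed certificate that stands in for
# the provider's web.crt / web.key. Alias, password and paths are demo choices.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/web.key"; CRT="$WORK/web.crt"; OTHER_KEY="$WORK/other.key"
P12="$WORK/web.p12"; KS="$WORK/my_keystore.jks"
ALIAS=web
PASS=changeit   # keytool refuses keystore passwords shorter than 6 characters

# Stand-in for the provider's files (dev only): a self-signed cert and its key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$KEY" -out "$CRT" \
    -subj "/C=AR/O=demo/CN=web.com" >/dev/null 2>&1
# A second key that does NOT belong to the certificate: the situation behind
# the alias mix-up described above.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$OTHER_KEY" >/dev/null 2>&1

# The public key embedded in the certificate and the public half derived from
# the private key must be byte-identical; compare SHA-256 digests of their DER.
pubkey_digest_of_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
pubkey_digest_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Prints "match" or "mismatch". Run this BEFORE building the .p12: a key that
# does not belong to the certificate can never work, whatever alias it gets.
key_matches_cert() {
    if [ "$(pubkey_digest_of_key "$1")" = "$(pubkey_digest_of_cert "$2")" ]; then echo match; else echo mismatch; fi
}

# Bundle key + certificate into one PKCS#12 entry. -name sets the alias that
# keytool and server.ssl.key-alias will see (without it the entry becomes "1").
make_p12() {
    openssl pkcs12 -export -in "$CRT" -inkey "$KEY" -name "$ALIAS" -passout "pass:$PASS" -out "$P12"
}

# Prints "ok" if the certificate inside the .p12 carries the expected CN,
# "missing" otherwise. Useful sanity check before involving keytool at all.
p12_has_cn() {
    if openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | grep -q "CN *= *$1"; then echo ok; else echo missing; fi
}

# Import into the keystore Spring Boot reads. Prints the entry type keytool
# reports ("PrivateKeyEntry" is what we want), "skipped" when no JDK is present,
# or "import-failed". Same password for .p12 and keystore keeps Spring simple.
import_into_keystore() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    keytool -importkeystore -noprompt \
        -srckeystore "$P12" -srcstoretype PKCS12 -srcstorepass "$PASS" -srcalias "$ALIAS" \
        -destkeystore "$KS" -deststoretype PKCS12 -deststorepass "$PASS" -destalias "$ALIAS" \
        >/dev/null 2>&1 || { echo import-failed; return 0; }
    keytool -list -keystore "$KS" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null | grep -o 'PrivateKeyEntry' || echo unexpected
}

echo "own key vs cert:    $(key_matches_cert "$KEY" "$CRT")"
echo "other key vs cert:  $(key_matches_cert "$OTHER_KEY" "$CRT")"
make_p12
echo "p12 has CN web.com: $(p12_has_cn web.com)"
echo "keystore entry:     $(import_into_keystore)"
```

With the alias set explicitly, the matching Spring Boot configuration is the one shown above with server.ssl.key-alias=web. If you choose different passwords for the .p12 and for the keystore, Spring Boot additionally needs server.ssl.key-password set to the .p12 password; keeping the two identical, as in the script, avoids that extra setting.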