HTTPS using Self-Signed Certificate in Spring Boot – 在Spring Boot中使用自签名证书的HTTPS

最后修改: 2018年 10月 23日

1. Overview


In this tutorial, we’ll learn how to enable HTTPS in Spring Boot. For this purpose, we’ll also generate a self-signed certificate, and configure a simple application.

在本教程中,我们将学习如何在Spring Boot中启用HTTPS。为此,我们还将生成一个自签名的证书,并配置一个简单的应用程序。

For more details on Spring Boot projects, we can refer to a bunch of resources here.

关于Spring Boot项目的更多细节,我们可以参考一堆资源这里

2. Generating a Self-Signed Certificate


Before getting started, we’ll create a self-signed certificate. We’ll use either of the following certificate formats:


  • PKCS12: Public Key Cryptographic Standards is a password protected format that can contain multiple certificates and keys; it’s an industry-wide used format.
  • JKS: Java KeyStore is similar to PKCS12; it’s a proprietary format and is limited to the Java environment.

We can use either keytool or OpenSSL tools to generate the certificates from the command line. Keytool is shipped with Java Runtime Environment, and OpenSSL can be downloaded from here.


For our demonstration, let’s use keytool.


2.1. Generating a Keystore


Now we’ll create a set of cryptographic keys, and store them in a keystore.


We can use the following command to generate our PKCS12 keystore format:


keytool -genkeypair -alias baeldung -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore baeldung.p12 -validity 3650

We can store any number of key-pairs in the same keystore, with each identified by a unique alias.


For generating our keystore in a JKS format, we can use the following command:


keytool -genkeypair -alias baeldung -keyalg RSA -keysize 2048 -keystore baeldung.jks -validity 3650

We recommend using the PKCS12 format, which is an industry standard format. So in case we already have a JKS keystore, we can convert it to PKCS12 format using the following command:


keytool -importkeystore -srckeystore baeldung.jks -destkeystore baeldung.p12 -deststoretype pkcs12

We’ll have to provide the source keystore password and also set a new keystore password. The alias and keystore password will be needed later.


3. Enabling HTTPS in Spring Boot

3.在Spring Boot中启用HTTPS

Spring Boot provides a set of a declarative server.ssl.* properties. We’ll use those properties in our sample application to configure HTTPS.

Spring Boot提供了一套声明性的server.ssl.*属性我们将在我们的示例应用程序中使用这些属性来配置HTTPS。

We’ll start from a simple Spring Boot application with Spring Security that contains a welcome page handled by the “/welcome” endpoint.

我们将从一个简单的Spring Boot应用程序与Spring Security开始,其中包含一个由”/welcome“端点处理的欢迎页面。

Then we’ll copy the file named “baeldung.p12,” generated in the previous step, into the “src/main/resources/keystore” directory.


3.1. Configuring SSL Properties


Now we’ll configure the SSL related properties:


# The format used for the keystore. It could be set to JKS in case it is a JKS file
# The path to the keystore containing the certificate
# The password used to generate the certificate
# The alias mapped to the certificate

Since we’re using a Spring Security enabled application, let’s configure it to accept only HTTPS requests:

由于我们使用的是一个启用了Spring Security的应用程序,让我们把它配置为只接受HTTPS请求。


4. Invoking an HTTPS URL


Now that we have enabled HTTPS in our application, let’s move on to the client, and explore how to invoke an HTTPS endpoint with the self-signed certificate.


First, we need to create a trust store. As we have generated a PKCS12 file, we can use the same as the trust store. Let’s define new properties for the trust store details:


#trust store location
#trust store password

Then we need to prepare an SSLContext with the trust store and create a customized RestTemplate:


RestTemplate restTemplate() throws Exception {
    SSLContext sslContext = new SSLContextBuilder()
      .loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray())
    SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
    HttpClient httpClient = HttpClients.custom()
    HttpComponentsClientHttpRequestFactory factory = 
      new HttpComponentsClientHttpRequestFactory(httpClient);
    return new RestTemplate(factory);

For the sake of the demo, let’s make sure Spring Security allows any incoming requests:

为了演示,让我们确保Spring Security 允许任何进入的请求。

public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { 

Finally, we can make a call to the HTTPS endpoint:


public void whenGETanHTTPSResource_thenCorrectResponse() throws Exception {
    ResponseEntity<String> response = 
      restTemplate().getForEntity(WELCOME_URL, String.class, Collections.emptyMap());

    assertEquals("<h1>Welcome to Secured Site</h1>", response.getBody());
    assertEquals(HttpStatus.OK, response.getStatusCode());

5. Conclusion


In this article, we first learned how to generate a self-signed certificate to enable HTTPS in a Spring Boot application. Then we discussed how to invoke an HTTPS-enabled endpoint.

在这篇文章中,我们首先学习了如何在Spring Boot应用程序中生成一个自签名证书以启用HTTPS。然后,我们讨论了如何调用启用了HTTPS的端点。

As always, we can find the complete source code over on GitHub repository.


Finally, to run the code sample, we need to un-comment the following start-class property in the pom.xml: