Question

We have a Spring Boot application for REST web services which is still under development. And we are using self signed certificate for now.

Now, it will be deployed into a system along with 1 more already developed application. This pre-existing application uses self signed certificate by default but gives client an option to upload CA certificates if they want. Now, we want to use the same certificate for this new application.

基本上,我们希望客户使用1份申请证书,申请在1个系统中进行。

Now, this existing application has certificate files like .pem and .cer.
How can I use this certificate in my Spring Boot application which uses certificate in the format of jks?

And off course, in case of any update, the certificate should be available to both of the applications.

Answer 1

As of Spring Boot 2.7 it s possible to use PEM-encoded certificate and private key files.
See the below example (private key in PKCS8 format).

server:
  port: 8443
  ssl:
    certificate: "classpath:my-cert.crt"
    certificate-private-key: "classpath:my-cert.key"
    trust-certificate: "classpath:ca-cert.crt"

Answer 2

在证书方面,PEM是一种众所周知的档案格式。除 Java外。由于 Java只使用JKS(仅靠 Java、双亲钥匙店)或PKCS12作为钥匙和证书。因此,我们必须将PEM编码证书转换为JKS或PKCS12,以便 Java能够消费。但这可能是在很多情况下发生的。

在您的春天申请中,你可以使用以下依赖性。

<dependency>
  <groupId>de.dentrassi.crypto</groupId>
  <artifactId>pem-keystore</artifactId>
  <version>2.0.0</version>
</dependency>

之后加添

KeyStore keyStore = KeyStore.getInstance("PEM");

更多信息

https://github.com/ctron/pem-keystore”rel=“noreferer”>

application.properties

 server.ssl.enabled=true
 server.ssl.key-store=/path/to/keystore.properties
 server.ssl.key-store-type=PEMCFG
 server.ssl.key-store-password=dummy
 server.ssl.key-alias=keycert

然后,你创建<条码>钥匙store.properties:

alias=keycert
source.cert=/etc/…/fullchain.pem
source.key=/etc/…/privkey.pem

Answer 3

我经常做的是,在春天用喷气来取代Tomcat,这确实使习惯的组合成为可能。有了这种配置,便有可能实现任何种类的定制,例如处理皮姆档案,但也特别是加密的平姆档案。下面是我使用的设置:

下面的平板档案将装上,将设立一个关键管理信托基金。这笔经费将用于创建一种SSLFactory,然后将用来转换成一个符合喷气素配置的配置。

import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.util.JettySslUtils;
import nl.altindag.ssl.util.PemUtils;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;

@Configuration
public class SSLConfig {

    @Bean
    public SSLFactory sslFactory() {
        X509ExtendedKeyManager keyManager = PemUtils.loadIdentityMaterial("chain.pem", "private-key.pem", "my-password".toCharArray());
        X509ExtendedTrustManager trustManager = PemUtils.loadTrustMaterial("some-trusted-certificate.pem");

        return SSLFactory.builder()
                .withIdentityMaterial(keyManager)
                .withTrustMaterial(trustManager)
                .build();
    }

    @Bean
    public SslContextFactory.Server sslContextFactory(SSLFactory sslFactory) {
        return JettySslUtils.forServer(sslFactory);
    }

}

The Jetty SSL configuration needs to be passed on to the server configuration:

import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.jetty.JettyServerCustomizer;
import org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.Collections;

@Configuration
public class ServerConfig {

    @Bean
    public ConfigurableServletWebServerFactory webServerFactory(SslContextFactory.Server sslContextFactory, @Value("${server.port}") int serverPort) {
        JettyServletWebServerFactory factory = new JettyServletWebServerFactory();

        JettyServerCustomizer jettyServerCustomizer = server -> {
            ServerConnector serverConnector = new ServerConnector(server, sslContextFactory);
            serverConnector.setPort(serverPort);
            server.setConnectors(new Connector[]{serverConnector});
        };
        factory.setServerCustomizers(Collections.singletonList(jettyServerCustomizer));

        return factory;
    }

}

在这两个支队之后,你还需要告诉春天不要使用Tomcat,而是应该使用Jetty。可以通过下列专题组合做到这一点:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot</artifactId>
    <version>2.7.5</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <version>2.7.5</version>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jetty</artifactId>
    <version>2.7.5</version>
</dependency>

我用自己的图书馆读一读文件。 See below for the Dependencies and here for more regarding other uses: SSLContext-Kickstart

<dependency>
    <groupId>io.github.hakky54</groupId>
    <artifactId>sslcontext-kickstart-for-jetty</artifactId>
    <version>8.1.2</version>
</dependency>
<dependency>
    <groupId>io.github.hakky54</groupId>
    <artifactId>sslcontext-kickstart-for-pem</artifactId>
    <version>8.1.2</version>
</dependency>

Answer 4

我们可以从证书和私人钥匙中创建JKS档案,其形式如下:

#Combine private key and certificate to create pkcs12 file
openssl pkcs12 -export -out keystore.p12 -inkey privatekey.pem -in certificate.crt -name your_alias

#Import the certificate and key into a JKS file for Java to use
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

友情链接