Adventure of Getting SSL Certificate

I need to document this because it is the first time I have done it. The whole process was a little bumpy, but it all worked out in the end. Since this was my first time obtaining a certificate and installing it in a Spring Boot application, and there are very few tutorials that explain this in detail, it took me a long time to get it working. I will explain in detail what I did and what obstacles I had to overcome.

Why are there so few resources online for this? I suspect very few people do the kind of work I am doing for my site, and those who do are not the kind of people who document the steps. For me, documenting it will be helpful the next time I have to do this, and it may also help others learn how it is done.

I started by purchasing the SSL cert. My domain names are managed by GoDaddy, so I decided to get a cert from GoDaddy. The cost is $127 for 2 years; after that it is $95 per year. There are free certs out there, but can I trust them? I don't know. A side issue: GoDaddy defaulted the page to the UAE locale, and it took me some time to change it to US. The locale selector is at the bottom of the GoDaddy pages.

The next few steps were a first for me: actually creating the cert. First the page shows the private key and the CSR (certificate signing request). Both are important, but not that important. I think I made a mistake here: when I created the cert this way, it did not match the private key when I tried to create the Java Key Store.

It turned out I can generate the private key myself with openssl, create my own CSR, then paste the CSR into the GoDaddy page and "re-key" the certificate. I made another mistake here: after pasting the new CSR, I didn't click the Save All button to start the re-key process. That mistake took me several hours to track down. Once the Save All button is clicked, the re-key takes about 2-5 minutes to complete, after which I could download the new cert.

The new cert comes as a zip file. Decompressed, it contains three files. Two of them are the same site certificate. The other one, which looks like "sf_bundle-g2-g1.crt", is the root cert. I need both certs to create my key store, and I also need the private key. What I found works is removing the UTF-8 BOM from the private key text file; after that it can be used to create the key store.

The command to create the Java Key Store is:

openssl pkcs12 -export -out <output PKCS12 keystore file>.p12 -inkey <The private key file> -in <the cert file of the site> -certfile <The root cert file>

Figuring out this first command was the most difficult part of the whole process. There are ample examples of creating a self-signed cert for testing, but no specific example of taking a GoDaddy cert and transforming it into this p12-formatted key store. I was lucky to find this command after combing through a list of similar search results. Once I found it and did some side research, I knew it was what I needed: it combines the private key, the site cert and the root cert into one PKCS12-formatted key store. Perfect.

This is also the wonder of learning. At first I know nothing; then, after reading multiple pages of similar content, I get a good sense of which potential solution will work and a direction to keep searching. That is how I got the right answer: persistent research plus some trial and error.

When you generate the key store file, remember the password; you will need it in the application configuration file of your Spring Boot application.

This command creates a key store that Java applications can use. The problem is that the alias of the certificate for my site is set to "1". I found this out after checking what is inside the key store file. You can list its contents with this command:

keytool -list -v -keystore <output PKCS12 keystore file>.p12

I don't like the alias value "1", so I changed it. This is the command I used to change the alias:

keytool -changealias -alias "1" -destalias "<New Alias Value>" -keystore <output PKCS12 keystore file>.p12

You will need the password you set when creating the key store to complete these commands. If there is no error, at the end the key store is ready to use. Open the application.properties file of the Spring Boot application and add the following configuration keys/values:

server.port=8443
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:<Path to File>/<output PKCS12 keystore file>.p12
server.ssl.key-store-password=<Password for the Keystore>
server.ssl.key-alias=<Alias of the Site Cert>
security.require-ssl=true

Repackage the Spring application and run it locally. If everything works, running it locally shows that the application works over HTTPS but the browser reports that the certificate is not the right one (it was issued for my domain, not localhost). If something goes wrong, as in my first try with the certificate, I get ERROR_SSL_HANDSHAKE_FAILURE. When it worked, it felt like winning a big lottery ticket. Next, I used the Java Key Store in my existing site setup, and it worked there too: the wrong-SSL-cert error for the site went away. Finally, I spent a couple of hours on the weekend and deployed the new web site. End of this beautiful story.
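The whole pipeline above, as an added example that is not from the original post: a throwaway self-signed "root" stands in for GoDaddy so it runs offline, the BOM is stripped from the key file, the key is checked against the cert before packaging (the mismatch the first attempt hit), and openssl's -name option sets the alias directly so the "1" alias and the keytool -changealias step never come up. The domain www.example.test, the password changeit and the working directory are constructed assumptions; only openssl on PATH is required.

```shell
# Added example, not the post's own commands: a self-signed "root" stands in for
# GoDaddy so everything runs offline. Domain, password and paths are constructed.
set -eu
WORK=$(mktemp -d)
SITE=www.example.test    # constructed domain
PASS=changeit            # constructed keystore password

# 1. Generate the private key and CSR locally (the "re-key" route in the post).
openssl genrsa -out "$WORK/site.key" 2048 2>/dev/null
openssl req -new -key "$WORK/site.key" -subj "/CN=$SITE" -out "$WORK/site.csr"

# 2. Stand-in CA signs the CSR. With a real GoDaddy cert, site.crt and the
#    bundle (root cert) come from the downloaded zip instead.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/site.crt" 2>/dev/null

# A UTF-8 BOM at the top of the key file makes openssl reject it; strip it.
strip_bom() {
  if [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
    tail -c +4 "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  fi
}

# Succeeds only when key and cert share a modulus, i.e. they belong together
# (the mismatch the post ran into on the first attempt).
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Build the PKCS12 keystore: key + site cert + chain. -name sets the alias
# up front, so the "1" alias and the keytool -changealias step never arise.
build_keystore() {  # args: key cert chain alias; prints the keystore path
  openssl pkcs12 -export -name "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -out "$WORK/keystore.p12" -passout "pass:$PASS" 2>/dev/null
  echo "$WORK/keystore.p12"
}

# Read back the alias (friendlyName) stored in the keystore.
keystore_alias() {
  openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$PASS" 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Simulate the BOM-prefixed key file from the post, clean it, then verify.
{ printf '\357\273\277'; cat "$WORK/site.key"; } > "$WORK/site_bom.key"
strip_bom "$WORK/site_bom.key"
key_matches_cert "$WORK/site_bom.key" "$WORK/site.crt"
build_keystore "$WORK/site_bom.key" "$WORK/site.crt" "$WORK/ca.crt" "$SITE"
```

The resulting keystore.p12 is what server.ssl.key-store points at, with server.ssl.key-alias set to the -name value. With OpenSSL 3, add -legacy to the export if an older JDK cannot open the file.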
