

With mutual TLS the same validation happens for the client also. This means the client needs to present its TLS certificate so that the server can validate, with the client's public key, the ciphertext exchanged in the TLS handshake. If you want more details you can check out the official specification on TLS here.

How does it work in Java with Spring Boot? Well, let’s create a new project and activate TLS first. We are going to use keytool, a certificate management utility included with Java. The command below generates a file server.p12 that contains a public-private key pair valid for one year. I am running this command from src/main/resources, so the file can be accessed from the classpath in our program.

keytool -genkeypair -alias server -keyalg RSA -keysize 4096 -validity 365 -dname "CN=Server,OU=Server,O=Examples,L=,S=CA,C=U" -keypass changeit -keystore server.p12 -storeType PKCS12 -storepass changeit

With Spring Boot we can enable TLS via configuration properties:

server.port=8443
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:server.p12
server.ssl.key-store-password=changeit

Alternatively, if you are using an existing application you can pass those properties as Java arguments, so you don’t have to rebuild your jar:

java -jar target/mtls-demo-0.0.1-SNAPSHOT.jar --server.ssl.key-store-type=PKCS12 --server.ssl.key-store=classpath:server.p12 --server.ssl.key-store-password=changeit --server.port=8443

When we call our application using curl, we see there is a problem with our certificate. It was self-signed and by default it cannot be trusted. This is because usually a certificate authority verifies the entity applying for the digital certificate.
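To see for yourself why curl rejects the certificate, here is an added Java example (not code from the original post) that loads the server.p12 produced by the keytool command above through the JDK KeyStore API and reports whether the certificate is self-signed, i.e. signed by the very key it certifies, and until when it is valid. It assumes the alias "server", the password "changeit" and the src/main/resources path used above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;

public class KeyStoreInspector {

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the keystore written by the keytool command above.
        String path = args.length > 0 ? args[0] : "src/main/resources/server.p12";
        char[] password = "changeit".toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        // Spring Boot needs a key entry (private key + certificate), not just a trusted cert.
        System.out.println("Has private key for 'server': " + ks.isKeyEntry("server"));

        X509Certificate cert = (X509Certificate) ks.getCertificate("server");
        System.out.println("Subject:     " + cert.getSubjectX500Principal());
        System.out.println("Issuer:      " + cert.getIssuerX500Principal());
        System.out.println("Self-signed: " + isSelfSigned(cert));
        System.out.println("Valid until: " + cert.getNotAfter());

        // Throws CertificateExpiredException / CertificateNotYetValidException if outside the window.
        cert.checkValidity(new Date());
    }

    // A certificate is self-signed when issuer == subject and its signature
    // verifies under its own public key. No CA vouched for it, which is why
    // curl (and every other client) refuses it until you explicitly trust it.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }
}
```

For the keystore generated above this prints issuer equal to subject and Self-signed: true; a certificate issued by a CA would show the CA's name as issuer and false.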
