lapozzo/springboot-two-way-ssl-example


Simple example with two Spring Boot applications communicating over HTTPS with two-way SSL (mutual TLS) authentication, using a certificate chain.

We use the chain to avoid importing every client certificate into the server: the server trusts the intermediate CA certificate instead of each individual client, so any certificate signed by that intermediate is accepted.

```shell
# Root CA key pair (self-signed; bc:c marks it as a CA)
keytool -genkeypair -alias root -dname cn=root -validity 10000 -keyalg RSA -keysize 2048 -ext bc:c -keystore root.jks -keypass password -storepass password
# Intermediate CA key pair
keytool -genkeypair -alias ca -dname cn=ca -validity 10000 -keyalg RSA -keysize 2048 -ext bc:c -keystore ca.jks -keypass password -storepass password
# Export the root certificate
keytool -exportcert -rfc -keystore root.jks -alias root -storepass password > root.pem
# Sign the intermediate's CSR with root; bc=0 means ca may only issue end-entity certificates
keytool -keystore ca.jks -storepass password -certreq -alias ca | keytool -keystore root.jks -storepass password -gencert -alias root -ext bc=0 -ext san=dns:ca -rfc > ca.pem
# Install the chain (root first, then the signed ca certificate) into ca.jks
keytool -keystore ca.jks -storepass password -importcert -trustcacerts -noprompt -alias root -file root.pem
keytool -keystore ca.jks -storepass password -importcert -alias ca -file ca.pem
# Client key pair; it must exist before its CSR can be generated (keytool prompts for the distinguished name)
keytool -genkeypair -alias client-rest -keyalg RSA -keysize 2048 -storetype JKS -keystore client-rest.jks -storepass client-rest -keypass client-rest -validity 3650 -ext SAN=dns:localhost,ip:127.0.0.1
# Sign the client's CSR with ca: ku=dig,keyEnc, SAN for localhost, eku=sa,ca (serverAuth and clientAuth)
keytool -keystore client-rest.jks -storepass client-rest -certreq -alias client-rest | keytool -keystore ca.jks -storepass password -gencert -alias ca -ext ku:c=dig,keyEnc -ext SAN=dns:localhost,ip:127.0.0.1 -ext eku=sa,ca -rfc > client-rest.pem
# Install the chain (root, ca) and then the signed client certificate into client-rest.jks
keytool -keystore client-rest.jks -storepass client-rest -importcert -trustcacerts -noprompt -alias root -file root.pem
keytool -keystore client-rest.jks -storepass client-rest -importcert -alias ca -file ca.pem
keytool -keystore client-rest.jks -storepass client-rest -importcert -alias client-rest -file client-rest.pem
```

To set up the trust, we need to import the intermediate CA certificate (ca.pem) into the server's trusted certificates and the server-rest certificate into the client-rest JKS. keytool prompts for the server-rest.jks password, which is not set on this page:

```shell
# Export the client certificate
keytool -export -alias client-rest -file client-rest.crt -keystore client-rest.jks
# Trust the intermediate ca in the server keystore: every certificate ca signs is now accepted
keytool -import -alias ca -file ca.pem -keystore server-rest.jks
# Importing the individual client certificate as well is optional once ca is trusted
keytool -import -alias client-rest -file client-rest.crt -keystore server-rest.jks
```

The resulting keystores as shown by `keytool -list` (first server-rest.jks, then client-rest.jks):

```
ca, 29/06/2019, trustedCertEntry, 
Fingerprint (SHA1) do certificado: 35:F6:DF:85:6D:56:46:5F:3E:9C:A2:F6:D5:87:62:15:AA:6C:23:95
server-rest, 29/06/2019, PrivateKeyEntry, 
Fingerprint (SHA1) do certificado: C5:C4:F6:79:BC:DD:BB:D6:05:8F:6A:C8:FA:7A:89:5D:BC:3D:3B:04
root, 29/06/2019, trustedCertEntry, 
Fingerprint (SHA1) do certificado: 7C:1D:3F:15:3B:00:8C:F9:B5:54:25:32:90:B6:BE:77:86:28:92:0A
```

```
ca, 29/06/2019, trustedCertEntry, 
Fingerprint (SHA1) do certificado: 35:F6:DF:85:6D:56:46:5F:3E:9C:A2:F6:D5:87:62:15:AA:6C:23:95
client-rest, 29/06/2019, PrivateKeyEntry, 
Fingerprint (SHA1) do certificado: BA:73:7F:AC:CB:D8:01:FA:40:12:14:2E:23:0E:58:58:B7:D4:8E:72
server-rest, 29/06/2019, trustedCertEntry, 
Fingerprint (SHA1) do certificado: C5:C4:F6:79:BC:DD:BB:D6:05:8F:6A:C8:FA:7A:89:5D:BC:3D:3B:04
```

Finally, convert the client keystore to PKCS12 so it can be imported into a browser:

```shell
keytool -importkeystore -srckeystore client-rest.jks -destkeystore client-rest.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass client-rest -deststorepass client-rest -srcalias client-rest -destalias client-rest -srckeypass client-rest -destkeypass client-rest -noprompt
```

PS. We have to import the keystore into the browser because, with two-way SSL, the browser becomes a client and needs to be authenticated too.
