Enabling SSL with Spring Boot

It is possible to enable SSL when running a Spring Boot application, without having to rely on a proxy like Nginx. However, the Spring Boot documentation on this subject is a bit scarce and I wanted to document the whole process.

In this first article, I'll document only the use of self-signed certificates, and in a future article, I'll do the same for real certificates, suitable for production.

The first step is to generate a key to be used for the SSL configuration. For example:

keytool -genkey -alias ontrack -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650 \  
    -dname "CN=Damien Coraboeuf, OU=Ontrack, O=Nemerosa, L=Brussels, ST=Unknown, C=BE" \
    -keypass ontrack \
    -storepass ontrack

The passwords do not really matter here since such a key should be used only for internal tests purpose.

This generates a keystore.p12 file which we will reuse later.

I had to explicitely use the PKCS12 format for the key store file. Using the default JKS format was not suitable to be used with the embedded version of Tomcat in Spring Boot.

Provide an application.yml file for your application, either inside the JAR (not recommended) or in the installation directory of your application (better). See the Spring Boot documentation for the different available locations.

Set the content of this file to:

server:  
  port: 443
  ssl:
    enabled: true
    key-alias: ontrack
    key-store: "keystore.p12"
    key-store-type: PKCS12
    key-store-password: ontrack
    key-password: ontrack

The key-store parameter refers to the path to the keystore.p12 file ; if you put it at the same level than your application JAR at runtime, this relative path is enough, but it could be in any other location.

And... that's it!

When you start your application, it will bind to port 443 and you just have to access it using https://localhost

You still have to accept the invalid certificate warnings in your browser though...

I'll explain in a future article how to do the same configuration with real-life certificates.