Self-signed https server certificates: one certificate for both nginx and a spring boot application, and how to stop Chrome's security warning

Keywords: SSL Nginx Spring OpenSSL

Reference links: "Self-issued ssl certificate"; "[spring boot] configure ssl certificate to implement https"

1. Generating the nginx certificate and resolving the chrome security warning

  • 1. Install openssl (1.1.1 or later; the commands below also work with 3.x).
  • 2. Generate the root CA certificate and its private key. -nodes writes CA-private.key unencrypted, so restrict its permissions (chmod 600) and keep it off the servers: anyone holding this key can mint certificates that every client trusting the CA will accept. The CN is optional but is what the trust store will display.
openssl req -x509 -nodes -days 1461 -newkey rsa:2048 -sha256 -subj "/C=CN/ST=MyProvince/L=MyCity/O=MyOrganization/CN=My Root CA" -keyout CA-private.key -out CA-certificate.crt -extensions v3_ca
  • 3. Generate the server private key
openssl genrsa -out private.key 2048
  • 4. Generate the server certificate (this is the step that resolves the Chrome warning). With the CA trusted, a certificate that carries the host only in its Common Name is shown as secure by Edge and Firefox, but Chrome still reports NET::ERR_CERT_COMMON_NAME_INVALID: since Chrome 58 the browser matches the host against the Subject Alternative Name extension only and ignores the CN, so the SAN has to be set when the certificate is signed. It must list every name or address clients will type (DNS:hostname for names, IP:address for literal addresses). Extension file:
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = SAN
[ req_distinguished_name ]
countryName         = CN
stateOrProvinceName = MyProvince
localityName        = MyCity
organizationName    = MyOrganization
# Only this section is read, by "openssl x509 -extfile private.ext -extensions SAN" when the CSR is signed.
[ SAN ]
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
# serverAuth is required by macOS/iOS for TLS server certificates
extendedKeyUsage       = serverAuth
# comma-separated, e.g. IP:123.123.123.123,DNS:app.example.internal
subjectAltName         = IP:123.123.123.123

5. Save the above as private.ext. The signing command reads private.csr, a certificate signing request that the steps above never create: generate it from the server key first (openssl req -new -key private.key -out private.csr, with the same -subj as used for the CA), then sign it with the CA:

openssl x509 -req -days 825 -in private.csr -CA CA-certificate.crt -CAkey CA-private.key -CAcreateserial -sha256 -out private.crt -extfile private.ext -extensions SAN

The leaf gets a shorter validity than the 1461 days used for the CA: macOS 10.15 / iOS 13 and later reject any TLS server certificate valid for more than 825 days, including ones issued by a private CA. Before deploying, run openssl x509 -in private.crt -noout -text and confirm that the X509v3 Subject Alternative Name line is present and lists the address or host name clients will use.
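The whole of section 1 as one runnable script, added here as an example and not code from the original post: it creates the private CA, the server key, the CSR that the post's step list leaves out, and a CA-signed leaf certificate with a subjectAltName, then verifies the result the way a browser would (chain to the CA, name present in the SAN). File names and subjects follow the post; the host name app.example.internal, the CA's CN and the use of a private OpenSSL config instead of the system openssl.cnf are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a private CA, a
# server key, a CSR and a SAN-bearing leaf certificate, then checks them.
set -eu

# make_certs DIR SAN_LIST
#   DIR       working directory, created if missing
#   SAN_LIST  subjectAltName value, e.g. "IP:123.123.123.123,DNS:app.example.internal"
make_certs() {
  local dir=$1 san=$2
  mkdir -p "$dir"
  (
    cd "$dir"
    # Self-contained OpenSSL config (assumption: the post relies on the
    # system openssl.cnf instead). v3_ca marks the root as a CA, which
    # "openssl verify" and browsers require; SAN is the server profile.
    cat > private.ext <<EOF
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
countryName        = CN
organizationName   = MyOrganization
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
[ SAN ]
basicConstraints       = CA:FALSE
authorityKeyIdentifier = keyid, issuer
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = ${san}
EOF
    # 1. Root CA, 4 years. -nodes leaves the CA key unencrypted: restrict it.
    openssl req -x509 -nodes -days 1461 -newkey rsa:2048 -sha256 \
      -config private.ext -extensions v3_ca \
      -subj "/C=CN/ST=MyProvince/L=MyCity/O=MyOrganization/CN=My Root CA" \
      -keyout CA-private.key -out CA-certificate.crt
    chmod 600 CA-private.key
    # 2. Server key.  3. CSR (the step the post's list omits).
    openssl genrsa -out private.key 2048
    openssl req -new -key private.key -config private.ext \
      -subj "/C=CN/ST=MyProvince/L=MyCity/O=MyOrganization/CN=app.example.internal" \
      -out private.csr
    # 4. Sign with the CA and apply the SAN profile. 825 days is the longest
    #    validity Apple clients accept for a TLS server certificate.
    openssl x509 -req -days 825 -sha256 -in private.csr \
      -CA CA-certificate.crt -CAkey CA-private.key -CAcreateserial \
      -extfile private.ext -extensions SAN -out private.crt
  )
}

# check_cert DIR NAME -> 0 when private.crt chains to the CA and NAME appears
# in its SAN, written as openssl prints it: "DNS:host" or "IP Address:1.2.3.4".
check_cert() {
  openssl verify -CAfile "$1/CA-certificate.crt" "$1/private.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$1/private.crt" -noout -text)
  case $text in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Example run (the address must be the one nginx listens on):
#   make_certs ./ssl "IP:168.130.1.31,DNS:app.example.internal"
#   check_cert ./ssl "IP Address:168.130.1.31" && echo "certificate OK"
```

After running it, private.crt and private.key go to nginx and CA-certificate.crt (never private.key or CA-private.key) goes into the client trust store. check_cert fails for a name that is only in the CN, which is exactly the case Chrome rejects.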
  • The nginx configuration is as follows. Note that this server listens on 168.130.1.31 while the extension file above puts 123.123.123.123 in the SAN; the SAN must contain the address or host name that is actually typed into the browser, otherwise Chrome keeps warning.
server {
    # "ssl on" was deprecated in nginx 1.15 and removed in 1.25; the ssl
    # parameter on listen replaces it.
    listen       168.130.1.31:4443 ssl;
    server_name  localhost;
    ssl_certificate      /usr/local/nginx/ssl/private.crt;
    ssl_certificate_key  /usr/local/nginx/ssl/private.key;
    ssl_protocols        TLSv1.2 TLSv1.3;
    # 497: a plain-http request arrived on the https port; send it back over
    # https on the same port (the original redirect dropped the port)
    error_page 497  https://$host:$server_port$request_uri;

    location / {
        root   html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
    }
}

After installing CA-certificate.crt (the root, not the leaf private.crt) as a trusted root certificate on Windows or macOS and restarting the browser, the page or API served by nginx loads without a warning. Trusting the root means trusting every certificate it signs, which is why CA-private.key must stay protected.

2. Configuring https for the spring boot application with the certificate generated above

  • Java expects its key material in a keystore, usually PKCS#12 (.p12) or the older JKS, so the PEM files have to be converted. Taking PKCS#12 as the example:
openssl pkcs12 -export -clcerts -in private.crt -inkey private.key -out server.p12

This produces server.p12, a keystore holding the private key and certificate that spring boot can load directly. openssl prompts for an export password during conversion; spring boot needs the same password to open the store. Adding -certfile CA-certificate.crt would bundle the CA chain as well, and -name would give the entry a readable alias instead of the default shown below.

  • Use keytool to find the alias of the entry
keytool -list -keystore server.p12

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

1, 2018-7-17, PrivateKeyEntry,
Certificate fingerprint (SHA1): *******************************************************
The "1" at the start of the entry line is the alias: openssl assigns no friendlyName when -name is omitted on export, so Java numbers the entry, and this is the value the key alias in the spring boot configuration must reference. (Java 8 reports the type as JKS because its default keystore reads both formats; on Java 9 and later keytool reports PKCS12.)
  • Copy server.p12 into src/main/resources and configure application.yml as follows (kebab-case property names are the documented form; the camelCase spellings keyAlias and keyStoreType also work through relaxed binding). The alias is quoted so YAML does not read it as a number. Do not commit the real password: reference it as ${KEYSTORE_PASSWORD} and supply it from the environment or a secrets store, and bear in mind that a keystore on the classpath ships inside the jar, so anyone with the jar has the private key.
server:
  ssl:
    key-store: classpath:server.p12
    key-store-password: 123456
    key-store-type: PKCS12
    key-alias: "1"
    protocol: TLS
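The conversion and alias check above, as an added shell example that is not code from the original post: it exports the key and certificate to PKCS#12 with an explicit alias and the CA chain, taking the export password from an argument rather than a prompt, and reads the alias back with openssl (keytool -list shows the same value). The alias "server", the directory layout and the throwaway self-signed fallback pair are assumptions; when section 1's private.key, private.crt and CA-certificate.crt exist in the directory they are used instead.

```shell
#!/bin/sh
# Added example (not from the original post): PKCS#12 export for Spring Boot
# and a check of the alias Spring Boot's key-alias property must reference.
set -eu

# make_p12 DIR PASSWORD ALIAS -> writes DIR/server.p12
make_p12() {
  local dir=$1 pass=$2 alias=$3
  mkdir -p "$dir"
  (
    cd "$dir"
    # Stand-alone fallback: a constructed, throwaway self-signed pair, used
    # only when the CA-signed files from section 1 are not present.
    if [ ! -f private.key ]; then
      openssl req -x509 -nodes -newkey rsa:2048 -days 825 -sha256 \
        -subj "/CN=app.example.internal" -keyout private.key -out private.crt
    fi
    # -name sets the keystore alias (without it Java shows "1", as in the
    # post's keytool listing); -passout takes the export password from the
    # argument so it can come from an environment variable, not a prompt.
    set -- -export -in private.crt -inkey private.key -name "$alias" \
           -out server.p12 -passout "pass:$pass"
    # Bundle the issuing CA when available so the chain travels with the key.
    if [ -f CA-certificate.crt ]; then set -- "$@" -certfile CA-certificate.crt; fi
    openssl pkcs12 "$@"
    chmod 600 server.p12
  )
}

# p12_alias DIR PASSWORD -> prints the alias (friendlyName) of the entry,
# or nothing when the store cannot be opened (wrong password, damaged file).
p12_alias() {
  openssl pkcs12 -in "$1/server.p12" -nokeys -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Example run, password taken from the environment (assumed variable name):
#   make_p12 ./ssl "$KEYSTORE_PASSWORD" server
#   p12_alias ./ssl "$KEYSTORE_PASSWORD"     # prints: server
```

If an older JDK refuses to open a store written by OpenSSL 3.x, the cause is the newer default encryption of the PKCS#12 file; adding -legacy to the export command falls back to the algorithms older Java accepts.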

At this point nginx and the spring boot application present the same https certificate, and any Windows or macOS client that has CA-certificate.crt in its trusted root store accepts both without a warning.

Posted by djjjozsi on Mon, 07 Jan 2019 15:06:09 -0800