
Strauteka/webflux-server-client-tls


Spring Boot Server - client tls

Reactive Ping-pong with two-way ssl

This example was created in a Windows environment, so changes may be required to run it on other platforms. In docker.sh, winpty is used so that Docker on Windows can run with the -i flag.

To create a CA-signed certificate you can follow tutorials on the web:
Azure example 1
Azure example 2

Self-signed certificate with java keytool for .jks

Run run.sh

Or create the certs folder by hand:
mkdir certs
cd certs

Generate the server's self-signed certificate for localhost
keytool -keystore serverkeystore.jks -alias testserver -genkey -keyalg RSA -validity 365 -dname "CN=testserver, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass ishallpassserver -storepass ishallpassserver -ext san=dns:localhost,ip:127.0.0.1

Generate the client's self-signed certificate
keytool -keystore clientkeystore.jks -alias clientKey -genkey -keyalg RSA -validity 365 -dname "CN=testserver, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass ishallpassclient -storepass ishallpassclient

Export the public part of the server's key (its certificate)
keytool -export -alias testserver -keystore serverkeystore.jks -file testserver.crt -keypass ishallpassserver -storepass ishallpassserver

Import the exported server .crt into the client keystore
keytool -keystore clientkeystore.jks -import -alias testserver -file testserver.crt -trustcacerts -keypass ishallpassserver -storepass ishallpassclient -noprompt

For two-way ssl

Export the public part of the client's key to a .crt

keytool -export -alias clientKey -keystore clientkeystore.jks -file testclient.crt -keypass ishallpassclient -storepass ishallpassclient

In some setups the server requires its own CA certificate in its truststore; that is not the case here.

Create the server truststore from the client .crt
keytool -import -alias clientAlias -file testclient.crt -keystore servertruststore.jks -storepass ishallpasstruststore -noprompt

Other

View client .jks
keytool -list -v -keystore clientkeystore.jks -storepass ishallpassclient

Delete alias
keytool -delete -alias testserver -keystore clientkeystore.jks -storepass ishallpassclient

Change an alias
keytool -changealias -alias "testserver" -destalias "testserverChanged" -keystore serverkeystore.jks -keypass ishallpassserver -storepass ishallpassserver

You can allow the https://127.0.0.1:8080/ping API to be used from a browser (which has no client certificate) by setting the property server.ssl.client-auth=want instead of need.
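To show how the keystores generated above are consumed on the client side of the ping-pong, here is an added example (not the repository's own code) of a WebFlux WebClient configured for two-way TLS through Reactor Netty. It assumes the certs/ paths, aliases and passwords from the keytool commands above, that it runs from the repo root, and a spring-boot-starter-webflux dependency.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class MutualTlsPingClient {
    // Paths and passwords are taken from the keytool commands above (assumed: run from the repo root).
    private static final String CLIENT_KEYSTORE = "certs/clientkeystore.jks";
    private static final char[] CLIENT_PASSWORD = "ishallpassclient".toCharArray();

    public static WebClient build() throws Exception {
        // clientkeystore.jks holds the client's own key pair (alias clientKey) and the
        // imported server certificate (alias testserver), so one store is both key and trust material.
        KeyStore clientKeyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(CLIENT_KEYSTORE)) {
            clientKeyStore.load(in, CLIENT_PASSWORD);
        }
        // Presents the client certificate when the server asks for it (server.ssl.client-auth=need or want).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeyStore, CLIENT_PASSWORD); // -keypass equals -storepass in the commands above

        // Trust anchors come from this store's certificate entries, i.e. the imported testserver
        // certificate; the JDK cacerts bundle is not consulted at all.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(clientKeyStore);

        SslContext sslContext = SslContextBuilder.forClient()
                .keyManager(kmf)
                .trustManager(tmf)
                .build();
        HttpClient httpClient = HttpClient.create().secure(spec -> spec.sslContext(sslContext));

        return WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .baseUrl("https://localhost:8080")
                .build();
    }

    public static void main(String[] args) throws Exception {
        // The host name must match the SAN (dns:localhost, ip:127.0.0.1) set on the server certificate.
        System.out.println(build().get().uri("/ping").retrieve().bodyToMono(String.class).block());
    }
}
```

If the server runs with server.ssl.client-auth=need and the client keystore lacks the clientKey entry, the handshake fails with a bad_certificate alert rather than an HTTP error.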

Run cert.sh to generate the localhost demo certificates
Run jar.sh to compile and extract the .jar for the Docker image
Run docker.sh to create the Docker image and run the container
Or run docker-compose:
docker-compose -p test up --force-recreate --build
Make sure the ip value of the certificate's -ext san flag is set correctly for the address you connect to

To change the certs inside the container
docker run -v /host/path/to/certs:/container/path/to/certs -d IMAGE_ID "update-ca-certificates"