Using wildcard ssl certificate for Spring Boot backend
I have acquired a wildcard SSL certificate from my hoster (Hoster X) for my domain, e.g. domain.com.
Now I have a Spring Boot Backend running on Server A (Not hosted at Hoster X, IP: 1.1.1.1, URL: api.domain.com) and my Frontend running on another Server B (Hosted at Hoster X, IP:2.2.2.2, URL app.domain.com).
The redirection of api.domain.com to the IP 1.1.1.1 is set via an A Resource Record in the DNS configuration of Hoster X because domain.com is registered here.
What's the general approach here to install the certificate on my Spring Boot Backend so that the communication between my Frontend and Backend is secured? Do I have to download the wildcard certificate to install it into the backends keystore? For what I can tell I can only configure the SSL certificate in my hosters menu on domains which are hosted on Hoster X Servers.
On the backend server, merge the private key file, the certificate file and the CA file into a pkcs12 keystore with openssl and the following command:
openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out <keystorefile> -name tomcat -CAfile <cacertfile> -caname root
You are prompted to enter a keystore password. Now copy the generated keystore file (extension 'p12') to the Spring Boot application's resources directory.
Now set the Spring Boot SSL configuration in the application.yml:
server:
port: 8443
# Spring SSL configuration
ssl:
enabled: true
key-store: classpath:keystore.p12
key-store-password: "<KeystorePassword>"
keyStoreType: PKCS12
keyAlias: tomcat
Alternatively, copy the keystore.p12 somewhere on the backend server and point to the location with the absolute path:
server:
ssl:
key-store: /path/to/keystore.p12
It is important to create an A Record in the DNS settings on the Frontend machine, so that all Frontend requests to the Backend go via a call to the domain and not the IP since the wildcard certificate is only valid for the domain.
- Why can't a malicious site obtain a CSRF token via GET before attacking?
- Resource of Cost of Declaring Variables and Scope
- SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application
- github Dependabot alert: Inefficient Regular Expression Complexity in nth-check
- Storing passwords to login to third party APIs
- How to best utilize ASP .NET Membership database?
- how to secure my website
- Understanding CSRF
- REST API from mobile app - Does securing the first call with a CAPTCHA make sense?
- How to disable access security notice "A Potential security concern has been identified"
- Addressing critical vulnerabilities in Maven dependencies
- IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'System.Text.StringBuilder'
- How can I obtain the user's Logon Session SID (e.g. S-1-5-5-X-Y) or otherwise verify RMF SC-23 Unique Identifiers in Windows
- Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- How can I skip old vulnerabilities and break only with new ones using Snyk scan on Azure DevSecOps?
- Generating a random password in php
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens
- Securely storing an access token
- Why does angular add ng-version attribute to the app-root html tag
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- Conditional Column-level permissions in PostgreSQL
- Embedding youtube video "Refused to display document because display forbidden by X-Frame-Options"
- How can I prevent SQL injection in PHP?
- IFrame security and CORS
- Should I impose a maximum length on passwords?
- <app> would like to access data from other apps - macOS Sonoma
- SELinux syntax error when optional is used inside a tunable_policy macro
- Generate cryptographically secure random numbers in php
- How to get through security error pages in the Firefox web browser?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?