Tags: spring, spring-boot, ssl, openssl, mutual-authentication

Spring Boot 3.4.1 SSLBundle with pem configuration inside application.yml


Development environment: Windows 10 x64 Pro, JDK 23, Spring Boot 3.4.1. I configured the Spring Boot SSLBundle with JKS successfully; now I want to try the Spring Boot SSLBundle with PEM (but I am not sure about it / not successful).

openssl -v
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)

I have the following (mimicking the openssl commands at https://medium.com/@branden.wheeler17/implementing-mutual-tls-with-a-custom-ca-using-openssl-and-golang-8e185ede77cb ):

File root-ca.cnf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_extensions
prompt = no

[req_distinguished_name]
C = CA
ST = .
L = .
O = .
OU = .
CN = Root CA

[v3_extensions]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign

File server.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions
prompt = no

[req_distinguished_name]
C = CA
ST = .
L = .
O = .
OU = .
CN = localhost

[v3_extensions]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1

File client.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions
prompt = no

[req_distinguished_name]
C = CA
ST = .
L = .
O = .
OU = .
CN = localhost

[v3_extensions]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1

openssl genrsa -out root-ca.key 4096
openssl req -x509 -new -nodes -key root-ca.key -sha256 -days 365 -config root-ca.cnf -out root-ca.crt
openssl req -new -nodes -newkey rsa:4096 -keyout server.key -out server.csr -config server.cnf
openssl req -new -nodes -newkey rsa:4096 -keyout client.key -out client.csr -config client.cnf
openssl x509 -req -in server.csr -copy_extensions=copy -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 365 -sha256
openssl x509 -req -in client.csr -copy_extensions=copy -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out client.crt -days 365 -sha256

keytool -genkey -alias myalias -keyalg RSA -keystore C:\Users\foobar\.keystore -storepass 12345678

result: [screenshot]

I have a server service with this application.yml:

server:
    port: 8000
    ssl:
        bundle: mygate
        client-auth: NEED
        enabled: true
spring:
    datasource:
        driver-class-name: com.mysql.cj.jdbc.Driver
        url: jdbc:mysql://localhost:3306/xx00y?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
        username: root
        password: bar
    ssl:
        bundle:
            pem:
                mygate:
                    # https://docs.spring.io/spring-boot/reference/features/ssl.html#features.ssl.pem
                    keystore:
                        certificate: C:\\foo\\server.crt
                        private-key: C:\\foo\\server.key
                    truststore:
                        certificate: C:\\foo\\root-ca.crt
                        private-key: C:\\foo\\root-ca.key
                    reload-on-update: true

#    security:
#        user:
#            name: user
#            password: user

and another service with this application.yml:

server:
  port: 8001
  ssl:
      bundle: n001
      client-auth: NEED
      enabled: true
spring:
    datasource:
        driver-class-name: com.mysql.cj.jdbc.Driver
        url: jdbc:mysql://localhost:3306/xx00z?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
        username: root
        password: Barbaa
    ssl:
        bundle:
            pem:
                n001:
                    keystore:
                        certificate: C:\\foo\\client.crt
                        private-key: C:\\foo\\client.key
                    truststore:
                        certificate: C:\\foo\\root-ca.crt
                        private-key: C:\\foo\\root-ca.key
                    reload-on-update: true
    jpa:
        hibernate:
          ddl-auto: create-drop
        properties:
          hibernate:
              format_sql: true
        show-sql: true
#    security:
#      user:
#          name: user
#          password: user

How do I configure mutual TLS with Spring Boot 3.4.1's SSLBundle (especially the truststore section) correctly?

Related https://docs.spring.io/spring-boot/reference/features/ssl.html#features.ssl.pem


Solution

  • Need one SSLBundle like this:

        ssl:
            bundle:
                pem:
                    mygate:
                        # https://docs.spring.io/spring-boot/reference/features/ssl.html#features.ssl.pem
                        keystore:
                            certificate: C:\\foo\\server.crt
                            private-key: C:\\foo\\server.key
                        truststore:
                            certificate: C:\\foo\\client.crt
                        reload-on-update: true
    

    Call the other service via mutual TLS:

    import org.springframework.boot.ssl.SslBundles;
    import org.springframework.boot.web.client.RestTemplateBuilder;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.client.RestTemplate;
    
    @Configuration
    public class RestTemplateConfig {
    
        @Bean(name = "mygate")
        public RestTemplate restTemplate(RestTemplateBuilder builder, SslBundles sslBundles) {
            return builder.sslBundle(sslBundles.getBundle("mygate")).build();
        }
    
    }
    

    The keystore of service-a is the truststore of service-b.

    The keystore of service-b is the truststore of service-a.
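The check I would run before touching the Spring configuration, as an added example that is not code from the question or the answer: rebuild a small PKI shaped like the asker's root-ca.cnf / server.cnf / client.cnf, then verify the issued certificates the way a PEM truststore holding only root-ca.crt does. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH and writes everything to a temporary directory; the config files are constructed reductions of the ones in the question, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: rebuild a small PKI shaped
# like the asker's root-ca.cnf / server.cnf / client.cnf and check the issued
# certificates the way a Spring PEM truststore holding only root-ca.crt will.
# Assumes: an `openssl` binary (1.1.1 or 3.x) on PATH; everything goes to a temp dir.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

# Constructed CA config, reduced from the question's root-ca.cnf.
write_ca_cnf() {
cat > root-ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = CA
CN = Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Constructed leaf config: $1 = output file, $2 = serverAuth or clientAuth.
# The EKU is the only thing that differs between the question's server.cnf and client.cnf.
write_leaf_cnf() {
cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_leaf
prompt = no
[dn]
C = CA
CN = localhost
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
}

# Same flow as the question's openssl commands (2048-bit keys to keep it quick).
# -extfile/-extensions copies the v3 block onto the issued cert on both 1.1.1 and 3.x,
# whereas the question's -copy_extensions=copy needs OpenSSL 3.
make_pki() {
  openssl genrsa -out root-ca.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key root-ca.key -sha256 -days 365 \
    -config root-ca.cnf -out root-ca.crt 2>/dev/null
  for name in server client; do
    openssl req -new -nodes -newkey rsa:2048 -keyout "$name.key" -out "$name.csr" \
      -config "$name.cnf" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA root-ca.crt -CAkey root-ca.key -CAcreateserial \
      -extfile "$name.cnf" -extensions v3_leaf -out "$name.crt" -days 365 -sha256 2>/dev/null
  done
}

# Extended key usage text of a cert, e.g. "TLS Web Server Authentication".
eku_of() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | sed -n '2p' | sed 's/^[[:space:]]*//'
}

# Exit 0 if $1 chains to root-ca.crt and is usable for purpose $2 (sslserver | sslclient):
# this is the check a truststore holding only the CA certificate performs on a peer.
trusted_for() {
  openssl verify -CAfile root-ca.crt -purpose "$2" "$1" >/dev/null 2>&1
}

# Inverse of trusted_for, for the negative cases.
rejected_for() {
  if trusted_for "$1" "$2"; then return 1; else return 0; fi
}

write_ca_cnf
write_leaf_cnf server.cnf serverAuth
write_leaf_cnf client.cnf clientAuth
make_pki

# The CA private key is needed only to issue certificates. Deleting it before verifying
# shows that a truststore needs root-ca.crt alone, never root-ca.key.
rm -f root-ca.key

echo "server.crt EKU: $(eku_of server.crt)"
echo "client.crt EKU: $(eku_of client.crt)"
for pair in "server.crt sslserver" "client.crt sslclient" "client.crt sslserver"; do
  set -- $pair
  if trusted_for "$1" "$2"; then echo "$1 accepted as $2"; else echo "$1 rejected as $2"; fi
done
```

Two things this shows about the YAML above: a truststore entry carries certificates only, so the `private-key: C:\\foo\\root-ca.key` line from the question has no place there, and trusting root-ca.crt accepts any certificate the CA issued for the right purpose, while the answer's truststore with client.crt pins that single peer; both work, the former scales to more services. The last loop iteration also shows why client.cnf carries `clientAuth` and server.cnf `serverAuth`: a clientAuth-only certificate is rejected outright as a server certificate.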