{"id":112,"date":"2016-03-17T19:30:16","date_gmt":"2016-03-17T18:30:16","guid":{"rendered":"http:\/\/www.underealm.com\/tech\/?p=112"},"modified":"2020-05-13T22:54:20","modified_gmt":"2020-05-13T20:54:20","slug":"migraine-free-java-ssl-management","status":"publish","type":"post","link":"https:\/\/www.underealm.com\/tech\/2016\/03\/migraine-free-java-ssl-management\/","title":{"rendered":"Migraine free Java SSL management"},"content":{"rendered":"\n<p>I recently had the need to turn a Java web application into SSL only. While the configuration is almost painless (<code>-Dhttps.port=443 -Dhttp.port=disabled<\/code>), the certificate management wasn&#8217;t quite as effective, due to a certain lack of clear documentation (where have I heard that again?).<\/p>\n\n\n\n<p>We start by assuming you already have your OpenSSL-generated key\/crt files, because that&#8217;s what happened here, but stay tuned:<\/p>\n\n\n\n<pre class=\"wp-block-code nums:false\"><code>$ openssl pkcs12 -export -in CertificateChain.pem -inkey Certificate.key -out Certificate.pkcs12 -name HostAlias -noiter -nomaciter<\/code><\/pre>\n\n\n\n<p>With this done you have a PKCS12 KeyStore you can use for the web server, much like the PEM\/KEY you would use in Apache. 
Then, you use this configuration to properly load it:<\/p>\n\n\n\n<pre class=\"wp-block-code nums:false\"><code>-Dhttps.keyStoreType=PKCS12 -Dhttps.keyStore=\/absolute\/path\/to\/certificate.pkcs12 -Dhttps.keyStorePassword=KeyStorePassword<\/code><\/pre>\n\n\n\n<p>It may seem like nothing, but the <strong>keyStoreType<\/strong> part made the difference between a proper certificate chain and an unsigned chain localhost\/localhost, which caused me a major migraine for the good part of an afternoon.<\/p>\n\n\n\n<p>With this said and done you can start the application\/server and see to it that the certificate now lists itself properly and with all the needed CAs attached to it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently had the need to turn a Java web application into SSL only. While the configuration is almost painless (-Dhttps.port=443 -Dhttp.port=disabled), the certificate management wasn&#8217;t quite as effective, due to a certain lack of clear documentation (where have I heard that again?). 
We start assuming you already have your OpenSSL generated key\/crt files, because [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-112","post","type-post","status-publish","format-standard","hentry","category-sysad"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/112"}],"collection":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/comments?post=112"}],"version-history":[{"count":4,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/112\/revisions"}],"predecessor-version":[{"id":172,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/112\/revisions\/172"}],"wp:attachment":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/media?parent=112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/categories?post=112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/tags?post=112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}