Self-Signed Certificates in Spring-Boot

I'm trying to get a Spring-Boot server up and running, which provides some security via SSL. I followed steps 1 and 2 of this guide to get a self-signed certificate and am able to access my site via https. The application.properties looks like this:

server.port=8443
server.ssl.keyStore=classpath:keystore.p12
server.ssl.keyStorePassword=youd_want_to_know
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=hs

keystore.p12 was generated with

$ keytool -genkey -alias hs -storetype PKCS12 \
-keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650

Except for the password I didn't enter anything, all fields are "Unknown".

However, the lock in the browser isn't green. The detail message says

There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

The plus-side:

Secure TLS connection
The connection to this site is using a strong protocol version and cipher suite.
Secure Resources
All resources on this page are served securely.

I guess in plain text it means that the data is transported securely, but the browser isn't fully happy with the certificate in terms of it can't track the authenticity. Therefore, I understand that this isn't worthy for production (and for now it doesn't need to be).

But, is it safe and secure for me since I own the server and know that I created the self-signed certificate myself? Or are there ways to turn this into a certificate that the browser is happy with? What do I need to do to make that work and what would the Spring-Boot configuration look like?

sjngm asked Oct 19 '16 17:10


2 Answers

That's how the browser is supposed to behave. As long as you (or rather, browsers you or your organization owns) are the only consumers of your website, you are fine. But once you want to on-board other consumers you might need to get your certificate signed by a certificate provider.

KingJulien answered Nov 14 '22 05:11


In this case the communication between browser and server is still vulnerable to a man-in-the-middle attack, so this is not really "secure & safe".

Dapeng answered Nov 14 '22 03:11

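Both answers turn on who trusts the certificate: the connection is only as safe as the trust decision the client makes. As an added example (not from either answerer or the question), this Java 11 HttpClient trusts exactly the one self-signed certificate from the question instead of disabling verification, so a swapped certificate fails the handshake. It assumes a hypothetical truststore.p12 built from the exported "hs" certificate with a placeholder password, the server on localhost:8443, and a key pair regenerated with -ext SAN=dns:localhost, because the all-"Unknown" certificate carries no hostname and fails hostname verification.

```java
// PinnedClient.java (added example): trust one self-signed certificate and nothing else.
// Build the truststore once from the server keystore (hypothetical file names):
//   keytool -exportcert -alias hs -keystore keystore.p12 -storetype PKCS12 -rfc -file hs.pem
//   keytool -importcert -noprompt -alias hs -file hs.pem -keystore truststore.p12 -storetype PKCS12
// Only the public certificate goes to clients; the private key stays in keystore.p12.
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;

public class PinnedClient {

    /** Build an SSLContext whose only trust anchor is the certificate in the given PKCS12 truststore. */
    static SSLContext trustOnly(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        // The PKIX trust manager is initialised from this keystore alone, so the JVM's
        // bundled public CAs are deliberately NOT trusted by this client.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // "changeit" is a placeholder password for the constructed truststore.
        SSLContext ctx = trustOnly(Path.of("truststore.p12"), "changeit".toCharArray());
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://localhost:8443/")).GET().build();
        // If the server presents any other certificate (even one signed by a public CA),
        // send() throws an SSLHandshakeException instead of returning a response.
        // Hostname verification stays enabled, hence the SAN=dns:localhost requirement.
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println("status " + resp.statusCode());
    }
}
```

Pinning the certificate this way closes the man-in-the-middle gap for clients you control; other people's browsers still need a certificate chaining to a CA they already trust.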