# Setting up HTTPS in Spring Boot

## 1. Obtain an SSL certificate

Generate a PKCS12 keystore that holds a self-signed certificate together with its private key. This is fine for local development; a production server should use a certificate issued by a CA (see the Note section on certificate file formats):

```console
keytool -genkeypair -alias localhost -keyalg RSA -keysize 4096 -storetype PKCS12 -keystore keystore.p12 -validity 3650 -storepass password
```

## 2. Enable HTTPS in Spring Boot

Put the generated `keystore.p12` into `src/main/resources` of the project and refresh the project, then add the following to `application.properties`:

```properties
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=localhost
server.ssl.key-password=password
```

Restart the application and it now accepts HTTPS connections. `server.ssl.key-password` protects the private key inside the keystore; keytool reuses the store password for it unless `-keypass` was given, which is why both values are `password` here. Do not commit the keystore password to version control; supply `server.ssl.key-store-password` through an environment variable or an externalised configuration file instead.

## 3. Distribute the SSL certificate to clients

Export the certificate (`.crt` or `.cer`) from the `keystore.p12` generated above. Only the public certificate is exported; the private key stays in the keystore:

```console
keytool -export -keystore keystore.p12 -alias localhost -file localhost.crt
```

Use the resulting `localhost.crt` to create `truststore.p12`. Pass `-storetype PKCS12` explicitly (on JDK 8 keytool would otherwise create a JKS store despite the `.p12` file name) and a `-storepass` that matches the `trust.store.password` property configured below. keytool asks `Trust this certificate? [no]:` and expects `yes`:

```console
keytool -import -alias localhost -file localhost.crt -keystore truststore.p12 -storetype PKCS12 -storepass password
```

### Frontend

Put `truststore.p12` into the frontend project and configure it in `application.properties`:

```properties
trust.store=classpath:truststore.p12
trust.store.password=password
```

Override the default `RestTemplate` bean so that requests to the backend's HTTPS endpoint are verified against the certificate in the truststore instead of the JVM's default CA store.

**Config**

```java
import javax.net.ssl.SSLContext;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class RestTemplateConfig {

    @Value("${trust.store}")
    private Resource trustStore;

    @Value("${trust.store.password}")
    private String trustStorePassword;

    @Bean
    public RestTemplate restTemplate() throws Exception {
        // Trust only the certificates contained in truststore.p12.
        // Resource.getURL() also works when the truststore is packaged inside a jar,
        // where Resource.getFile() would throw FileNotFoundException.
        SSLContext sslContext = new SSLContextBuilder()
                .loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray())
                .build();

        // NoopHostnameVerifier disables hostname verification: any certificate in the
        // truststore is accepted for any host. Tolerable for local development only;
        // switch to DefaultHostnameVerifier once the certificate carries a matching SAN/CN.
        SSLConnectionSocketFactory socketFactory =
                new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);

        HttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .build();

        HttpComponentsClientHttpRequestFactory factory =
                new HttpComponentsClientHttpRequestFactory(httpClient);
        return new RestTemplate(factory);
    }
}
```

**Service**

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;

@Service
public class SomeService {

    @Autowired
    private RestTemplate restTemplate;

    public void someMethod() {
        String uri = "https://xx.net/api/v2/somemethod";
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setContentType(MediaType.APPLICATION_JSON);
        // getForObject() would ignore the headers built above; exchange() sends them.
        String result = restTemplate
                .exchange(uri, HttpMethod.GET, new HttpEntity<>(httpHeaders), String.class)
                .getBody();
        System.out.println("Result " + result);
    }
}
```

## Localhost on https://\<my domain>

### Step 1: Generate the certificate

```console
keytool -genkeypair -alias kanban -keyalg RSA -keysize 4096 -storetype PKCS12 -keystore kanban.p12 -validity 3650 -storepass password
```

### Step 2: Set the CN (commonName) to the domain name

keytool prompts for the distinguished name; the answer to "first and last name" becomes the CN and must equal the hostname the browser will connect to (`kanban`):

```console
What is your first and last name?
  [Unknown]:  kanban
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=kanban, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
```

Current browsers (Chrome since version 58, Firefox likewise) ignore the CN and only match the hostname against the Subject Alternative Name extension, so add `-ext SAN=dns:kanban` to the `keytool -genkeypair` command in Step 1; `-dname "CN=kanban"` skips the interactive prompt entirely.

### Step 3: Import the certificate

Copy the generated keystore into `/src/main/resources` of the project and add the following to `application.properties`:

```properties
server.port=8443
server.ssl.key-store=classpath:kanban.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=kanban
server.ssl.key-password=password
```

### Step 4: Edit the hosts file

Add the line below to the `hosts` file in `C:\Windows\System32\drivers\etc`. A normal user cannot save that file, so open Notepad as Administrator first and then open `hosts` through File > Open:

```console
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 kanban
```

### Step 5: Test the connection

Open https://kanban:8443/cards in the browser. Because the certificate is self-signed, the browser still shows a certificate warning until the certificate exported from `kanban.p12` is added to the operating system or browser trust store.

---

## Note

### Certificate file formats

- Private key: `blog.rsync.tw.key`
- Certificate issued by the certificate authority: `name.crt`
- Intermediate certificate: `ca_name.crt` or `ca_name.pem`

### KeyStore vs. TrustStore

* KeyStore: holds your own private key(s) and the matching certificate chain; the server presents this identity during the TLS handshake and uses the key to sign and decrypt.
* TrustStore: holds the certificates (of CAs or individual peers) that you trust; the client uses it to verify the certificate presented by the other side.

---

## Reference

- [How to enable HTTPS in a Spring Boot Java application](https://www.thomasvitale.com/https-spring-boot-ssl-certificate/)
- [keyStore 和 trustStore](https://www.itread01.com/p/845566.html)
- [keytool生成keystore、truststore、證書](https://www.itread01.com/content/1550273073.html)

###### tags: `tutorials`
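The Frontend configuration in section 3 pins the backend certificate in `truststore.p12` but then installs `NoopHostnameVerifier`, which accepts any certificate in the truststore for any host; the same hostname question comes back in the "Localhost on https://\<my domain>" section, where the certificate's CN/SAN must match the name in the hosts file. The `@Configuration` below is an added example, not code from the original page: it loads the truststore through the resource stream, runs Apache HttpClient's `DefaultHostnameVerifier` against the pinned certificate for the configured backend host once at startup (so a certificate generated for `localhost` but used for `kanban` fails at bean creation instead of on every request), and builds the `RestTemplate` with that verifier and TLS 1.2+. It assumes Spring Boot 2.x with Apache HttpClient 4.5, the same libraries the page's config uses, a truststore created with the keytool commands of section 3, and two properties that the page does not define, `backend.cert.alias` and `backend.host`. For the verifier to pass, the server certificate should be generated with `-ext SAN=dns:<host>`; HttpClient 4.5 falls back to the CN only when the certificate has no SAN at all.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class PinnedRestTemplateConfig {

    @Value("${trust.store}")
    private Resource trustStore;

    @Value("${trust.store.password}")
    private String trustStorePassword;

    // Assumed properties (not part of the original page): the alias under which the
    // backend certificate was imported into truststore.p12, and the hostname the
    // client actually connects to (e.g. "localhost" or "kanban").
    @Value("${backend.cert.alias:localhost}")
    private String backendAlias;

    @Value("${backend.host:localhost}")
    private String backendHost;

    @Bean
    public RestTemplate restTemplate() throws Exception {
        KeyStore trust = loadTrustStore();

        // Fail fast: run the same verifier HttpClient will apply during the TLS
        // handshake against the pinned certificate. A certificate whose SAN/CN does
        // not match backend.host throws javax.net.ssl.SSLException here, so the
        // application refuses to start instead of failing on every request later.
        X509Certificate backendCert = (X509Certificate) trust.getCertificate(backendAlias);
        if (backendCert == null) {
            throw new IllegalStateException(
                    "alias '" + backendAlias + "' not found in " + trustStore.getDescription());
        }
        DefaultHostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();
        hostnameVerifier.verify(backendHost, backendCert);

        // Null TrustStrategy: trust exactly the certificates in the truststore,
        // not the JVM's default cacerts.
        SSLContext sslContext = new SSLContextBuilder()
                .loadTrustMaterial(trust, null)
                .build();

        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2", "TLSv1.3"}, // TLSv1.3 requires JDK 11+ (or 8u261+)
                null,                                // JVM default cipher suites
                hostnameVerifier);                   // real hostname check, not NoopHostnameVerifier

        HttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
    }

    private KeyStore loadTrustStore() throws Exception {
        // Read via the Resource stream rather than Resource.getFile(), which throws
        // FileNotFoundException once the application is packaged as an executable jar.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = trustStore.getInputStream()) {
            ks.load(in, trustStorePassword.toCharArray());
        }
        return ks;
    }
}
```

With this bean in place the page's `SomeService` code needs no change; the difference is only visible when the certificate and the host disagree, in which case the context refuses to start with an `SSLException` naming the host and the names found in the certificate, which is exactly the mismatch that `NoopHostnameVerifier` would have hidden.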