I have a .pem certificate which I have to use in my spring boot application. Now, since java does not understand .pem format, I am converting it to .p12 format.
Since, we already have a .pem certificate which is not protected by any password, I am trying to avoid password for .p12 too.
I created two .p12 files, one is with password using below command :
openssl x509 -signkey sslcert.key -in sslcert.csr -req -days 365
-out sslcert.pem
And another without password using below command :
openssl pkcs12 -inkey sslcert.key -in sslcert.pem -export -passout
pass: -nokeys -out sslcert.p12
And I am able to get the results successfully using the one with password using the below properties in spring boot application :
server.port=8443
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=keys/sslcert.p12
server.ssl.key-store-password=password
But when I am trying to use the one without password which is my preference, I am getting sslhandshake exception.
And also, I am not able to figure out how to pass this information to spring boot that ssl is not password protected.
SO far I tried many combinations like not passing password property or keeping it empty but it failed in all cases.
server.port=8443
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=keys/sslcert.p12
I am getting below exception :
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:864)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:515)
at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:331)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:243)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.lang.Thread.run(Unknown Source)
SO, can any one throw some light on how to use non-password protected .p12 certificate in spring boot.
All googles articles seems to be telling about the password propected. SO is it a mandatory thing in java?
So after all the research, it seems java key store needs a password. So I had to ignore the .p12 which we had without password. And using the pem certificate, we converted it to .p12 with password. And I am doing this from spring code where I am passing random password to shell script which generates .p12 from .pem using that password.
And then I am passing the same password to ssl properties from the code.
one drawback is I have to regenerate .p12 from .pem every time application is restarted but this is how I prevent static password.