This is a sample Spring Boot project that configures an javax.net.ssl.SSLContext
object with two-way SSL using a keystore and an optional truststore.
The javax.net.ssl.SSLContext
object then can be used to create SOAP clients, REST clients, etc. that need 2-way SSL.
I found that below library is more robust for creating KeyStore
objects in Java than using the JDK's mechanism:
<dependency>
<groupId>ca.juliusdavies</groupId>
<artifactId>not-yet-commons-ssl</artifactId>
<version>0.3.11</version>
</dependency>
To configure 2-way SSL, we need to edit the src/main/resources/application.yaml
config file:
ssl:
enable2way: true
overrideDefault: true
keystore:
path: /keystore.jks
password: password
truststore:
path: /truststore.jks
password: password
To disable 2-way SSL, change the ssl.enable2way
config property to false
.
When ssl.overrideDefault
config property is set to true
, our 2-way SSL SSLContext
object will be set as the default (calling SSLContext.setDefault()
).
Both the keystore and truststore paths accept classpath and filesystem paths. In this sample, both of them are using the classpath as the files are under src/main/resources
.
The com.kaviddiss.twowayssldemo.config.TwoWaySSLConfig
class is responsible for setting up 2-way SSL.
It loads the keystore and the optional truststore (if ssl.truststore.path
is empty, the code will trust all certs when doing SSL handshake with a third-party service).
> keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
For more details, see https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-using-java-keytool.html.
See https://www.wikihow.com/Export-Certificate-Public-Key-from-Chrome
Portecle is a handy open-source GUI tool to work with keystores.
You can use both the keytool
or Portecle to create a truststore and add exported SSL certs to it.
You can find more Spring Boot tutorials from me on GitHub and at http://kaviddiss.com/.