
Spring Boot: RSA works, JKS doesn't

I want to enable SSL for my spring boot application.

I generated a keystore with this command:

keytool -genkey -alias myapp -keyalg RSA -keystore tomcat.keystore

application.properties contains:

server.port = 8443
server.ssl.key-store = classpath:tomcat.keystore
server.ssl.key-store-password = ###
server.ssl.key-password = !&*
server.ssl.enabled=true

First I had created a JKS keystore with this command:

keytool -genkey -alias tomcat -keystore keystore.jks -validity 3650

But I received an error when I visited https://localhost:8443:

This site can’t provide a secure connection

localhost uses an unsupported protocol.

Why is it working now and not then?

I have a few other questions:

1. I looked at a few tutorials and they all suggested putting the keystore file in src/main/resources. Is this really a good idea?

2. What is the key-store-password? What is the key-password?

3. Is this all we have to do to enable SSL? What about crt and cer files? Where are they used?

About "localhost uses an unsupported protocol": make sure the server supports a cipher which the client can support.

"This site can't provide a secure connection": the message could be because the connection is not trusted, of course. Here you would simply tell the client to ignore it.

You also set an alias in your JKS file, make sure you tell the server to load the correct alias.

Placing the JKS in src/main/resources could be a good practice, but it is not essential; just make sure it's safe and accessible.

crt and cer files are not required explicitly for Java, but once you get a certificate signed by a CA, you would import the cert into the JKS to let the server find the intermediate and root certs (if they exist; the root is not essential).

Once you generate a key with keytool, just keep the file safe. You need to generate the CSR value; also, the same JKS is needed for importing the trusted cert.

I also suggest getting some hands-on experience with OpenSSL (if possible) over JSSE.
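The two keytool commands in the question differ in `-keyalg RSA`; older JDKs' keytool generated a DSA key when that option was omitted, and browsers do not offer cipher suites for DSA keys. The following is an added example, not code from the question or the answer, that reports each key entry's algorithm, whether the expected alias exists, and whether the key password (as opposed to the store password) unlocks it. The class name `KeystoreCheck` and the `BROWSER_KEY_ALGS` list are assumptions made for illustration.

```java
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example (not from the original post).
// Usage: java KeystoreCheck <keystore-file> <expected-alias>
public class KeystoreCheck {
    // Assumption: key types for which current browsers offer TLS cipher suites.
    static final List<String> BROWSER_KEY_ALGS = Arrays.asList("RSA", "EC");

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive terminal): KeystoreCheck <file> <alias>");
            System.exit(2);
        }
        // Prompt for passwords: command-line arguments show up in process listings.
        char[] storePass = console.readPassword("key-store-password: ");
        char[] keyPass = console.readPassword("key-password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, storePass); // a wrong store password fails here with IOException
        }
        if (!ks.isKeyEntry(args[1])) {
            System.out.println("No key entry under alias '" + args[1]
                    + "'; aliases present: " + Collections.list(ks.aliases()));
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!ks.isKeyEntry(alias) || cert == null) continue; // skip non-private-key entries
            String alg = cert.getPublicKey().getAlgorithm(); // "RSA", "DSA", "EC", ...
            String verdict = BROWSER_KEY_ALGS.contains(alg)
                    ? "ok" : "browsers are unlikely to share a cipher suite with this key";
            System.out.println(alias + ": " + alg + " key, " + verdict);
            try {
                ks.getKey(alias, keyPass); // the key is protected separately from the store
                System.out.println(alias + ": key-password accepted");
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": key-password rejected");
            }
        }
    }
}
```

A keystore whose only key entry reports `DSA` matches the "unsupported protocol" symptom described in the question.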
