SoFunction
Updated on 2025-04-05

Springboot implements TLS bidirectional authentication method

keytool is the JDK's own key and certificate tool, and it is the natural choice when the keystores and truststores are in JKS format.

1. Generate a self-signed CA certificate

Generate CA key pairs and self-signed certificates

keytool -genkeypair -alias my-ca -keyalg RSA -keysize 2048 -validity 3650 -keystore -storepass changeit -keypass changeit -dname "CN=My CA, OU=My Organization, O=My Company, L=My City, ST=My State, C=US" -ext bc:c

  • -alias my-ca: The alias for the CA certificate.
  • -keystore : The generated keystore file (including CA key pair and certificate).
  • -storepass and -keypass: Passwords for the keystore and for the private key.
  • -dname: Distinguished Name (DN) of the certificate.
  • -ext bc:c: Mark the certificate as a CA certificate.

Export CA certificate

keytool -exportcert -alias my-ca -keystore  -storepass changeit -file 

  • -file : The exported CA certificate file.

2. Use CA to issue server certificates

Generate server key pair

keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 -keystore -storepass changeit -keypass changeit -dname "CN=, OU=My Organization, O=My Company, L=My City, ST=My State, C=US"

  • -alias server: The alias of the server certificate.
  • -keystore : The generated server keystore file.

Generate a certificate signing request (CSR)

keytool -certreq -alias server -keystore -storepass changeit -file

  • -file : The generated CSR file.

Issuing server certificates using CA

keytool -gencert -alias my-ca -infile -outfile -keystore -storepass changeit -validity 365 -ext SAN=dns:

  • -infile : The input CSR file.
  • -outfile : The issued server certificate file.
  • -ext SAN=dns: : Optional, adds a Subject Alternative Name (SAN); clients match the hostname against the SAN, so it should be the name they will connect to.

Import CA certificates and server certificates into the server keystore

keytool -importcert -alias my-ca -file  -keystore  -storepass changeit -noprompt
keytool -importcert -alias server -file  -keystore  -storepass changeit

Import the CA certificate first, and then import the issued server certificate: keytool only accepts the issued certificate as a reply for the existing key entry when it can chain it to a CA certificate already in the keystore.

3. Use CA to issue client certificates

Generate client key pairs

keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore -storepass changeit -keypass changeit -dname "CN=, OU=My Organization, O=My Company, L=My City, ST=My State, C=US"

  • -alias client: The alias of the client certificate.
  • -keystore : The generated client keystore file.

Generate a certificate signing request (CSR)

keytool -certreq -alias client -keystore  -storepass changeit -file 

  • -file : The generated CSR file.

Issuing client certificates using CA

keytool -gencert -alias my-ca -infile  -outfile  -keystore  -storepass changeit -validity 365

  • -infile : The input CSR file.
  • -outfile : The issued client certificate file.

Import CA certificates and client certificates into the client keystore

keytool -importcert -alias my-ca -file  -keystore  -storepass changeit -noprompt
keytool -importcert -alias client -file  -keystore  -storepass changeit

Import the CA certificate first, and then import the issued client certificate, for the same chain-building reason as on the server side.

4. Configure the truststore

Create a truststore and import a CA certificate

keytool -importcert -alias my-ca -file  -keystore  -storepass changeit -noprompt

  • -keystore : The generated truststore file. It contains only the CA certificate; both sides use it to validate the peer's certificate.
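The four keytool steps above, run end to end, as an added example that is not part of the original article. It assumes file names the page leaves out (ca.jks, server.jks, client.jks, truststore.jks, plus *.csr and *.pem), the page's password "changeit" for every store and key, and a JDK with keytool on the PATH; check_chain is the verification a practitioner wants after the imports.

```shell
#!/bin/sh
# Added example, not from the original article: the keytool procedure run end to end
# with assumed file names (ca.jks, server.jks, client.jks, truststore.jks, *.csr, *.pem)
# and the page's password "changeit" for every keystore and key.
set -e

PASS=changeit
DN_TAIL="OU=My Organization, O=My Company, L=My City, ST=My State, C=US"

# issue <alias> <CN> [extra -gencert options]: key pair, CSR, CA-signed certificate,
# then import the CA first and the issued certificate second so keytool can build the chain.
issue() {
  ent=$1; cn=$2; shift 2
  keytool -genkeypair -alias "$ent" -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$ent.jks" -storepass "$PASS" -keypass "$PASS" -dname "CN=$cn, $DN_TAIL"
  keytool -certreq -alias "$ent" -keystore "$ent.jks" -storepass "$PASS" -file "$ent.csr"
  keytool -gencert -alias my-ca -keystore ca.jks -storepass "$PASS" -validity 365 \
    -infile "$ent.csr" -outfile "$ent.pem" -rfc "$@"
  keytool -importcert -alias my-ca -file ca.pem -keystore "$ent.jks" -storepass "$PASS" -noprompt
  keytool -importcert -alias "$ent" -file "$ent.pem" -keystore "$ent.jks" -storepass "$PASS" -noprompt
}

# make_pki <dir> <server-hostname>: builds everything inside <dir>. The body runs in a
# subshell, so the caller's working directory is untouched.
make_pki() (
  mkdir -p "$1" && cd "$1"
  # 1. Self-signed CA; bc:c marks it as a CA certificate.
  keytool -genkeypair -alias my-ca -keyalg RSA -keysize 2048 -validity 3650 \
    -keystore ca.jks -storepass "$PASS" -keypass "$PASS" -dname "CN=My CA, $DN_TAIL" -ext bc:c
  keytool -exportcert -alias my-ca -keystore ca.jks -storepass "$PASS" -rfc -file ca.pem
  # 2. Server certificate whose SAN is the hostname clients will connect to.
  issue server "$2" -ext "SAN=dns:$2"
  # 3. Client certificate.
  issue client client
  # 4. Truststore holding only the CA: anything the CA issued is accepted, nothing else.
  keytool -importcert -alias my-ca -file ca.pem -keystore truststore.jks -storepass "$PASS" -noprompt
)

# check_chain <keystore> <alias>: the entry must carry a 2-certificate chain (own cert + CA).
# A chain length of 1 means the import order went wrong and peers will reject the certificate.
check_chain() {
  out=$(keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2")
  case $out in *"Certificate chain length: 2"*) return 0 ;; esac
  return 1
}
```

Run it as `make_pki ./pki localhost && check_chain ./pki/server.jks server`; the resulting server.jks and truststore.jks are the files the Spring Boot configuration below points at, and client.jks plus truststore.jks are what the Java client loads.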

5. Configure the server and client

1. Server configuration

Configure in Spring Boot:

server:
  ssl:
    key-store: classpath:
    key-store-password: changeit
    key-alias: server
    trust-store: classpath:
    trust-store-password: changeit
    client-auth: need # Require the client to provide a certificate

2. Client configuration

Configure in Java (Apache HttpClient 4.x; the keystore paths are the client keystore and the truststore created above):

import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Present the client certificate (key material) and trust only the CA (trust material).
SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(new File(""), "changeit".toCharArray(), "changeit".toCharArray()) // client keystore: store password, key password
        .loadTrustMaterial(new File(""), "changeit".toCharArray())                         // truststore containing the CA certificate
        .build();
HttpClient client = HttpClients.custom()
        .setSSLContext(sslContext)
        .build();

6. Summary

  • keytool can fully replace openssl for generating and managing a self-signed CA certificate, server certificates and client certificates.
  • Adding only the CA certificate to the truststore is enough to verify every certificate issued by that CA.
  • This approach suits the Java ecosystem, especially where JKS keystores and truststores are already in use.
