Certificate Management Service: Install SSL certificates on Spring Boot-based web applications

Last Updated: Mar 28, 2024

This topic describes how to install an SSL certificate on a Spring Boot-based web application, including downloading and uploading a certificate file, configuring related parameters on the Spring Boot-based web application, and verifying the installation result. The parameters are related to the certificate file, certificate chain, and password file. After the certificate is installed, you can access the Spring Boot-based web application over HTTPS, which ensures the security of data transmission.

Prerequisites

  • A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.

  • Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.

  • Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.

    If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.

Note

If your certificate uses the SM2 algorithm, you cannot install the certificate on Spring Boot-based web applications. You must revoke the certificate and apply for a new certificate that uses the Rivest-Shamir-Adleman (RSA) or Elliptic Curve Cryptography (ECC) algorithm. For more information about how to revoke a certificate and apply for a certificate, see Revoke an SSL certificate and Submit a certificate application.

Step 1: Download the certificate

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click SSL Certificates.

  3. On the SSL Certificates page, find the certificate that you want to manage and click Download in the Actions column.

  4. Find JKS in the Server Type column and click Download in the Actions column.

    Note

    You can install a certificate in the PFX or JKS format on Spring Boot-based web applications. In this example, a JKS certificate is used. If you want to install a PFX certificate, download a certificate in the PFX format.

  5. Decompress the downloaded certificate package.

    The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.

    CSR Generation: Automatic. Files extracted from the certificate package:

    • Certificate file in the JKS format: By default, the certificate file is named in the format "Certificate ID_Domain name bound to the certificate".

    • Password file in the TXT format: By default, the password file is named in the format "Certificate format-password".

      Important

      A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.

    CSR Generation: Manual. Files extracted from the certificate package:

    • If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set CSR Generation to Automatic.

    • If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Install the certificate on a Spring Boot-based web application

  1. Upload the extracted certificate and password files to the root directory src/main/resources/ of your Spring Boot project.

    Note

    If you have modified the directory of the Spring Boot project, you must copy the certificate and password files to the directory in which the configuration file application.properties or application.yml is stored.

    You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service instance, see Use mstsc.exe to upload a file to a Windows instance or Upload a file to a Linux instance.

  2. Configure the application.properties or application.yml file based on the following descriptions:

    • application.properties

      # Specify the default HTTPS port 443. You can change the port based on your business requirements.
      server.port = 443
      # Replace domain_name.jks with the name of your certificate file.
      server.ssl.key-store = classpath:domain_name.jks
      # Enter the password that is contained in the jks-password.txt file.
      server.ssl.key-store-password = ********
      # Set the certificate keystore type to JKS. The certificate keystore type for a PFX certificate is PKCS12.
      server.ssl.key-store-type = JKS

    • application.yml

      server:
        port: 443    # Specify the default HTTPS port 443. You can change the port based on your business requirements. 
        ssl:
          key-store-password: ********    # Enter the password that is contained in the jks-password.txt file. 
          key-store-type: JKS # Set the certificate keystore type to JKS. The certificate keystore type for a PFX certificate is PKCS12. 
          key-store: classpath:domain_name.jks   # Replace domain_name.jks with the name of your certificate file.

  3. Go to the root directory of the Spring Boot project and run the following commands to restart the Spring Boot project:

    • Maven

      mvn spring-boot:run

    • Gradle

      gradle bootRun
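A pre-flight check for the Step 2 settings, added here as an example and not part of the original page or any Alibaba Cloud tooling. It reads application.properties the way java.util.Properties does (a `#` that follows a value on the same line is part of the value, not a comment) and also flags an unreplaced `********` password, a keystore type that does not match the keystore file extension, and a `classpath:` keystore that is not stored beside the configuration file. The function names and finding labels are hypothetical, the `.p12` extension is an assumption beyond the page, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the page); function names and finding labels are hypothetical.
# raw_prop FILE KEY: the value as java.util.Properties keeps it, i.e. all text
# after the first '=' or ':' on the line, including any trailing "# ..." text.
raw_prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1
}

# check_ssl_props FILE: print one finding per line; return 1 if there were any.
check_ssl_props() {
    file=$1; dir=$(dirname "$file"); bad=0; store=; pass=; ktype=
    for k in server.port server.ssl.key-store server.ssl.key-store-password \
             server.ssl.key-store-type; do
        v=$(raw_prop "$file" "$k")
        # The camelCase spelling keyStoreType binds to the same setting.
        [ -n "$v" ] || [ "$k" != server.ssl.key-store-type ] ||
            v=$(raw_prop "$file" server.ssl.keyStoreType)
        [ -n "$v" ] || { echo "MISSING $k"; bad=1; continue; }
        case $v in *" #"*) echo "INLINE_COMMENT $k"; bad=1 ;; esac
        v=$(printf '%s\n' "$v" | sed 's/[[:space:]][[:space:]]*#.*$//; s/[[:space:]]*$//')
        case $k in
            *key-store) store=$v ;;
            *password) pass=$v ;;
            *type) ktype=$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]') ;;
        esac
    done
    case $store in
        *.jks) want=JKS ;;
        *.pfx|*.p12) want=PKCS12 ;;   # .p12 is an assumption beyond the page
        *) want=$ktype ;;
    esac
    [ "$ktype" = "$want" ] || { echo "TYPE_MISMATCH want=$want found=$ktype"; bad=1; }
    [ "$pass" != '********' ] || { echo "PLACEHOLDER_PASSWORD"; bad=1; }
    case $store in
        classpath:*) [ -f "$dir/${store#classpath:}" ] ||
            { echo "KEYSTORE_NOT_FOUND ${store#classpath:}"; bad=1; } ;;
    esac
    return "$bad"
}

# Constructed sample: inline comment, placeholder password, wrong type, no keystore.
demo=$(mktemp -d)
printf '%s\n' 'server.port = 443    # HTTPS port' \
    'server.ssl.key-store = classpath:domain_name.jks' \
    'server.ssl.key-store-password = ********' \
    'server.ssl.keyStoreType = PKCS12' > "$demo/application.properties"
check_ssl_props "$demo/application.properties" || true
rm -rf "$demo"
```

Run it against the application.properties file in src/main/resources/ before restarting the project. An application.yml file is out of scope, because YAML does treat a `#` preceded by a space as the start of a comment.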

Step 3: Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.

References

After I install a certificate on a website, the certificate does not take effect or the website is reported as insecure when I access the website. What do I do?