All Products
Search

This Product

    Certificate Management Service:Install an SSL certificate on a Spring Boot application (Linux)

    Document Center

    Certificate Management Service:Install an SSL certificate on a Spring Boot application (Linux)

    Last Updated:Mar 31, 2026

    This guide shows how to enable HTTPS in a Spring Boot application by configuring an SSL certificate directly in its embedded server.

    Prerequisites

    Before you begin, make sure you have:

    • A valid SSL certificate issued by a trusted certificate authority. If the certificate is expiring or has already expired, renew it first.

    • A certificate that covers your domain names. To add or change domain names, purchase a commercial certificate or append and replace domain names.

      To secure multi-level subdomains, the Bound Domains field must contain the exact domain (e.g., a.b.example.com) or the corresponding wildcard (e.g., *.b.example.com).
      Domain name typeCoverage
      Exact-match (example.com)Only example.com
      Exact-match (www.example.com)Only www.example.com
      Wildcard (*.example.com)First-level subdomains: www.example.com, a.example.comnot the root domain example.com or multi-level subdomains like a.b.example.com

    • Server access: a root account or one with sudo privileges.

    • DNS configured: the domain's DNS record resolves to the server's public IP address.

    • Domain name resolution: The domain's DNS record is configured and resolves to the server's public IP address.

    • Java 8 or later installed on the server.

    Files required:

    FileDescription
    Certificate filedomain.p12 (PKCS12 format) or domain.jks (JKS format), downloaded from Certificate Management Service
    Password filep12-password.txt — contains the keystore password

    Step 1: Prepare the certificate files

    1. Go to the Certificate Management Service console. In the Actions column of the target certificate, click Download Certificate. On the Download tab, select JKS as the server type and download the certificate file.

      Spring Boot supports JKS and PKCS12 (.pfx) formats. This guide uses PKCS12 as the example. After extracting the downloaded file, you get a certificate file (e.g., domain.p12) and a password file (p12-password.txt).

    2. Upload the certificate file (.pfx or .jks) and password file (.txt) to the server. Store them in a secure directory outside the application, such as /etc/ssl/myapp. To upload files, use the file transfer feature of your remote login tool (PuTTY, Xshell, or WinSCP). If your server runs on Alibaba Cloud Elastic Compute Service (ECS), see Upload or download files.

      Important

      Do not place certificate or private key files in the src/main/resources directory. Doing so packages sensitive keys into application artifacts (JAR or WAR files) and risks key leakage.

    Step 2: Configure the Spring Boot application

    Note

    Do not hard-code sensitive information such as certificate passwords in configuration files. Use environment variables or an external secrets manager instead.

    1. Set environment variables for the certificate passwords:

      # Get the password from the password file you downloaded earlier.
export SSL_KEYSTORE_PASSWORD='your_secure_password'
# If the private key password differs from the keystore password, set it as well.
export SSL_KEY_PASSWORD='your_key_password'

    2. Configure SSL in your application.properties or application.yml file. This guide uses Spring Boot 3.4.10 as the example.

      application.properties

      # Listen on port 443
server.port=443

# --- SSL configuration ---
# Path to the certificate file. Use the 'file:' prefix to specify an external absolute path.
server.ssl.key-store=file:/etc/myapp/ssl/keystore.p12
# Type of the certificate keystore.
server.ssl.key-store-type=PKCS12
# Certificate alias, which is usually specified when generating the JKS/P12 file.
server.ssl.key-alias=mycert

# --- Password management ---
# Read the password from an environment variable to avoid hard-coding it in the configuration file.
server.ssl.key-store-password=${SSL_KEYSTORE_PASSWORD}
# If the private key password differs from the keystore password, read it from an environment variable as well.
server.ssl.key-password=${SSL_KEY_PASSWORD}

# --- TLS protocols and cipher suites ---
# Enable secure TLS protocol versions.
server.ssl.enabled-protocols=TLSv1.2,TLSv1.3
# Configure recommended strong cipher suites.
server.ssl.ciphers=TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256

# Enable HTTP/2 to improve performance.
server.http2.enabled=true

      application.yml

      server:
  port: 443 # Listen on port 443

  ssl:
    # --- SSL configuration ---
    # Path to the certificate file. Use the 'file:' prefix to specify an external absolute path.
    key-store: file:/etc/myapp/ssl/keystore.p12
    # Type of the certificate keystore.
    key-store-type: PKCS12
    # Certificate alias, which is usually specified when generating the JKS/P12 file.
    key-alias: mycert

    # --- Password management ---
    # Read the password from an environment variable to avoid hard-coding it in the configuration file.
    key-store-password: ${SSL_KEYSTORE_PASSWORD}
    # If the private key password differs from the keystore password, read it from an environment variable as well.
    key-password: ${SSL_KEY_PASSWORD}

    # --- TLS protocols and cipher suites ---
    # Enable secure TLS protocol versions.
    enabled-protocols: TLSv1.2,TLSv1.3
    # Configure recommended strong cipher suites.
    ciphers:
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256
      - TLS_AES_128_GCM_SHA256
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES128-GCM-SHA256

  # Enable HTTP/2 to improve performance.
  http2:
    enabled: true

    Step 3: Open port 443

    Make sure both the system firewall and the cloud security group allow inbound traffic on TCP port 443.

    Check whether port 443 is already open

    Run the following command for your Linux distribution:

    RHEL/CentOS

    command -v nc > /dev/null 2>&1 || sudo yum install -y nc
# Replace <your_server_public_ip> with the public IP address of your server.
sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443

    If the output is Ncat: Connected to <your_server_public_ip>:443, port 443 is already open.

    Debian/Ubuntu

    command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat
# Replace <your_server_public_ip> with the public IP address of your server.
sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443

    If the output is Connection to <your_server_public_ip> port [tcp/https] succeeded! or [<your_server_public_ip>] 443 (https) open, port 443 is already open.

    If port 443 is closed, complete the steps below.

    Open port 443 in the security group

    Important

    If your server runs on a cloud platform, the security group must allow inbound TCP traffic on port 443. The following steps use Alibaba Cloud ECS as an example. For other platforms, refer to their documentation.

    Go to the Elastic Compute Service (ECS) instances page and click the target instance name. In the Security Group Details section, add a security group rule. For detailed instructions, see Add a security group rule. Set the rule as follows:

    • Action: Allow

    • Protocol: Custom TCP

    • Destination (current instance): HTTPS (443)

    • Source: 0.0.0.0/0 (anywhere)

    Open port 443 in the system firewall

    Run the following command to identify which firewall service is active:

    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
    echo "firewalld"
elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then
    echo "ufw"
elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then
    echo "nftables"
elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then
    echo "iptables"
elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then
    echo "iptables"
else
    echo "none"
fi

    If the output is none, no further action is needed. Otherwise, run the corresponding command:

    firewalld

    sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reload

    ufw

    sudo ufw allow 443/tcp

    nftables

    sudo nft add table inet filter 2>/dev/null
sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null
sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/null

    iptables

    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    To persist the iptables rules across reboots:

    • RHEL/CentOS:

      sudo yum install -y iptables-services
sudo service iptables save

    • Debian/Ubuntu:

      sudo apt-get install -y iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null

    Step 4: Start or restart the application

    Go to the root directory of your Spring Boot project and run the appropriate command for your build tool and environment.

    Development and test (build plugins)

    • Maven:

      mvn spring-boot:run

    • Gradle:

      gradle bootRun

    Production (standalone JAR)

    In production, package and run the application as a .jar file. Stop the running process before restarting:

    # 1. Find and stop the running process.
# ps -ef | grep your-app-name.jar
# kill <PID>
#
# 2. Restart the application. Add any JVM arguments before '&'.
nohup java -jar /path/to/your-app-name.jar &
    After restarting, check the application logs to confirm the service loaded the SSL certificate and started on the HTTPS port.

    Step 5: Verify the deployment

    1. Open a browser and navigate to https://yourdomain, replacing yourdomain with your actual domain.

    2. If the certificate is deployed correctly, a security indicator appears in the address bar. If you see access errors or the indicator is missing, clear the browser cache or try incognito mode.

    image

    Starting from version 117, the image icon in the Chrome address bar has been replaced with a new image icon. Click this icon to view the certificate details.

    If the issue persists, see the FAQ section for troubleshooting guidance.

    Going live

    Before exposing the application in production, apply these best practices:

    • Run as a non-administrator user. Create a dedicated, low-privilege system user for the application. Never run with administrator-level accounts.

      For large-scale production deployments, configure SSL at the gateway layer instead — deploy the certificate on a Server Load Balancer (SLB) or a reverse proxy such as Nginx. The gateway terminates HTTPS traffic and forwards decrypted HTTP traffic to the backend application.

    • Externalize credential management. Never hard-code passwords or other sensitive information in code or configuration files. Inject credentials via environment variables, Vault, or a cloud key management service.

    • Redirect HTTP to HTTPS. Redirect all HTTP traffic to HTTPS to prevent man-in-the-middle attacks.

    • Use only modern TLS protocols. Disable SSLv3, TLSv1.0, and TLSv1.1. Enable only TLSv1.2 and TLSv1.3.

    • Monitor certificates and automate renewal. After deploying, enable domain monitoring. Certificate Management Service automatically checks certificate validity and sends renewal reminders before expiration. For setup instructions, see Purchase and enable public domain name monitoring.

    FAQ

    Why is HTTPS inaccessible or the certificate not working after installation?

    Check the following in order:

    • Port 443 blocked. The security group or firewall does not allow inbound traffic on port 443. See Step 3: Open port 443.

    • Domain mismatch. The domain you're accessing is not listed in the certificate's Bound Domains. See the domain matching rules in Prerequisites.

    • Application not restarted. The Spring Boot service was not restarted after modifying the configuration file. See Step 4: Start or restart the application.

    • Incorrect certificate configuration. The certificate files were not replaced correctly, or the path in the Spring Boot configuration is wrong. Verify that both the configuration file and the certificate file are current and valid.

    • Certificate missing on upstream services. If your domain uses a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must also be installed on those services. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services.

    • Incomplete multi-server deployment. If your domain resolves to multiple servers, the certificate must be installed on all of them.

    For further troubleshooting, see Resolve certificate deployment issues based on browser error messages and SSL certificate deployment troubleshooting guide.

    How do I update or replace an SSL certificate in a Spring Boot application?

    1. Back up old files. Back up the existing certificate and password files on the server.

    2. Download new files. Get the new certificate and private key files from the Certificate Management Service console.

    3. Replace files. Upload the new files to the server, overwriting the old ones. The new files must use the exact same path and filename as specified in your Spring Boot configuration.

    4. Restart the application. Restart Spring Boot to apply the new certificate.