
I have a Spring Boot web project, I'm trying to set up SSL with a certificate provided by my employer.

The PFX file is currently working fine to achieve SSL on stand-alone Tomcat with the following config:

 <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" keystoreFile="server.pfx" keystoreType="PKCS12" keystorePass="secret" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" /> 

In Spring Boot, with the embedded Tomcat I use the following application.properties:

 server.port=8088
 security.require-ssl=true
 server.ssl.enabled=true
 server.ssl.key-password=secret
 server.ssl.key-store=classpath:server.pfx
 server.ssl.key-store-provider=SUN
 server.ssl.key-store-type=PKCS12
 server.ssl.key-alias=1

When I start the project, I get the error message:

Caused by: java.io.IOException: Failed to load keystore type [PKCS12] with path [file:/Users/user/workspace/tracking/target/classes/server.pfx] due to [PKCS12 not found]

The command keytool -list -keystore /Users/user/workspace/tracking/target/classes/server.pfx

returns:

 Keystore type: JKS
 Keystore provider: SUN

 Your keystore contains 1 entry

 1, 15-Mar-2018, PrivateKeyEntry, Certificate fingerprint (SHA1): F8:A0:CF:A6:AF:B4:ED:53:A0:79:25:03:04:D9:79:F0:FC:B2:49:DF

Is there a different value I should be using for server.ssl.key-store-type?

UPDATE

I also tried changing to server.ssl.key-store-type=JKS but then I get:

IllegalArgumentException: Private key must be accompanied by certificate chain

Is there a way around either of these problems?

  • Are you sure you are using the same server.pfx file? keystoreType = "PKCS12" should return an error if the type is JKS. It looks like the file Spring Boot is loading is a copy that only imported the private key but not the CA certificates. Commented Mar 15, 2018 at 12:37
  • thanks for the comment, but it's definitely a copy of the same file Commented Mar 15, 2018 at 22:06
  • Did you find a solution to that problem? Commented May 29, 2018 at 14:38
  • 1
    A private key has to be either self signed, or accompanied by a certificate change, which you get, if a Certificate Authority is signing your Certificate Signing Request. This you can import (with the same alias as your private key) into your keystore, and then have the full monty. The self-signed certificate is created by java's keytool, if you say -genkeypair Commented Jun 20, 2018 at 15:11
  • 1
    Late but: KeyStore PKCS12 was (and still is) in provider SunJSSE not SUN -- that's why you got not-found. You're generally better off not specifying the provider and letting JCA find it. @MarcoA.Hernandez+ however since 8u60 in 2015 a 'compatibility' feature allows the KeyStore JKS implementation to read PKCS12 as well -- and Java 8 keytool misleadingly lists it as type: JKS just as you posted. Thus specifying JKS should have worked if keytool (from the same version?) did. I doubt you still have the problem, but if you do with a keystore you can share I'd be interested to look. Commented Oct 5, 2024 at 20:15

1 Answer

It's too late for the party, but I faced a similar issue. I tried to add Bouncy Castle's keystore to my Spring app: server.ssl.key-store-type=BCFKS, and my app always switched back to PKCS12 for some reason.

I fixed it by changing the property name:

instead of server.ssl.key-store-type=BCFKS

I added server.ssl.keyStoreType=BCFKS
