Spring Boot and Comodo https configuration for a web application

Time: 2018-06-29 17:53:09

Tags: spring-boot ssl

I am new to https configuration and tried to configure spring-boot with Comodo SSL.

After a few calls, I figured out how to configure https properly for your spring-boot website.

The answer below gives the detailed steps. I hope it can help people build more secure websites or services.

1 answer:

Answer 0: (score: 0)

Spring Boot and COMODO HTTPS configuration

1. Purchase a Comodo plan, such as a Wildcard
2. Generate a CSR (certificate signing request) from one of your servers
   on AWS.
   a. keytool -genkey -keyalg RSA -keysize 2048 -dname "CN=www.yourdomain.com, O=Default, C=US" -keystore domain.keystore
      Notes: If you purchased a Wildcard, please put CN=*.yourdomain.com
      Notes: You have to set a password right here; please remember it.
   b. keytool -certreq -keyalg RSA -file domain.csr -keystore domain.keystore
      Notes: The domain.csr is your generated CSR; you have to copy and paste it into the field that Comodo requires.
3. Comodo will send a link to admin@yourdomain.com; you have to verify it to pass DCV.
4. After you finish steps 2 and 3, you will receive 4 CRT files by email, and you need to add these 4 CRTs into your existing domain.keystore.
5. Install
   keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore domain.keystore
   keytool -import -trustcacerts -alias COMODORSAAddTrustCA -file COMODORSAAddTrustCA.crt -keystore domain.keystore
   keytool -import -trustcacerts -alias COMODORSADomainValidationSecureServerCA -file COMODORSADomainValidationSecureServerCA.crt -keystore domain.keystore
   keytool -import -trustcacerts -alias mykey -file STAR_domain_com.crt -keystore domain.keystore

   Notes: You have to set -alias to "mykey" if you didn't set an alias in the CSR generation.
   Notes: After you have done these imports, you may receive the message "Certificate reply was installed in keystore", which
   indicates that you have successfully installed the keystore.
   Notes: If you keep receiving a warning saying: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12
          which is an industry standard format using "keytool -importkeystore -srckeystore domain.keystore -destkeystore domain.keystore -deststoretype pkcs12",
          you could run the recommended command after the imports and convert the keystore to pkcs12 format. It is not necessary.

6. Configure Spring Boot
   a. Write a configuration file in your Spring Boot project for the redirect
       import org.apache.catalina.Context;
       import org.apache.catalina.connector.Connector;
       import org.apache.tomcat.util.descriptor.web.SecurityCollection;
       import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
       import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
       import org.springframework.context.annotation.Bean;
       import org.springframework.context.annotation.Configuration;

       @Configuration
       public class HttpsConfig {

           @Bean
           public TomcatServletWebServerFactory servletContainer() {
               TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
                   @Override
                   protected void postProcessContext(Context context) {
                       // Require a confidential (TLS) transport for every URL pattern;
                       // Tomcat answers plain-HTTP requests with a redirect to the redirectPort.
                       SecurityConstraint securityConstraint = new SecurityConstraint();
                       securityConstraint.setUserConstraint("CONFIDENTIAL");
                       SecurityCollection collection = new SecurityCollection();
                       collection.addPattern("/*");
                       securityConstraint.addCollection(collection);
                       context.addConstraint(securityConstraint);
                   }
               };
               tomcat.addAdditionalTomcatConnectors(createHttpConnector());
               return tomcat;
           }

           // Plain-HTTP connector on port 1234 whose only job is to redirect to the HTTPS port (5678)
           private Connector createHttpConnector() {
               Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
               connector.setScheme("http");
               connector.setSecure(false);
               connector.setPort(1234);
               connector.setRedirectPort(5678);
               return connector;
           }
       }
   b. In application.properties, turn on https support
       server.port=5678
       security.require-ssl=true
       server.ssl.key-store=classpath:domain.keystore
       server.ssl.key-store-password=abc12345
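As an added example (not part of the answer above), a Python check that parses the output of `keytool -list -v -keystore domain.keystore` after step 5 and flags the failure modes the notes describe: the leaf imported under an alias other than the key's, the certificate reply not installed (chain length 1, so Tomcat would still present the self-signed certificate), a leaf CN that does not match the purchased domain, and a JKS store that keytool recommends migrating. The sample listing is constructed and abbreviated; the alias `mykey` and the CN `*.yourdomain.com` follow the answer.

```python
import re

def parse_keytool_listing(text):
    # Parse `keytool -list -v` output into (store_type, {alias: entry}).
    store_type, entries, cur = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        value = line.split(":", 1)[1].strip() if ":" in line else ""
        if line.startswith("Keystore type:"):
            store_type = value.lower()
        elif line.startswith("Alias name:"):
            cur = entries.setdefault(value, {"type": None, "chain_len": 0, "owners": []})
        elif cur is not None and line.startswith("Entry type:"):
            cur["type"] = value
        elif cur is not None and line.startswith("Certificate chain length:"):
            cur["chain_len"] = int(value)
        elif cur is not None and line.startswith("Owner:"):
            cur["owners"].append(value)  # owners[0] is the leaf of a PrivateKeyEntry
    return store_type, entries

def check_keystore(text, key_alias, expected_cn):
    # Return findings for the failure modes the import notes describe; [] means OK.
    store_type, entries = parse_keytool_listing(text)
    entry = entries.get(key_alias)
    if entry is None:
        return [f"alias {key_alias!r} not found: the imports used a different alias"]
    findings = []
    if entry["type"] != "PrivateKeyEntry":
        findings.append(f"{key_alias} is a {entry['type']}, not a PrivateKeyEntry")
    if entry["chain_len"] < 2:  # reply not installed: Tomcat would serve the self-signed cert
        findings.append(f"chain length {entry['chain_len']}: certificate reply was not installed")
    leaf_cn = (re.findall(r"CN=([^,]+)", "".join(entry["owners"][:1])) or [None])[0]
    if leaf_cn != expected_cn:
        findings.append(f"leaf CN {leaf_cn!r} does not match expected {expected_cn!r}")
    if store_type == "jks":
        findings.append("store is JKS; keytool recommends migrating to PKCS12")
    return findings

# Constructed, abbreviated `keytool -list -v -keystore domain.keystore` output (not real data)
SAMPLE_GOOD = """\
Keystore type: PKCS12
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 4
Owner: CN=*.yourdomain.com, O=Default, C=US
Alias name: addtrustexternalcaroot
Entry type: trustedCertEntry
"""
SAMPLE_BAD = SAMPLE_GOOD.replace("Certificate chain length: 4", "Certificate chain length: 1")  # reply not installed
```

Run `check_keystore(open("listing.txt").read(), "mykey", "*.yourdomain.com")` on the real listing; an empty result means the key entry carries the full Comodo chain.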