Generate and Configure SSL Certificates in Spring Boot with JDK Keytool & FreeSSL
This guide walks through creating a self‑signed SSL certificate with JDK’s keytool, configuring Spring Boot to use the PKCS12 keystore, redirecting HTTP to HTTPS, and alternatively obtaining a free FreeSSL certificate, covering necessary code, configuration files, and deployment steps for both Windows and Linux environments.
Using JDK's Built‑in Tool to Generate a Certificate
1. Ensure JDK is installed and the environment variables are correctly configured.
2. Navigate to the bin directory under your JAVA_HOME path.
3. Execute the following command to generate a PKCS12 keystore:
keytool -genkey -alias <alias> -dname "CN=Name,OU=OrgUnit,O=Org,L=City,ST=Province,C=Country" -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 365
4. Place the generated keystore.p12 file into the resources directory and add the following configuration to application.properties or application.yml:
# HTTPS port
server.port=443
# Path to the certificate
server.ssl.key-store=classpath:keystore.p12
# Certificate password (replace with your own)
server.ssl.key-store-password=123456
# Keystore type
server.ssl.keyStoreType=PKCS12
# Certificate alias (optional)
# server.ssl.keyAlias=uublog
If you use a port other than 443, include the specific port number in the URL when accessing the service.
Redirect HTTP to HTTPS
package com.lhc.uublog.utils;

import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SSLUtils {

    // Additional plain-HTTP connector on port 80 whose redirect port is the HTTPS port.
    @Bean
    public Connector connector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setSecure(false);
        connector.setPort(80);
        connector.setRedirectPort(443);
        return connector;
    }

    // Embedded Tomcat factory that registers the HTTP connector and requires
    // a confidential (HTTPS) transport for every URL.
    @Bean
    public TomcatServletWebServerFactory tomcatServletWebServerFactory(Connector connector) {
        TomcatServletWebServerFactory webServerFactory = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // CONFIDENTIAL makes Tomcat redirect HTTP requests to the redirect port.
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                // Apply the constraint to all paths.
                SecurityCollection securityCollection = new SecurityCollection();
                securityCollection.addPattern("/*");
                securityConstraint.addCollection(securityCollection);
                context.addConstraint(securityConstraint);
            }
        };
        webServerFactory.addAdditionalTomcatConnectors(connector);
        return webServerFactory;
    }
}

5. Deploy the application. On Windows you can start it directly; on Linux ensure that port 443 is open before deployment:
# Check if port 443 is open
firewall-cmd --query-port=443/tcp
# If not open, add the rule and reload
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload
Using a FreeSSL Certificate
FreeSSL.cn provides free HTTPS certificates. After obtaining a domain (e.g., from GoDaddy), follow the site’s instructions to generate and download the certificate.
Place the downloaded certificate (e.g., a .jks file) into the resources directory and add the following configuration:
# HTTPS port
server.port=443
# Path to the certificate
server.ssl.key-store=classpath:yourcert.jks
# Certificate password (replace with your own)
server.ssl.key-store-password=***
# Keystore type
server.ssl.keyStoreType=JKS
Use the same HTTP‑to‑HTTPS redirect code shown earlier, then package and deploy the application.
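A check worth running before deployment on either keystore above (the keytool-generated keystore.p12 or the FreeSSL .jks), added here as an example and not part of the original article: it loads the keystore and reports each private-key entry's expiry, RSA key size and whether the certificate is self-signed. The class name KeystoreCheck, the KEYSTORE_PASSWORD environment variable and the 30-day warning threshold are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

// Added example. Assumed invocation:
//   KEYSTORE_PASSWORD=... java KeystoreCheck keystore.p12 PKCS12
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "keystore.p12";
        String type = args.length > 1 ? args[1] : "PKCS12";   // pass JKS for a .jks file
        String pw = System.getenv("KEYSTORE_PASSWORD");        // assumed variable name
        if (pw == null) {
            System.err.println("Set KEYSTORE_PASSWORD");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pw.toCharArray());                     // throws on a wrong password
        }
        int keyEntries = 0;
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;               // TLS needs a private-key entry
            keyEntries++;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            long daysLeft = Duration.between(Instant.now(), cert.getNotAfter().toInstant()).toDays();
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            int bits = cert.getPublicKey() instanceof RSAPublicKey
                    ? ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() : -1;
            System.out.printf("alias=%s subject=%s daysLeft=%d selfSigned=%b rsaBits=%d%n",
                    alias, cert.getSubjectX500Principal().getName(), daysLeft, selfSigned, bits);
            if (daysLeft < 30) { System.out.println("  WARN: expires within 30 days"); ok = false; }
            if (bits != -1 && bits < 2048) { System.out.println("  WARN: RSA key below 2048 bits"); ok = false; }
            if (selfSigned) System.out.println("  NOTE: self-signed; clients will not trust it by default");
        }
        if (keyEntries == 0) { System.out.println("WARN: no private-key entry found"); ok = false; }
        System.exit(ok ? 0 : 1);
    }
}
```

The non-zero exit status on a warning lets a build or deployment script stop before the application is packaged with an expired or unusable keystore.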
Spring Boot version: 2.0.4.RELEASE
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
