How to Secure Your Spring Boot Application with HTTPS: A Step‑by‑Step Guide

This tutorial walks you through obtaining or generating SSL certificates, configuring Spring Boot to use JKS or PKCS12 keystores, redirecting HTTP to HTTPS, and distributing the certificate to clients, with complete command‑line examples and code snippets for a production‑ready setup.


Configure SSL

Spring Boot can serve HTTPS using either a CA‑issued certificate or a self‑signed certificate generated for testing. The keystore must contain the private key and the certificate.

Generate a self‑signed certificate

Use the JDK keytool utility. Two common keystore types are JKS (Java‑specific) and PKCS12 (industry standard).

keytool -genkeypair -alias serverKeyStore -keyalg RSA -keysize 4096 \
    -storetype JKS -keystore serverKeyStore.jks -validity 3650 \
    -storepass password

For a PKCS12 keystore:

keytool -genkeypair -alias serverKeyStore -keyalg RSA -keysize 4096 \
    -storetype PKCS12 -keystore serverKeyStore.p12 -validity 3650 \
    -storepass password

The command prompts for distinguished‑name fields; pressing Enter accepts defaults. After execution you obtain serverKeyStore.jks or serverKeyStore.p12 containing the private key and the self‑signed certificate.

Verify keystore contents

keytool -list -v -keystore serverKeyStore.jks
keytool -list -v -keystore serverKeyStore.p12

Convert JKS to PKCS12 (optional)

keytool -importkeystore -srckeystore serverKeyStore.jks \
    -destkeystore serverKeyStore.p12 -deststoretype PKCS12

Import an existing CA‑issued certificate

If you already have a certificate (e.g., from Let’s Encrypt), import it into a new PKCS12 keystore:

keytool -import -alias serverKeyStore -file myCrt.crt \
    -keystore serverKeyStore.p12 -storepass password

Note that keytool -import stores only the certificate, as a trusted-certificate entry. Spring Boot needs a key entry that pairs the certificate with its private key, so when a CA-issued certificate and its key exist as separate PEM files, build the PKCS12 file from both (for example with openssl pkcs12 -export) and point server.ssl.key-store at the result.

Enable HTTPS in Spring Boot

Place the keystore file in src/main/resources (or the project root) and add the following properties to application.yml (or application.properties):

server:
  ssl:
    key-store: classpath:serverKeyStore.p12
    key-store-password: password
    key-store-type: pkcs12
    key-alias: serverKeyStore
    key-password: password
  port: 8443

Key properties:

server.port – HTTPS listening port (8443 in this example instead of the default 8080).
server.ssl.key-store – classpath location of the keystore.
server.ssl.key-store-password – password to open the keystore.
server.ssl.key-store-type – JKS or PKCS12.
server.ssl.key-alias – alias of the key entry.
server.ssl.key-password – password for the private key (often the same as the keystore password).
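As an added check, not part of the original article, the following Java program loads the keystore and verifies what Spring Boot actually needs from it: a key entry under the alias (not merely an imported certificate), a certificate that is currently valid, and a private key that matches that certificate. The defaults mirror the application.yml above and are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

// Preflight check for a Spring Boot server keystore. Added example, not from the
// original article; path, type, password and alias default to the values used in
// the application.yml above and can be overridden on the command line.
public class KeyStorePreflight {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "serverKeyStore.p12";
        String type = args.length > 1 ? args[1] : "PKCS12";
        char[] password = (args.length > 2 ? args[2] : "password").toCharArray();
        String alias = args.length > 3 ? args[3] : "serverKeyStore";

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);            // a wrong store password fails here
        }

        // server.ssl.* needs a PrivateKeyEntry; a certificate added with plain
        // "keytool -import" is a TrustedCertificateEntry and cannot terminate TLS.
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("alias not found: " + alias);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias " + alias + " has a certificate but no private key");
        }

        PrivateKey key = (PrivateKey) ks.getKey(alias, password);   // key-password
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity();                   // throws if expired or not yet valid

        // The private key must belong to the certificate: for RSA, compare moduli.
        if (key instanceof RSAPrivateKey rsaKey
                && cert.getPublicKey() instanceof RSAPublicKey rsaPub) {
            if (!rsaKey.getModulus().equals(rsaPub.getModulus())) {
                throw new IllegalStateException("private key does not match certificate");
            }
            System.out.println("RSA key size: " + rsaPub.getModulus().bitLength());
        }
        System.out.println("Subject:     " + cert.getSubjectX500Principal());
        System.out.println("Valid until: " + cert.getNotAfter());
        System.out.println("Keystore is usable for server.ssl.key-store");
    }
}
```

Run it once against the file you intend to ship; each failure mode it reports (missing alias, certificate-only entry, expired certificate, mismatched key) otherwise surfaces only as a startup exception in Spring Boot.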

Redirect HTTP to HTTPS with Spring Security

Create a security configuration that forces every request to use HTTPS while permitting all users (useful for testing):

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            // every request must arrive over HTTPS; plain HTTP gets a redirect
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // authorizeHttpRequests replaces the deprecated authorizeRequests;
            // permitAll keeps the chain open for testing only
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .build();
    }
}

Add an additional HTTP connector (Tomcat)

If you need both HTTP and HTTPS ports, define a Tomcat bean that adds an HTTP connector and redirects it to HTTPS:

import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ServerConfig {
    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // CONFIDENTIAL makes Tomcat redirect any non-TLS request for /* to the
                // connector's redirect port instead of serving it over plain HTTP
                SecurityConstraint constraint = new SecurityConstraint();
                constraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                constraint.addCollection(collection);
                context.addConstraint(constraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(getHttpConnector());
        return tomcat;
    }

    // Plain HTTP listener on 8080 whose only job is to redirect to the HTTPS port
    private Connector getHttpConnector() {
        Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setSecure(false);
        connector.setRedirectPort(8443);
        return connector;
    }
}

Export and distribute the certificate

Export the public certificate from the keystore

keytool -export -keystore serverKeyStore.p12 -alias serverKeyStore -file server.crt

Import the certificate into a client trust store

Clients trust the server only once the certificate is in their trust store: either the JRE’s cacerts or a dedicated one such as clientTrustStore.jks, which the following command creates if it does not yet exist:

keytool -importcert -file server.crt -alias clientTrustStore -keystore clientTrustStore.jks

The default JRE trust‑store password is usually changeit or changeme. Confirm trust when prompted.
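To confirm that the distributed certificate actually works, here is an added Java client (not from the original article) that trusts only the entries in clientTrustStore.jks and calls the server; the trust-store password and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

// Added example (not from the original article): a client that trusts only the
// certificates in clientTrustStore.jks built above. The trust-store password and
// the server URL are assumptions.
public class TrustStoreClient {

    // Build an SSLContext whose trust anchors come solely from the given store,
    // so the JRE's default cacerts are not consulted at all.
    static SSLContext contextFrom(String trustStorePath, char[] password) throws Exception {
        // the default type (PKCS12 on JDK 9+) also reads JKS files in compat mode
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://localhost:8443/";
        HttpClient client = HttpClient.newBuilder()
            .sslContext(contextFrom("clientTrustStore.jks", "password".toCharArray()))
            .build();
        HttpRequest request = HttpRequest.newBuilder(URI.create(url)).GET().build();
        try {
            HttpResponse<String> response =
                client.send(request, HttpResponse.BodyHandlers.ofString());
            String protocol = response.sslSession().map(s -> s.getProtocol()).orElse("none");
            System.out.println("HTTP " + response.statusCode() + " over " + protocol);
        } catch (SSLHandshakeException e) {
            // Typical causes: certificate not in the trust store, expired, or the
            // host name is not in the certificate's subject alternative names.
            System.out.println("TLS handshake rejected: " + e.getMessage());
        }
    }
}
```

Hostname verification still applies: the certificate must name the host it is served from (for localhost, keytool’s -ext san=dns:localhost at generation time), otherwise the handshake is rejected even though the certificate is trusted.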

Browser trust configuration

On macOS import the certificate into Keychain Access. In Firefox, Brave or other browsers add a security exception for https://localhost:8443 or enable the allow‑insecure‑localhost flag.

Reference implementation

The complete example project, including the above configuration files and Java classes, is available on GitHub (e.g., https://github.com/your-repo/spring-boot-https-demo).

For production use replace the self‑signed keystore with a certificate issued by a trusted CA and consider integrating authentication/authorization solutions such as Keycloak.
