
Example project showing how to access REST endpoints from multiple servers that are secured by different client certificates, using Spring's RestTemplate & Docker Compose

jonashackt/spring-boot-rest-clientcertificates-docker-compose

REST client uses a client certificate to authenticate to a Spring Boot server


This repository builds on the groundwork done in https://github.com/jonashackt/spring-boot-rest-clientcertificate. That project is a basic example in which the client-certificate-secured server is a Spring Boot application and the client is just a test case using Spring's RestTemplate, configured to present the client certificate.

The present project, in contrast, focuses on configuring more than one client certificate and on accessing REST endpoints from multiple servers, each secured by a different client certificate, with Spring's RestTemplate.

To that end we use several Spring Boot based microservices, each providing a REST endpoint secured by its own client certificate, and a separate microservice that accesses these services:

                                   ================
                                   =              =
                                   = server-alice =
==============                     =              =
=            = ------------------> ================
= client-bob =                     
=            = ------------------> ================
==============                     =              =
                                   =  server-tom  =
                                   =              =
                                   ================

For the general approach to generating private keys and certificates and creating Java keystores, see https://github.com/jonashackt/spring-boot-rest-clientcertificate#generate-the-usual-key-and-crt---and-import-them-into-needed-keystore-jks-files

server-alice keys and client certificate, truststore & keystore (see /server-alice/src/main/resources)

1. Private Key: aliceprivate.key

openssl genrsa -des3 -out aliceprivate.key 128
  • passphrase alicepassword

2. Certificate Signing Request (CSR): alice.csr

openssl req -new -key aliceprivate.key -out alice.csr

Common Name: server-alice, which will later be a DNS alias inside the Docker network

3. Self-signed certificate: alice.crt

openssl x509 -req -days 3650 -in alice.csr -signkey aliceprivate.key -out alice.crt

4. Java truststore, a keystore that contains the generated self-signed certificate: alice-truststore.jks

keytool -import -file alice.crt -alias alicesCA -keystore alice-truststore.jks

password: alicepassword (the same as for the key)

5. Java keystore that contains the key pair (public and private key): alice-keystore.p12

openssl pkcs12 -export -in alice.crt -inkey aliceprivate.key -certfile alice.crt -name "alicecert" -out alice-keystore.p12

password: alicepassword (the same as for the key)

server-tom keys and client certificate, truststore & keystore (see /server-tom/src/main/resources)

1. Private Key: tomprivate.key

openssl genrsa -des3 -out tomprivate.key 1024
  • passphrase tompassword

2. Certificate Signing Request (CSR): tom.csr

openssl req -new -key tomprivate.key -out tom.csr

Common Name: server-tom, which will later be a DNS alias inside the Docker network

3. Self-signed certificate: tom.crt

openssl x509 -req -days 3650 -in tom.csr -signkey tomprivate.key -out tom.crt

4. Java truststore, a keystore that contains the generated self-signed certificate: tom-truststore.jks

keytool -import -file tom.crt -alias tomsCA -keystore tom-truststore.jks

password: tompassword (the same as for the key)

5. Java keystore that contains the key pair (public and private key): tom-keystore.p12

openssl pkcs12 -export -in tom.crt -inkey tomprivate.key -certfile tom.crt -name "tomcert" -out tom-keystore.p12

password: tompassword (the same as for the key)
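The five steps above, for alice and tom alike, as one non-interactive script. This is an added example, not a script from the repository: it keeps the page's file names, aliases and passwords, but assumes 2048-bit keys (OpenSSL refuses RSA keys shorter than 512 bits, so the 128-bit size in the alice command cannot be generated at all, and 1024-bit RSA is below current minimum recommendations), AES-256 instead of 3DES for key encryption, passphrases supplied through -passin/-passout, and a subjectAltName carrying the Docker service name. The check functions surface what a failing handshake would otherwise reveal only indirectly: whether key and certificate belong together, whether the SAN is set, and whether the certificate validates against itself as the trust anchor the truststore will hold.

```shell
#!/bin/sh
# Added example, not a script from the repository: steps 1-5 for one server
# identity, non-interactive, plus the checks worth running before the files
# are copied into src/main/resources.
# Assumptions (not from the page): 2048-bit RSA, AES-256 key encryption,
# passphrases passed with -passin/-passout, and a subjectAltName on the cert.
set -eu

# make_identity NAME CN PASSWORD OUTDIR
# Writes NAMEprivate.key, NAME.csr, NAME.crt, NAME-keystore.p12 and, when
# keytool is on PATH, NAME-truststore.jks into OUTDIR.
make_identity() {
  name=$1; cn=$2; pass=$3; out=$4
  mkdir -p "$out"
  # Step 1: encrypted private key. "pass:" exposes the secret in the process
  # list; outside a demo prefer OpenSSL's file: or env: passphrase sources.
  openssl genrsa -aes256 -passout "pass:$pass" -out "$out/${name}private.key" 2048 2>/dev/null
  # Step 2: CSR with the Docker service name as CN, no interactive prompts.
  openssl req -new -key "$out/${name}private.key" -passin "pass:$pass" \
    -subj "/CN=$cn" -out "$out/$name.csr"
  # Step 3: self-signed certificate. Hostname verification matches the SAN;
  # a CN-only certificate relies on a legacy fallback.
  printf 'subjectAltName=DNS:%s\n' "$cn" > "$out/$name.ext"
  openssl x509 -req -days 3650 -in "$out/$name.csr" \
    -signkey "$out/${name}private.key" -passin "pass:$pass" \
    -extfile "$out/$name.ext" -out "$out/$name.crt" 2>/dev/null
  # Step 5: PKCS12 keystore holding the key pair under a fixed alias.
  openssl pkcs12 -export -in "$out/$name.crt" -inkey "$out/${name}private.key" \
    -passin "pass:$pass" -name "${name}cert" -passout "pass:$pass" \
    -out "$out/$name-keystore.p12"
  # Step 4: JKS truststore with the certificate as trust anchor (needs a JDK).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -storetype JKS -file "$out/$name.crt" \
      -alias "${name}sCA" -keystore "$out/$name-truststore.jks" \
      -storepass "$pass" >/dev/null 2>&1
  fi
}

# key_matches_cert KEY PASSWORD CERT -> yes/no
# A mismatched pair fails only at handshake time; compare the public keys now.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout)
  c=$(openssl x509 -in "$3" -noout -pubkey)
  [ "$k" = "$c" ] && echo yes || echo no
}

# cert_san CERT -> the DNS name in subjectAltName, e.g. DNS:server-alice
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^,[:space:]]*'
}

# p12_subject P12 PASSWORD -> subject of the key entry's certificate (RFC 2253)
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# self_signed_ok CERT -> yes if the certificate validates with itself as the
# only trust anchor, which is exactly what the truststore built from it does.
self_signed_ok() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 && echo yes || echo no
}

# Usage (script name assumed): sh make-identities.sh run
if [ "${1:-}" = run ]; then
  make_identity alice server-alice alicepassword ./out
  make_identity tom   server-tom   tompassword   ./out
  echo "alice key/cert match: $(key_matches_cert ./out/aliceprivate.key alicepassword ./out/alice.crt)"
  echo "alice SAN:            $(cert_san ./out/alice.crt)"
  echo "alice p12 subject:    $(p12_subject ./out/alice-keystore.p12 alicepassword)"
  echo "alice self-signed ok: $(self_signed_ok ./out/alice.crt)"
fi
```

OpenSSL 3 writes PKCS12 files with AES-256 and PBKDF2; if an older JDK refuses to open such a file, the `-legacy` option of `openssl pkcs12` in OpenSSL 3 emits the older encoding instead.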

client-bob truststore & keystore (see /server-alice/src/main/resources)

1. Java truststore, a keystore that contains both servers' self-signed certificates: client-truststore.jks

keytool -import -file alice.crt -alias alicesCA -keystore client-truststore.jks
keytool -import -file tom.crt -alias tomsCA -keystore client-truststore.jks

password: bobpassword

In KeyStore Explorer this should look like this (screenshot: client-truststore):

2. Java keystore that contains the key pairs (public and private keys): client-keystore.p12

The OpenSSL CLI sadly doesn't support importing multiple certificate files, but we can concatenate them:

cat alice.crt tom.crt > allcerts.pem
cat aliceprivate.key tomprivate.key > allkeys.pem

Then we can do:

openssl pkcs12 -export -in allcerts.pem -inkey allkeys.pem -certfile allcerts.pem -name "alicecert" -out client-keystore.p12

password: bobpassword (the same as for the truststore)

To check in KeyStore Explorer that everything worked, convert the .p12 file into a .jks first; otherwise the tool throws an exception:

keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -destkeystore client-keystore.jks -deststoretype JKS

The result should look like this (screenshot: client-keystore):
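A check on what the concatenation step actually stores, and an alternative. `openssl pkcs12 -export` reads a single private key from -inkey (the first PEM block in allkeys.pem) and pairs it with the certificate from -in that matches it; every other certificate is stored as a CA certificate, not as a second key entry, so client-keystore.p12 ends up holding Alice's key pair and Tom's certificate without a key. The added example below (not from the repository) verifies that with OpenSSL alone and then, where keytool is available, merges the per-server .p12 files into one keystore that carries both key pairs under their own aliases. The throwaway identities it generates inline use unencrypted keys and 1-day certificates purely as test material, and the file name client-keystore-merged.p12 is an assumption; names, aliases and bobpassword follow the page.

```shell
#!/bin/sh
# Added example, not from the repository: inspect what the concatenation
# method stores in client-keystore.p12, then (when a JDK is available) build
# a keystore that carries both key pairs as separate entries.
# Throwaway identities with unencrypted keys and 1-day certificates are
# generated inline as test material (assumption); names and passwords follow
# the page.
set -eu

# throwaway_identity NAME CN OUTDIR -> NAMEprivate.key and NAME.crt in OUTDIR
throwaway_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3/${1}private.key" \
    -out "$3/$1.crt" -subj "/CN=$2" -days 1 2>/dev/null
}

# merge_by_concatenation DIR PASSWORD -> DIR/client-keystore.p12, built as above
merge_by_concatenation() {
  cat "$1/alice.crt" "$1/tom.crt" > "$1/allcerts.pem"
  cat "$1/aliceprivate.key" "$1/tomprivate.key" > "$1/allkeys.pem"
  # -inkey yields the FIRST private key in the file (and -passin would decrypt
  # only that one); it is paired with the certificate from -in that matches it.
  # Every other certificate is stored as a CA certificate without a key.
  openssl pkcs12 -export -in "$1/allcerts.pem" -inkey "$1/allkeys.pem" \
    -certfile "$1/allcerts.pem" -name alicecert -passout "pass:$2" \
    -out "$1/client-keystore.p12"
}

# count_key_entries P12 PASSWORD -> number of private keys in the file
count_key_entries() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# count_extra_certs P12 PASSWORD -> certificates stored without a private key
count_extra_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# key_entry_subject P12 PASSWORD -> subject of the certificate that has a key
key_entry_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# merge_with_keytool DIR PASSWORD -> DIR/client-keystore-merged.p12 holding
# alicecert and tomcert as two key entries. Each identity is first exported
# to its own .p12 (as in the server sections above) and then imported.
merge_with_keytool() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found, skipping merged keystore" >&2
    return 0
  fi
  for who in alice tom; do
    openssl pkcs12 -export -in "$1/$who.crt" -inkey "$1/${who}private.key" \
      -name "${who}cert" -passout "pass:$2" -out "$1/$who-keystore.p12"
    # A PKCS12 destination requires key and store password to be identical,
    # so no -destkeypass is given.
    keytool -importkeystore -noprompt \
      -srckeystore "$1/$who-keystore.p12" -srcstoretype PKCS12 -srcstorepass "$2" \
      -destkeystore "$1/client-keystore-merged.p12" -deststoretype PKCS12 \
      -deststorepass "$2" -srcalias "${who}cert" -destalias "${who}cert" >/dev/null 2>&1
  done
}

# Usage (script name assumed): sh client-keystore.sh run
if [ "${1:-}" = run ]; then
  mkdir -p ./out
  throwaway_identity alice server-alice ./out
  throwaway_identity tom   server-tom   ./out
  merge_by_concatenation ./out bobpassword
  echo "key entries in client-keystore.p12: $(count_key_entries ./out/client-keystore.p12 bobpassword)"
  echo "that key's certificate:             $(key_entry_subject ./out/client-keystore.p12 bobpassword)"
  echo "certificates stored without a key:  $(count_extra_certs ./out/client-keystore.p12 bobpassword)"
  merge_with_keytool ./out bobpassword
fi
```

With two key entries in the merged keystore, the JDK's default X509KeyManager picks the client certificate whose issuer appears in the list the server sends in its CertificateRequest, so server-alice is answered with alicecert and server-tom with tomcert without any per-host configuration on the RestTemplate side.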
