sjngm

Reputation: 12871

Self-Signed Certificates in Spring-Boot

I'm trying to get a Spring-Boot server up and running, which provides some security via SSL. I followed steps 1 and 2 of this guide to get a self-signed certificate and am able to access my site via https. The application.properties looks like this:

server.port=8443
server.ssl.keyStore=classpath:keystore.p12
server.ssl.keyStorePassword=youd_want_to_know
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=hs

keystore.p12 was generated with

$ keytool -genkey -alias hs -storetype PKCS12 \
-keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650

Except for the password I didn't enter anything, all fields are "Unknown".

However, the lock in the browser isn't green. The detail message says

There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

The plus-side:

Secure TLS connection
The connection to this site is using a strong protocol version and cipher suite.
Secure Resources
All resources on this page are served securely.

I guess in plain text it means that the data is transported securely, but the browser isn't fully happy with the certificate in terms of it can't track the authenticity. Therefore, I understand that this isn't worthy for production (and for now it doesn't need to be).

But, is it safe and secure for me since I own the server and know that I created the self-signed certificate myself? Or are there ways to turn this into a certificate that the browser is happy with? What do I need to do to make that work and what would the Spring-Boot configuration look like?

Upvotes: 5

Views: 7624

Answers (3)

so-random-dude

Reputation: 16555

In a nutshell, using a self-signed certificate is completely unsafe unless

  1. you control every machine between you and the server OR
  2. you check that the keys in the certificate are what you expect them to be.

The only advantage is that it will block passive attacks (the attacker observes the data but does not alter it in any way) regardless of whether the CA certificate was issued by a mainstream CA or not.

Take a look here https://security.stackexchange.com/a/8112

Upvotes: 1
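As an added example (not code from the question or any of the answers), here is what the second condition above looks like on the client side: a Java client that trusts only the server's own certificate, exported from keystore.p12 into a client truststore (`keytool -exportcert -alias hs -keystore keystore.p12 -file hs.cer`, then `keytool -importcert -alias hs -file hs.cer -keystore client-truststore.p12 -storetype PKCS12`), and additionally compares the leaf certificate's SHA-256 fingerprint with a value obtained out of band (e.g. from `keytool -list -v -keystore keystore.p12`). The truststore file name, its password and the fingerprint placeholder are assumptions; `HexFormat` needs Java 17 or later. One caveat: because the keystore in the question was generated with every field left as "Unknown" and no SAN, hostname verification for localhost still fails even with this truststore unless the key is regenerated with `-ext san=dns:localhost`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.HexFormat;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedClient {
    // Expected SHA-256 fingerprint of the server's self-signed certificate, learned
    // out of band from the keystore you generated yourself. Placeholder value
    // (assumption): replace it with the fingerprint printed by keytool -list -v.
    static final String EXPECTED_SHA256 = "REPLACE_WITH_SHA256_FINGERPRINT";

    // Fingerprint of the DER encoding, in keytool's AA:BB:... notation.
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.ofDelimiter(":").withUpperCase().formatHex(digest);
    }

    // SSLContext whose only trust anchor is the given truststore; the public CA
    // bundle is not consulted, so a certificate from any CA is rejected here.
    static SSLContext contextTrustingOnly(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file name and password for the client truststore built with keytool.
        SSLContext ctx = contextTrustingOnly("client-truststore.p12", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) URI.create("https://localhost:8443/").toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect();
        // The handshake already verified the chain against the truststore; the
        // fingerprint comparison is a second, explicit check of the leaf certificate.
        String actual = sha256Fingerprint(conn.getServerCertificates()[0]);
        if (!actual.equalsIgnoreCase(EXPECTED_SHA256)) {
            throw new SecurityException("certificate fingerprint mismatch: " + actual);
        }
        System.out.println("HTTP " + conn.getResponseCode() + ", pinned certificate OK: " + actual);
    }
}
```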

Dapeng

Reputation: 1726

In this case the communication between browser and server is still vulnerable to man-in-the-middle attack, so this is not really "secure & safe".

Upvotes: 1

KingJulien

Reputation: 303

That's how the browser is supposed to behave. As long as you (or rather, browsers you or your organization owns) are the only consumers of your website, you are fine. But once you want to on-board other consumers you might need to get your certificate signed by a certificate provider.

Upvotes: 3
