Java: Enable client side mTLS without modifying application
Gist: giner/e89a09b6afcfb91ab56e8ccc79978e7d
Last active August 29, 2021 12:33
```sh
# Notes:
# - option javax.net.ssl.trustStore replaces the default Java truststore,
#   i.e. TLS connections other than mTLS won't be possible unless
#   the new truststore also contains the common public CA certificates
# - The custom CA certificate from truststore.pkcs12 will be used by
#   all TLS connections initiated from the app. Make sure you can
#   fully trust this CA in your specific case.
# - Generation of the keystores is not part of this snippet; instructions
#   can easily be found elsewhere
#
# client.pkcs12 contains:
# - client certificate
# - client private key
#
# truststore.pkcs12 contains:
# - CA certificate
java -Djavax.net.ssl.keyStore=/path/to/client.pkcs12 \
     -Djavax.net.ssl.keyStorePassword="<keystorepass>" \
     -Djavax.net.ssl.trustStore=/path/to/truststore.pkcs12 \
     -Djavax.net.ssl.trustStorePassword="<truststorepass>" \
     -jar your-java-app.jar
```
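As an added pre-flight check (not part of the gist), the following Java program loads the same two PKCS12 files, verifies that client.pkcs12 carries a private key with its certificate chain, prints every CA the app will trust once the default truststore is replaced, and builds an SSLContext the way the JVM's defaults do from those properties. The file paths, the placeholder passwords and the class name MtlsStoreCheck are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public class MtlsStoreCheck {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        // Hypothetical paths and passwords; at launch time they come from the -D options.
        char[] keyPass = "<keystorepass>".toCharArray();
        char[] trustPass = "<truststorepass>".toCharArray();
        KeyStore keyStore = load("/path/to/client.pkcs12", keyPass);
        KeyStore trustStore = load("/path/to/truststore.pkcs12", trustPass);
        // 1. client.pkcs12 must hold a private key with its certificate chain; otherwise
        //    the client sends no certificate and the server rejects the handshake.
        boolean hasIdentity = false;
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.isKeyEntry(alias) && keyStore.getCertificateChain(alias) != null) {
                X509Certificate leaf = (X509Certificate) keyStore.getCertificate(alias);
                System.out.println("client identity: " + leaf.getSubjectX500Principal());
                hasIdentity = true;
            }
        }
        if (!hasIdentity) throw new IllegalStateException("no private key entry in client.pkcs12");
        // 2. Everything the app will trust from now on. The property replaces the JDK's
        //    cacerts, so any CA missing here (public CAs included) will fail to connect.
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                X509Certificate ca = (X509Certificate) trustStore.getCertificate(alias);
                System.out.println("trusted CA: " + ca.getSubjectX500Principal());
            }
        }
        // 3. Build an SSLContext the same way the JVM's default does from those properties.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

If the second listing shows only your private CA, non-mTLS endpoints will stop working; import that CA into a copy of the JDK's cacerts and point javax.net.ssl.trustStore at the copy instead.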