Sample App Self-Signed SSL Creation

This guide explains how to manually create a self-signed SSL certificate and configure it in the sample app.

Configure SSL for the sample app

Self-signed SSL

Generate Certificates

  • Create a file named domains.ext with the following content.
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = identitydemo.acmeinc.com
  • Open a command prompt, type openssl and press Enter.
  • Run the following commands to generate certificates. COUNTRY, STATE, Location and <PASSWORD> are placeholders for your own values; C takes a two-letter country code.
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=AcmeInc"

openssl x509 -outform pem -in RootCA.pem -out RootCA.crt

REM Windows only
set RANDFILE=.rnd

openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=COUNTRY/ST=STATE/L=Location/O=Example-Certificates/CN=identitydemo.acmeinc.com"

openssl x509 -req -sha256 -days 1024 -in server.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile "domains.ext" -out server.crt

openssl pkcs12 -export -out sslkeystore.p12 -inkey server.key -in server.crt -name sampleapp -passout pass:"<PASSWORD>"
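
The script below is an added example, not part of the original guide: it checks the files generated by the commands above before they are installed or copied into the sample app. The function names and the KEYSTORE_PASSWORD environment variable (export it with the keystore password before running) are assumptions of this example.

```sh
#!/bin/sh
# Added example: checks for the files generated above. Function names and the
# KEYSTORE_PASSWORD variable are assumptions of this example, not the sample app's.

# server.crt must verify against RootCA.pem, the CA that gets installed as trusted.
chains_to_root() {
    openssl verify -CAfile "$1/RootCA.pem" "$1/server.crt" >/dev/null 2>&1
}

# $2 must be a DNS entry in subjectAltName (taken from domains.ext). A certificate
# signed without -extfile carries only the CN and fails this check.
has_san() {
    openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# server.key must be the private key of server.crt; this catches a mismatched
# pair after existing .crt and .key files were renamed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The keystore must open with the exported KEYSTORE_PASSWORD and contain alias $2,
# the value that server.ssl.key-alias has to name.
keystore_has_alias() {
    openssl pkcs12 -in "$1/sslkeystore.p12" -nokeys -passin env:KEYSTORE_PASSWORD \
        2>/dev/null | sed 's/^ *//; s/ *$//' | grep -Fxq "friendlyName: $2"
}

# usage: check_all DIR  (returns non-zero if any check fails)
check_all() {
    rc=0
    chains_to_root "$1" || { echo "FAIL: server.crt is not signed by RootCA.pem"; rc=1; }
    for name in localhost identitydemo.acmeinc.com; do
        has_san "$1" "$name" || { echo "FAIL: subjectAltName lacks $name"; rc=1; }
    done
    key_matches_cert "$1" || { echo "FAIL: server.key does not match server.crt"; rc=1; }
    keystore_has_alias "$1" sampleapp || { echo "FAIL: keystore unreadable or alias missing"; rc=1; }
    return $rc
}

# Run against the current directory when the generated files are present.
if [ -f server.crt ]; then
    check_all . && echo "all checks passed"
fi
```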

Install certificates   

  1. Install RootCA.crt certificate.
  2. Double click on the certificate and click on Install certificate.
  3. On Windows, select Local Machine and proceed.
    a. On Windows, select 'Trusted Root Certification Authorities' as shown in the below image.
  4. On MacOS, select "System".
  5. Repeat steps 2-4 to install the server.crt certificate.

DNS Aliasing

  • Add the following entry to the hosts file.

    On Windows, edit the C:\Windows\System32\drivers\etc\hosts file.
    On *nix (Linux/Mac) systems, edit the /etc/hosts file.

127.0.0.1 identitydemo.acmeinc.com

SSL Configuration

This section is applicable for both Self Signed SSL and Public SSL certificates.

  • Copy the .p12 file (generated in the Generate Certificates step) and place it under the resources folder: .\Spring-boot\src\main\resources
  • Create a new folder named ssl under the angular project: .\angular
  • Move the server.crt and server.key files (generated in the Generate Certificates step) to the ssl folder under the angular project.
  • If you have any existing .crt and .key files, rename them to server.crt and server.key.

Update the configuration file in the sample app

Update application.yml file

  • Update placeholder values in application.yml file located at identity-demo-angular/spring-boot/src/main/resources/application.yml
    • server.ssl.key-alias - Key alias name used at the time of key creation.
    • server.ssl.key-store - Set the key store value to classpath:sslkeystore.p12.
    • server.ssl.key-store-password - Set this to the key store password entered while exporting the key.