Using your SSL certificate for your Spark web application

Posted on Thu 09 March 2017 in Web Development, Sysadmin

I've fallen in love with Spark recently. Being unexperienced with web development, I stumbled upon Spark when I was looking for a small framework for setting up a simple web application based on Java. My learning curve has been steep and my first website (consisting of nothing but a simple form) is running smoothly.

One issue I had to deal with was using my domain's SSL certificate (proudly sponsored by Let's Encrypt) for the integrated web server that comes with Spark. As you can read here, a keystore and a password need to be specified in order to achieve this.

Alright, nothing easier than coming up with a password, but how do I set up a Java keystore (.JKS) that uses my certificate? A quick Startpage search directed me to Maximilian Böhm's tutorial on JKS and Let's Encrypt certificates.
I could skip step 1 as I had created and installed my certificates already. For step 2, I needed to locate the directory in which my Plesk installation stored the fullchain.pem and privkey.pem files. I found them in:

/opt/psa/var/modules/letsencrypt/etc/live/mydomain.com/

I copied them to a temp directory to make things easier, and then ran the following command:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name mydomain_letsencrypt

After typing in and remembering the password, the resulting pkcs.p12 file could be used to create the JKS file as described in step 3:

keytool -importkeystore -deststorepass DEST_STORE_PASS -destkeypass KEY_PASS -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass SRC_STORE_PASS -alias mydomain_letsencrypt

Here, SRC_STORE_PASS is the password chosen in step 2. Make sure to remember and distinguish those three passwords! Or use the same phrase for all of them.

The result was saved as keystore.pks. I changed my Spark code accordingly:

String keyStoreLocation = "keystore.jks";
String keyStorePassword = "DEST_STORE_PASS";
secure(keyStoreLocation, keyStorePassword, null, null);

and put the file next my JAR. Done.

Update 2017-09-02: Here's a script that updates the keystore entry (e.g in case the existing SSL certificate has been invalided and a new one has been created).

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
#!/bin/bash

CERT_PATH=/opt/psa/var/modules/letsencrypt/etc/live/mydomain/
CERT_ALIAS=mydomain_letsencrypt
PKCS_FILENAME=pkcs.p12
PKCS_PW='my_pkcs_pw'
KEYSTORE_FILENAME=keystore.jks
KEYSTORE_PW='my_keystore_pw'

# generate PKCS12 file
openssl pkcs12 -export -in $CERT_PATH/fullchain.pem -inkey $CERT_PATH/privkey.pem -out $PKCS_FILENAME -name $CERT_ALIAS -passout pass:$PKCS_PW

# delete existing entry in Java keystore
keytool -delete -keystore $KEYSTORE_FILENAME -alias $CERT_ALIAS -storepass $KEYSTORE_PW

# add new Java keystore entry from PKCS12 file
keytool -importkeystore -deststorepass $KEYSTORE_PW -destkeypass $KEYSTORE_PW -destkeystore $KEYSTORE_FILENAME -srckeystore $PKCS_FILENAME -srcstoretype PKCS12 -srcstorepass $PKCS_PW -alias $CERT_ALIAS

rm $PKCS_FILENAME

encryption Java Java keystore let's encrypt Spark SSL