Set up a TLS certificate
Transport Layer Security (TLS) protects data in transit between client and server and is the component that turns HTTP into HTTPS. The terms Secure Sockets Layer (SSL) and TLS are often used interchangeably, but they aren't the same: TLS is the successor of SSL, and the SSL protocol versions themselves are deprecated and must not be enabled.
Here are the steps to get your TLS up and running:
- Generate a TLS certificate
- Convert the certificate to Java P12 format
- Import the certificate to Java Keystore and configure it
Generate a TLS certificate
The first step is to get a certificate from a certificate authority (CA). The examples below use ACME clients (certbot and zerossl-bot) against two CAs that issue certificates free of charge, but any method or provider that leaves you with the certificate chain and the private key in PEM form will do:
- Let's Encrypt
- ZeroSSL
You can generate a Let's Encrypt certificate using the certbot-route53 script at https://github.com/jed/certbot-route53/blob/master/certbot-route53.sh. It answers the ACME DNS-01 challenge through AWS Route 53, so it needs AWS credentials that can edit the DNS zone; DNS-01 is required here because a wildcard name such as *.chromia.dev can only be issued through that challenge type.
Run the following command:
sh certbot-route53.sh \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains '*.chromia.dev' \
  --email my.cert@mydomain.com
It generates a letsencrypt folder in the current working directory, which contains the certbot output: the certificate chain (fullchain.pem) and the private key (privkey.pem) used in the next step.
You can generate a ZeroSSL certificate by using zerossl-bot, a wrapper around certbot that talks to ZeroSSL's ACME endpoint.
To generate the certificate, run the following command (quote the wildcard so the shell does not expand it as a glob):
sudo zerossl-bot certonly --standalone --agree-tos -m my.cert@mydomain.com -d '*.chromia.dev'
The --standalone plugin answers the HTTP-01 challenge on port 80, which is why the command needs sudo and a free port 80. Note that HTTP-01 cannot issue wildcard certificates: to obtain *.chromia.dev you must use a DNS-01 challenge (for example a DNS plugin), whereas --standalone works for a concrete host name such as node1.chromia.dev. Either way, the output is the same fullchain.pem and privkey.pem pair under the client's live directory.
Convert the certificate to Java P12 format
Next, you convert the certificate and its private key into a single PKCS#12 (P12) archive, an industry-standard container format from the Public Key Cryptography Standards (PKCS) family that Java's keytool can import directly.
Enter the following command in the directory that holds the two PEM files produced by the previous step (for a default certbot install that is /etc/letsencrypt/live/<domain>/; for the certbot-route53 script it is under the letsencrypt folder it created):
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out server.p12 -name postchain
It prompts for an export password. Enter the password and store it securely; you'll need it in the next step. Use fullchain.pem rather than cert.pem so the intermediate CA certificate travels with the server certificate; otherwise clients that do not already hold the intermediate will fail to build the chain. The -name value is the friendly name of the entry and becomes the keystore alias, so keep it consistent with the alias used in the next step. If the keytool import in the next step rejects the file, an OpenSSL 3 export has used newer encryption algorithms than your JDK understands; re-run the export with OpenSSL 3's -legacy option.
Import the certificate to Java Keystore and configure it
Run the following command to import the certificate into a Java Keystore, passing as -srcstorepass the export password you chose in the previous step (p12pass in this example):
keytool -importkeystore -deststorepass postchain_keypass -destkeypass postchain_keypass -destkeystore my_keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass p12pass -alias postchain
The store password and the key password are deliberately identical because the Postchain configuration holds only one password for the keystore. Recent JDKs warn that JKS is a proprietary format and suggest migrating to PKCS12; the warning is harmless for this procedure. Passwords given on the command line end up in shell history and are visible to other users via ps; keytool's :env and :file modifiers (for example -srcstorepass:env P12_PASS) avoid that.
Take note of the postchain_keypass and my_keystore.jks values; you need to configure them in the postchain node-config.properties file as follows. Because the keystore password is stored in the file in cleartext, make the file readable only by the user the node runs as.
api.enable_tls=true
api.tls_certificate=my_keystore.jks
api.tls_certificate.password=postchain_keypass
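The three steps above, from the certbot-style PEM pair to the keystore and config lines, as one added shell script that is not part of Chromia's or Postchain's tooling. It keeps the export and keystore passwords out of argv (openssl's -passout env: and keytool's :env modifier), verifies each artifact before moving on, and writes the config file with restrictive permissions. It assumes openssl on PATH, a JDK keytool on PATH for the JKS step (skipped with a message if missing), the alias "postchain" and the file names used on this page; the self-signed pair it generates when no fullchain.pem/privkey.pem is present is a constructed stand-in so the script runs offline, not a substitute for the CA-issued certificate. The environment variables TLS_P12_PASS and TLS_STORE_PASS are this script's own names and default to the placeholder passwords from the page.

```shell
#!/bin/sh
# Added example, not Chromia/Postchain tooling: PEM pair -> server.p12 ->
# my_keystore.jks -> node-config.properties TLS lines, with checks.
# Assumptions: openssl on PATH; keytool on PATH for the JKS step (skipped
# otherwise); alias "postchain"; file names as on the page. The self-signed
# pair made by make_test_cert is a constructed stand-in for real certbot output.
set -eu

ALIAS=postchain
P12=server.p12
JKS=my_keystore.jks
CONFIG=node-config.properties

# Throwaway self-signed key/cert (test-only) used when no certbot output exists.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=node.example.test' \
    -keyout privkey.pem -out fullchain.pem >/dev/null 2>&1
}

# PKCS#12 export. -passout env:NAME reads the password from the environment
# of the openssl process, so it never appears in ps output or shell history.
make_p12() {
  P12_PASS="$1" openssl pkcs12 -export \
    -in fullchain.pem -inkey privkey.pem -name "$ALIAS" \
    -out "$P12" -passout env:P12_PASS
  # Check: the archive's MAC verifies with that password (fails on a wrong one).
  P12_PASS="$1" openssl pkcs12 -in "$P12" -noout -passin env:P12_PASS
}

# JKS import. keytool's :env modifier plays the role of -passout env:.
# Store and key passwords are identical because Postchain's config has one field.
make_jks() {
  STORE_PASS="$1" P12_PASS="$2" keytool -importkeystore -noprompt \
    -srckeystore "$P12" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
    -destkeystore "$JKS" -deststoretype JKS \
    -deststorepass:env STORE_PASS -destkeypass:env STORE_PASS \
    -srcalias "$ALIAS" -destalias "$ALIAS" >/dev/null 2>&1
  # Check: the keystore lists a PrivateKeyEntry under the expected alias.
  STORE_PASS="$1" keytool -list -keystore "$JKS" -storepass:env STORE_PASS 2>/dev/null \
    | grep -q "^$ALIAS,.*PrivateKeyEntry"
}

# The TLS lines for node-config.properties, created mode 0600 because the
# file carries the keystore password in cleartext.
write_config() {
  ( umask 077
    printf 'api.enable_tls=true\napi.tls_certificate=%s\napi.tls_certificate.password=%s\n' \
      "$JKS" "$1" > "$CONFIG" )
}

# Run all steps in DIR (default: a fresh temp dir). Real fullchain.pem and
# privkey.pem already in DIR are used as-is; otherwise a test pair is made.
main() {
  dir=${1:-$(mktemp -d)}
  p12_pass=${TLS_P12_PASS:-p12pass}                 # placeholder from the page
  store_pass=${TLS_STORE_PASS:-postchain_keypass}   # placeholder from the page
  cd "$dir"
  { [ -f fullchain.pem ] && [ -f privkey.pem ]; } || make_test_cert
  make_p12 "$p12_pass"
  if command -v keytool >/dev/null 2>&1; then
    make_jks "$store_pass" "$p12_pass"
  else
    printf 'keytool not found; %s was not created\n' "$JKS" >&2
  fi
  write_config "$store_pass"
  printf 'artifacts written to %s\n' "$dir"
}

main "$@"
```

Run it with no arguments to see the whole flow on a test pair, or point it at a directory containing the real fullchain.pem and privkey.pem; set TLS_P12_PASS and TLS_STORE_PASS to your own passwords in the environment before running, as the defaults are the placeholder values from this page.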