Set up a TLS certificate

Transport Layer Security (TLS) protects data in transit between client and server and is a vital component of the HTTPS protocol. The terms Secure Sockets Layer (SSL) and TLS are often used interchangeably, but they aren't the same: TLS is the successor of SSL.

Here are the steps to get your TLS up and running:

  1. Generate a TLS certificate
  2. Convert the certificate to Java P12 format
  3. Import the certificate to Java Keystore and configure it

Generate a TLS certificate

The first step is to obtain a certificate from a certificate authority (CA). Examples include certbot or the sample script provided below, but you can use any method or certificate provider that suits your needs.

You can generate a Let's Encrypt certificate with the following script: https://github.com/jed/certbot-route53/blob/master/certbot-route53.sh.

Run the following command:

sh certbot-route53.sh \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains '*.chromia.dev' \
  --email my.cert@mydomain.com

The script creates a letsencrypt folder in the current working directory, which contains the certificate and its private key.

Convert the certificate to Java P12 format

Next, you convert the certificate to PKCS#12 (P12) format, an industry-standard format belonging to the family of standards defined under Public Key Cryptography Standards (PKCS).

Enter the following command to convert the server certificate and key to PKCS12 format:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out server.p12 -name postchain

It prompts for an export password. Choose one and keep it safe; you'll need this password in later steps.

Import the certificate to Java Keystore and configure it

Run the following command to import the certificate into a Java Keystore, passing the P12 password you chose in the previous step as -srcstorepass:

keytool -importkeystore -deststorepass postchain_keypass -destkeypass postchain_keypass -destkeystore my_keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass p12pass -alias postchain

Take note of the postchain_keypass and my_keystore.jks values; you need to configure them in the postchain node-config.properties file as follows:

api.enable_tls=true
api.tls_certificate=my_keystore.jks
api.tls_certificate.password=postchain_keypass
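The conversion and import steps above, wrapped in a small POSIX shell script as an added example (not Chromia's own tooling). It assumes openssl and keytool are on PATH and the letsencrypt live directory is passed as the first argument; the hypothetical KEYSTORE_PASS variable holds the single password used for the P12, the keystore and the key, because node-config.properties has only one password property.

```shell
#!/bin/sh
# Hypothetical helper for steps 2 and 3 of this page; not part of Chromia/Postchain.
set -eu

# Emit the three node-config.properties lines for a keystore path and password.
render_node_config() {
  printf 'api.enable_tls=true\napi.tls_certificate=%s\napi.tls_certificate.password=%s\n' "$1" "$2"
}

# Convert PEM -> P12 -> JKS and verify the result.
# Usage: KEYSTORE_PASS=... build_keystore <letsencrypt live dir> <keystore path> <alias>
# Passwords are read from the environment (openssl env:, keytool :env) so they
# do not show up in the process list or shell history.
build_keystore() {
  live_dir=$1; keystore=$2; entry_alias=$3
  : "${KEYSTORE_PASS:?set KEYSTORE_PASS before running}"
  p12="$(dirname "$keystore")/server.p12"

  # Refuse to install a certificate that expires within 30 days (2592000 s).
  openssl x509 -in "$live_dir/fullchain.pem" -noout -checkend 2592000 \
    || { echo "certificate expires within 30 days, renew it first" >&2; return 1; }

  # Step 2: full chain + private key into a single PKCS#12 file.
  openssl pkcs12 -export -in "$live_dir/fullchain.pem" -inkey "$live_dir/privkey.pem" \
    -out "$p12" -name "$entry_alias" -passout env:KEYSTORE_PASS

  # Step 3: import into the JKS; store and key password are deliberately identical.
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
    -destkeystore "$keystore" -deststorepass:env KEYSTORE_PASS \
    -destkeypass:env KEYSTORE_PASS -alias "$entry_alias"
  rm -f "$p12"

  # Confirm the alias is really present before writing the node configuration.
  keytool -list -keystore "$keystore" -storepass:env KEYSTORE_PASS -alias "$entry_alias" >/dev/null

  render_node_config "$keystore" "$KEYSTORE_PASS" > node-config.tls.properties
}

if [ "$#" -eq 3 ]; then
  build_keystore "$@"
fi
```

Append the generated node-config.tls.properties lines to your node-config.properties, or copy the values into it.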