
Enabling Native TLS/SSL Support


* To run the application with native TLS/SSL encryption protocol support, you'll need the keytool utility bundled with OpenJDK.
* If the keytool utility wasn't installed with JDK/JVM, you'll need to install it separately.
* You also need to install the OpenSSL utility for working with certificates.
* For self-signed certificates, you'll additionally need to install the root certificate of the certificate authority.

1. Using the OpenSSL utility, create a JVM keystore from your certificate/private key pair and store the certificate information in it.
* After entering the command, you'll be prompted to set a password for the keystore. Remember it, as you'll need it later!
* For converting certificate formats other than PEM, refer to the OpenSSL utility documentation.

```shell
openssl pkcs12 -export -name <alias> -in <cert.crt> -inkey <cert.key> -out <keystore.p12>
```

| Parameter | Value |
|---|---|
| pkcs12 | JVM keystore type. PKCS12 is recommended. |
| <alias> | Alias for searching in the keystore |
| <cert.crt> | Path to the certificate file in PEM format |
| <cert.key> | Path to the private key file in PEM format |
| <keystore.p12> | Name of the JVM keystore |

2. Using the keytool utility, add the root CA certificate to the JVM trusted keystore.
* If you're not using a self-signed certificate, you can skip this step; just install the standard CA certificates on your system.

```shell
keytool -importcert -alias <rootCA> -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit -file <rootCA.crt>
```

| Parameter | Value |
|---|---|
| <rootCA> | Alias for searching in the keystore |
| /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts | Default path to the JVM trusted certificates keystore when openjdk-11-jdk is installed. The java-11-openjdk-amd64 directory may vary depending on system architecture. |
| changeit | Default password for the JVM trusted certificates keystore |
| <rootCA.crt> | Path to the certificate file in PEM format |

3. Open the GitFlic application's application.properties file and add the configuration parameters according to your data.

* Parameters marked as mandatory must be present in the file!

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| server.ssl.enabled | Yes | true | Enable SSL support |
| server.ssl.protocol | No | TLS | Specify to use the TLS protocol |
| server.ssl.key-store | Yes | file:<path> | Absolute path to the keystore file created in step 1 |
| server.ssl.key-store-type | Yes | pkcs12 | Specify the keystore type |
| server.ssl.key-store-password | Yes | <secret> | Password for the keystore created in step 1 |
| server.ssl.key-alias | Yes | <alias> | Certificate/key pair alias specified in step 1 |
| server.ssl.key-password | No | <secret> | Password for the certificate/key pair within the JVM keystore created in step 1, if one was set. By default, no password is set. |
| server.ssl.trust-store | No | file:<path> | Absolute path to the JVM trusted certificates keystore file, if using a non-standard keystore |
| server.ssl.trust-store-password | No | <secret> | Password for the JVM trusted certificates keystore, if using a non-standard keystore |
| server.ssl.trust-store-type | No | pkcs12/jks | JVM trusted certificates keystore type |

* For a complete list of all available TLS/SSL configuration parameters, see this page.
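As an added pre-start check (not part of the GitFlic documentation), the following Python script parses an application.properties file and verifies the mandatory parameters from the table above, the `file:` prefix on absolute keystore paths, and that no `<placeholder>` values from the table were left in place. The sample properties are constructed for the example.

```python
"""Sanity-check the server.ssl.* block of a GitFlic application.properties file."""

# Mandatory parameters from step 3; a fixed value means the page prescribes it.
MANDATORY = {
    "server.ssl.enabled": "true",
    "server.ssl.key-store": None,
    "server.ssl.key-store-type": "pkcs12",
    "server.ssl.key-store-password": None,
    "server.ssl.key-alias": None,
}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value (or key:value) lines, #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_ssl_config(props: dict) -> list:
    """Return a list of problems; an empty list means the block is complete."""
    problems = []
    for key, expected in MANDATORY.items():
        if not props.get(key):
            problems.append(f"missing mandatory parameter {key}")
        elif expected is not None and props[key].lower() != expected:
            problems.append(f"{key} should be {expected}, got {props[key]}")
    # Keystore paths must be absolute and carry the file: prefix (step 3 table).
    for key in ("server.ssl.key-store", "server.ssl.trust-store"):
        path = props.get(key)
        if path is not None and not path.startswith("file:/"):
            problems.append(f"{key} must be an absolute path with the file: prefix")
    # Catch table placeholders such as <alias> or <secret> left unfilled.
    for key, value in props.items():
        if key.startswith("server.ssl.") and value.startswith("<") and value.endswith(">"):
            problems.append(f"{key} still contains the placeholder {value}")
    return problems


# Constructed samples: one complete block and one with typical mistakes.
SAMPLE_OK = """# constructed example, not a real deployment
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=file:/etc/gitflic/keystore.p12
server.ssl.key-store-type=pkcs12
server.ssl.key-store-password=example-password
server.ssl.key-alias=gitflic
"""
SAMPLE_BAD = """server.ssl.enabled=true
server.ssl.key-store=keystore.p12
server.ssl.key-store-type=jks
server.ssl.key-alias=<alias>
"""
```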

4. Start the GitFlic application. The web interface will be available at https://<server.address>:<server.port>
