# Creating a Spring Boot Web (REST) service with SSL and Client Authentication

We will refer to: https://dzone.com/articles/securing-rest-apis-with-client-certificates

## Situation/Problem

We need to set up a Spring Boot Web (REST) service with both SSL and Client Authentication (two-way authentication, also called X509 authentication or mutual TLS).

## Action/Solution

1. We create the necessary keys, certificates and keystores.

   ```bash
   ./04_gen_certs.sh
   ```

   Note: the commands in the source (dzone) link have typos. Refer to `04_gen_certs.sh` for a corrected version. In this exercise, we make sure both common names are 'localhost' and both passwords are 'abcd1234'.

2. Add the following properties to `application.properties`:

   ```properties
   # Define a custom port (instead of the default 8080)
   server.port=8443
   # The format used for the keystore
   server.ssl.key-store-type=PKCS12
   # The path to the keystore containing the certificate
   server.ssl.key-store=file:/path/to/ssl/server/keyStore.p12
   # The password used to generate the certificate
   server.ssl.key-store-password=abcd1234
   # Trust store that holds SSL certificates.
   server.ssl.trust-store=file:/path/to/ssl/server/trustStore.jks
   # Password used to access the trust store.
   server.ssl.trust-store-password=abcd1234
   # Type of the trust store.
   server.ssl.trust-store-type=JKS
   # Whether client authentication is wanted ("want") or needed ("need").
   server.ssl.client-auth=need
   ```

   With `need`, the TLS handshake itself rejects any client that does not present a certificate signed by a CA in `trustStore.jks`; with `want`, clients without a certificate are still let through and the service has to decide what to do with them.

3. Run the service.

4. Install `/path/to/ssl/client/client_pavel.p12` (in Windows, double-clicking will do).

5. Try the service from a browser. The browser will ask which certificate to use (you will see 'localhost' there).
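The properties above make the servlet container verify the client certificate, but the application still has to look at *which* client connected. The controller below is an added example, not code from the dzone article or from this repository: it reads the verified chain the container exposes under the `javax.servlet.request.X509Certificate` request attribute (Spring Boot 2.x / `javax` namespace is assumed), returns the leaf certificate's identity, and handles the `client-auth=want` case where no chain is present. The package name, the `/whoami` path and the `ALLOWED_SUBJECTS` allow-list are assumptions made for the illustration.

```java
package com.example.mtls; // hypothetical package name

import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    // Attribute under which Tomcat/Jetty/Undertow expose the client chain
    // that already passed trust-store validation during the TLS handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Subjects this service accepts (assumption: matches the client cert
    // generated with CN=localhost in step 1). Authorization is still the
    // application's job even though the handshake did the authentication.
    private static final Set<String> ALLOWED_SUBJECTS = Set.of("CN=localhost");

    @GetMapping("/whoami")
    public ResponseEntity<Map<String, String>> whoAmI(HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        // With server.ssl.client-auth=need this branch is unreachable, because the
        // handshake fails first; with "want" it is the only place the gap is caught.
        if (chain == null || chain.length == 0) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Map.of("error", "no client certificate presented"));
        }

        X509Certificate leaf = chain[0]; // chain[0] is the client's own certificate
        String subject = leaf.getSubjectX500Principal().getName();

        if (!ALLOWED_SUBJECTS.contains(subject)) {
            // Valid certificate from a trusted CA, but not an identity we serve.
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
                    .body(Map.of("error", "subject not allowed", "subject", subject));
        }

        return ResponseEntity.ok(Map.of(
                "subject", subject,
                "issuer", leaf.getIssuerX500Principal().getName(),
                "serial", leaf.getSerialNumber().toString(16),
                "notAfter", leaf.getNotAfter().toString()));
    }
}
```

Calling `https://localhost:8443/whoami` with `client_pavel.p12` selected in the browser shows the subject and issuer the trust store validated; a certificate from a CA that is not in `trustStore.jks` never reaches this code when `client-auth=need` is set.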