Free SSL Certificate for Play Framework by Ravinder Payal


Author : @Ravinder Payal

I understand that this is a simple thing, but it frustrates a lot when you don't have the recipe to make it work, so worry not: here are the complete steps. Follow them in the given sequence with a coffee in hand; by the time you finish the coffee, your Play Framework based server will be running with SSL/TLS.

To generate the TLS/SSL certificate using the DNS challenge, run:

sudo certbot certonly --manual  -m youremailaddress@example.com  --agree-tos -d subdomain.example.com  --preferred-challenges dns

On pressing Enter it will show something like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for subdomain.example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Please enter `Y` if you are OK with it and want to continue. `N` will close the request, as you must agree to IP logging to proceed.

On proceeding further it will ask you to add a TXT record under the given domain name, with `_acme-challenge.` prefixed to it:

Please deploy a DNS TXT record under the name
_acme-challenge.subdomain.example.com with the following value:

ROBJ8UCDCMV_Uc5m9oid1heU52wsgcYF1OK0-PbgQV4

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Before pressing Enter at the prompt to create the TXT record, confirm that the record has actually been published under the chosen name using `nslookup`:

nslookup -q=TXT _acme-challenge.subdomain.example.com

If it shows the same TXT value that Let's Encrypt asked for, you are good to go ahead.
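The `nslookup` check above compares the published value by eye. The following shell functions, an added example that is not part of the original post, do the comparison exactly: they pull every quoted TXT value out of resolver output (either `nslookup -q=TXT` or `dig +short TXT` format) and succeed only when the token certbot asked for is among them, so a stale record from a previous run cannot pass. The sample resolver output and the stale token are constructed; the token that matches is the one shown in the certbot prompt above.

```shell
# Added example, not part of the original post: check that the _acme-challenge
# TXT record visible in DNS carries exactly the token certbot asked for.
# Parses the output of either `nslookup -q=TXT` or `dig +short TXT`.
set -eu

# Print every quoted TXT value found in resolver output read from stdin.
#   nslookup prints:   _acme-challenge.example.com   text = "value"
#   dig +short prints: "value"
# ACME tokens are 43 characters, so they never span several quoted strings.
txt_values() {
  sed -n 's/.*"\([^"]*\)".*/\1/p'
}

# Succeed (exit 0) only if the expected token is one of the published values.
# Argument: expected token. Resolver output is read from stdin.
acme_txt_published() {
  txt_values | grep -Fxq -- "$1"
}

# Live check (needs network): query the record for a domain and compare.
# Arguments: domain, expected token, optional resolver address to bypass a
# local cache that may still hold an old or empty answer.
acme_txt_live_check() {
  nslookup -q=TXT "_acme-challenge.$1" ${3:+"$3"} | acme_txt_published "$2"
}

# Constructed sample output shaped like nslookup's, carrying the token from the
# certbot prompt above. The second sample is a stale record still serving an
# older (constructed) token, which must be rejected.
SAMPLE_CURRENT='Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
_acme-challenge.subdomain.example.com   text = "ROBJ8UCDCMV_Uc5m9oid1heU52wsgcYF1OK0-PbgQV4"'

SAMPLE_STALE='Non-authoritative answer:
_acme-challenge.subdomain.example.com   text = "OLD-TOKEN-FROM-A-PREVIOUS-RUN-constructed"'

EXPECTED_TOKEN='ROBJ8UCDCMV_Uc5m9oid1heU52wsgcYF1OK0-PbgQV4'

# Prints "ok" when the current sample matches and the stale one is rejected.
demo() {
  if printf '%s\n' "$SAMPLE_CURRENT" | acme_txt_published "$EXPECTED_TOKEN" \
     && ! printf '%s\n' "$SAMPLE_STALE" | acme_txt_published "$EXPECTED_TOKEN"; then
    echo ok
  else
    echo mismatch
  fi
}

demo
```

For a real run, call `acme_txt_live_check subdomain.example.com "$EXPECTED_TOKEN" 1.1.1.1` (or any public resolver) and only press Enter in certbot when it exits 0; an answer from a local caching resolver may lag behind the change you just made at your DNS provider.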

On completion you will find the certificate files in:

/etc/letsencrypt/archive/subdomain.example.com/

Note: You might need superuser access (`sudo su`) to read this directory and the files in it.

Now we need openssl to export the certificate chain and private key to Public-Key Cryptography Standards (PKCS) #12 (pkcs12) format, and then keytool to import the .p12 file into a JKS file. Run the following inside the archive directory listed above:

openssl pkcs12 -export -in fullchain1.pem -inkey privkey1.pem -out keystore.p12 -CAfile chain1.pem -caname root

It will ask for a password; enter any password of your choice and remember it, as it will be needed when importing the keystore into the Java Key Store (JKS). For reference I will call it the source keystore password.

Now that the .p12 file has been generated with openssl from the certificate files issued by Let's Encrypt, we use keytool to import it into a JKS (Java Key Store):

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore cert.jks -deststoretype jks

It will print something like this:

Importing keystore keystore.p12 to cert.jks...
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore cert.jks -destkeystore cert.jks -deststoretype pkcs12".

On pressing Enter it will ask you for the destination keystore password; enter any password but remember it, as we need to provide it to Play Framework. After that you will need to provide the source keystore password, which you entered while running the openssl command. Once all the commands have run successfully in the right sequence you will get the Java Key Store (`JKS`) file as `cert.jks`. Put `cert.jks` in the conf directory in the root of the Play project, and when running Play Framework provide the SSL certificate like this:

-Dhttps.port=443 -Dplay.server.https.keyStore.path=cert.jks -Dplay.server.https.keyStore.password=your_destination_keystore_password

Note: Please use the same password for the .p12 and the .jks, otherwise Play won't be able to read both the certificate and the private key: the key entry imported into the JKS stays protected by the source keystore password, while Play only receives the one keystore password configured above.

Converting .crt to .jks

At times we may receive a certificate issued to us in .crt format. For this we need the same commands, along with the .crt file for the domain, the root Certificate Authority's .crt file and the private key (stored in a .pem or .key file).

Step 1

openssl pkcs12 -export -in sslcert/domain_ext.crt  -inkey sslcert/privkey.key -CAfile sslcert/ROOT_CERT_AUTHORITY.crt  -out intermediate.p12

Step 2

keytool -importkeystore -srckeystore intermediate.p12 -srcstoretype pkcs12 -destkeystore cert.jks -deststoretype jks

And you will have the certificate in Java Key Store (JKS) format. Look for cert.jks in the present working directory (pwd) of the terminal.

Bonus Content

Command to check that the exported Java Key Store is valid:

keytool -v -list -keystore cert.jks

It will ask for the password; enter the same password you used when importing the Public-Key Cryptography Standards (PKCS) #12 (.p12) file into the Java Key Store (JKS). If you enter the wrong password, it will tell you the keystore was tampered with or the password was incorrect. With the correct password you will see the contents of the keystore. Look for the subject keyword and the mention of your domain name, and check whether the certificate authority is mentioned.
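The openssl and keytool steps above (both the Let's Encrypt .pem case and the .crt case) and the keystore check from this bonus section, wrapped into shell functions as an added example that is not from the original post. It uses one password for both stores as the note above requires, passes it non-interactively through `-passout` and `-srcstorepass`/`-deststorepass`, and verifies the exported keystore by reading the certificate subject back out of it instead of inspecting `keytool -v -list` by eye. The demo generates a throwaway self-signed certificate as a stand-in for the files under /etc/letsencrypt; the alias `play` and the password `changeit` are assumptions, and the JKS step runs only when a JDK's `keytool` is installed.

```shell
# Added example, not from the original post: the PEM -> PKCS#12 -> JKS steps as
# functions, using one password for both stores and verifying the result.
set -eu

# Export a certificate chain and private key to PKCS#12.
# Arguments: fullchain.pem (or domain.crt) privkey.pem out.p12 password
# -chain/-CAfile are not needed when the input file already carries the
# intermediates, as Let's Encrypt's fullchain1.pem does.
pem_to_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
    -name play -passout "pass:$4"
}

# Import the PKCS#12 into a JKS. The same password is used for the source and
# the destination store, which is what Play expects (see the note above).
# Arguments: in.p12 out.jks password
p12_to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
    -destkeystore "$2" -deststoretype jks \
    -srcstorepass "$3" -deststorepass "$3" -noprompt
}

# Print the CN of the leaf certificate inside a PKCS#12 file, the same
# "subject" check that keytool -v -list is inspected for above.
# Arguments: file.p12 password
p12_subject_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Self-contained demo: a throwaway self-signed certificate (constructed, an
# assumption) stands in for the Let's Encrypt files. Returns the CN read back
# from the exported keystore.
demo_keystore_cn() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=subdomain.example.com" \
    -keyout "$dir/privkey1.pem" -out "$dir/fullchain1.pem" 2>/dev/null
  pem_to_p12 "$dir/fullchain1.pem" "$dir/privkey1.pem" "$dir/keystore.p12" changeit
  cn=$(p12_subject_cn "$dir/keystore.p12" changeit)
  # keytool ships with the JDK only; skip the JKS conversion when absent.
  if command -v keytool >/dev/null 2>&1; then
    p12_to_jks "$dir/keystore.p12" "$dir/cert.jks" changeit >/dev/null 2>&1
  fi
  rm -rf "$dir"
  printf '%s\n' "$cn"
}

demo_keystore_cn
```

Passing the password as `pass:...` keeps the run scriptable but exposes it in the process list and shell history; for anything beyond a one-off conversion, openssl's `env:VAR` or `file:PATH` forms of `-passout`/`-passin` keep it off the command line. Whatever subject CN the function prints for a real keystore should be the domain you requested the certificate for, which is the same thing the bonus check above asks you to look for.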

Cheers, enjoy the additional security layer provided by TLS/SSL.

Please do comment if you have any doubts, I will revert back within a day.


Written on July 20, 2019