How to configure an SSL Certificate with Play Framework for https

sslI spent hours try­ing to get this to work, and in the end, then prob­lem was that I did not gen­er­ate the CSR (Cer­tifi­cate Request) myself with the keytool.

I kept get­ting this error when I tried access­ing Play with https:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

The prob­lem ended up being that the key­store I cre­ated and imported the SSL cer­tifi­cate into did not have the pub­lic key that was used for the CSR (cer­tifi­cate request).

So here it the quick ver­sion of gen­er­at­ing an SSL Cer­tifi­cate with godaddy​.com and installing it with Play Frame­work 2.1+.

  1. Fol­low these instruc­tions from godaddy​.com to gen­er­ate the CSR like this:

    First gen­er­ate the key pair like this:

    keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

    Then gen­er­ate the CSR:

    keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore
  2. Use the CSR to apply for certificate
  3. Add the Inter­me­di­ate Cer­tifi­cate Bun­dle and the Cer­tifi­cate that were gen­er­ated to your key­store.
    NOTE: make sure this is the same key­store that you gen­er­ated the pri­vate key in, in step 1!

    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_bundle.crt
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file mycert.crt

    (Replace mycert.crt with the file name and loca­tion of the new GoDaddy certificate)

  4. Finally, fol­low­ing the instruc­tions for con­fig­ur­ing https with Play 2.1+ ( http://​www​.playframe​work​.com/​d​o​c​u​m​e​n​t​a​t​i​o​n​/​2​.​2​.​1​/​C​o​n​f​i​g​u​r​i​n​g​H​t​tps ) which had already worked great with the self gen­er­ated key, I cre­ated a shell script for start­ing Play with the cor­rect parameters:
    # script for starting play in production with SSL and the keystore
    target/start -Dhttps.port=443 -Dhttps.keyStore=/Users/bp/mypath/tomcat.keystore -Dhttps.keyStorePassword=itl80809

Note: you need to do a “play dist” before­hand, so that the cur­rent Soft­ware is com­piled into a dis­tri­b­u­tion in the tar­get subdirectory.
 

Related Whitepaper:

Web Application Security; How to Minimize Prevalent Risk of Attacks

Vulnerabilities in web applications are now the largest vector of enterprise security attacks.

Stories about exploits that compromise sensitive data frequently mention culprits such as cross-site scripting, SQL injection, and buffer overflow. Vulnerabilities like these fall often outside the traditional expertise of network security managers.

Get it Now!  

Leave a Reply


− six = 3



Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy
All trademarks and registered trademarks appearing on Java Code Geeks are the property of their respective owners.
Java is a trademark or registered trademark of Oracle Corporation in the United States and other countries.
Java Code Geeks is not connected to Oracle Corporation and is not sponsored by Oracle Corporation.

Sign up for our Newsletter

20,709 insiders are already enjoying weekly updates and complimentary whitepapers! Join them now to gain exclusive access to the latest news in the Java world, as well as insights about Android, Scala, Groovy and other related technologies.

As an extra bonus, by joining you will get our brand new e-books, published by Java Code Geeks and their JCG partners for your reading pleasure! Enter your info and stay on top of things,

  • Fresh trends
  • Cases and examples
  • Research and insights
  • Two complimentary e-books