Wednesday, April 4, 2012

Part 1 - x509 Authentication with Spring, Eclipse, Jetty and Maven


I've seen a few posts to Stack Overflow recently regarding x509 authentication using Spring. I know from my own experience that finding a single tutorial that has everything in one place is difficult, so I'd thought I would put one together that covers pretty much everything you need to get a simple web application going

I'm going to break this up into 4 parts:
  • Part 1 : Generation of a client & server self-signed certificates (with common self-signed CA root certificate)
  • Part 2 : Maven web application archetype generation and maven-jetty-plugin confguration
  • Part 3 : Using a simple in-memory authorization provider
  • Part 4 : Web application debugging using Eclipse

Part 1 - Certificate generation

I am going to present the generation of the client and server certificates signed by a common CA root certificate. Using a common root certificate is more like what you would have in a production environment and makes the creation of a simple trust stores easy.

Automated Script

So time for a bit of an explanation. We need to create 4 components:
  • CA root certificate - This is our Certificate Authority (CA). Using this certificate, we can create certificates for the client and server which are issued by the CA.
    • CA.key - Private key for the CA
    • CA.crt - Public key for the CA
  • Server certificate - This is our Server certificate - used by the web server to provide identity information about itself to clients.
    • server.key - Private key for the server
    • server.csr - Certificate request for the server (used by the CA when creating the server public key)
    • server.crt - Public key for the server
  • Client certificate - This is our Client certificate - used by the browser or another client (java) to provide identity to the server.
    • client.key - Private key for the client
    • client.csr - Certificate request for the client (used by the CA when creating the client public key)
    • client.crt - Public key for the client
  • Java trust store - This is our store of certificates that should be trusted. It's used by the web server or java client to validate whether the certificate for the other side of the link can be used to communicate. By using a common CA root certificate, we can create and use a single truststore on both the web server and java client.


  1. Great post! I'm a newbie on the subject. I found the option for keytool "-importcert" is more "-import" as I was getting an error. I might be wrong.

    Thank you

    1. Esteban - good catch, i'll update, thanks!