Configuring HTTPS

Configuring HTTPS in a Helidon Project Using a Self-Signed Certificate

Prerequisites

  • OpenSSL installed on the system.

Step 1: Generate a Self-Signed Certificate

To enable HTTPS, we first need to generate a self-signed certificate and keystore.

1.1. Generate a Root CA Key and Certificate

openssl req -x509 -sha256 -days 1825 -newkey rsa:4096 -keyout rootCA.key -passout pass:password -subj "/C=CZ/ST=Prague/L=Prague/O=Oracle/OU=Helidon/CN=com.helidon.https.sample" -out rootCA.crt

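Replace the sample password and the -subj values with your own. A password supplied with pass: on the command line ends up in shell history and is visible in the process list.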

  • This command generates a root CA certificate (rootCA.crt) and a private key (rootCA.key).

  • The certificate is valid for 5 years (1825 days).

  • The CA key is used to sign other certificates; clients that trust rootCA.crt will trust the certificates it signs.

1.2. Generate a Private Key for the Server

openssl genrsa -des3 -passout pass:password -out server.key 4096

  • A 4096-bit private key (server.key) is generated.

  • The key is encrypted using a password for added security.

1.3. Create a Certificate Signing Request (CSR)

openssl req -key server.key -passin pass:password -subj "/C=CZ/ST=Prague/L=Prague/O=Oracle/OU=Helidon/CN=com.helidon.https.sample.io" -new -out server.csr

Note: The Common Name (CN) in the server certificate must be different from the CN of the CA certificate.

  • The CSR (server.csr) contains information about the server.

  • It is required to obtain a certificate signed by the CA.

1.4. Configure Additional X.509 Extensions

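Create the file server.ext with the following commands (the output is redirected with > so that re-running them overwrites the file instead of appending duplicate entries):

(
echo authorityKeyIdentifier=keyid,issuer
echo basicConstraints=CA:FALSE
echo subjectAltName = @alt_names
echo [alt_names]
echo DNS.1 = localhost
echo DNS.2 = custom.test.domain
) > server.ext

  • Defines subject alternative names (SANs), so the certificate is valid for each listed host name.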

  • Specifies that this certificate is not a CA certificate.

1.5. Generate a Signed Server Certificate

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in server.csr -out server.crt -days 1825 -CAcreateserial -passin pass:password -extfile server.ext

  • The CSR is signed using the CA key to produce the server certificate (server.crt).

  • Clients that trust rootCA.crt will accept the server certificate within the local environment.

1.6. Convert Certificate to PKCS12 Format

openssl pkcs12 -inkey server.key -in server.crt -export -passin pass:password -passout pass:password -out server.p12

  • Converts the server certificate and private key into PKCS12 format (server.p12).

  • This is the keystore format used by the Helidon TLS configuration in Step 2.

1.7. Place the Keystore in the Project

Move server.p12 to the base directory of the project.
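
Before pointing Helidon at server.p12, it is worth confirming that the files from steps 1.1 to 1.6 fit together. The script below is an added example, not part of the original guide: it checks the chain to rootCA.crt, the SAN entry for the host, the CA:FALSE constraint, and that the keystore opens and holds the key matching server.crt. The function name check_tls_material and the P12_PASS environment variable are assumptions made for this example; the passphrase is read through OpenSSL's env: source so it stays off the command line.

```shell
#!/bin/sh
# Added example (not from the original guide): check the Step 1 output files.
# Usage: P12_PASS=... sh check_tls.sh rootCA.crt server.crt server.p12 localhost
# check_tls_material and P12_PASS are hypothetical names chosen for this example.

check_tls_material() {
    ca=$1 crt=$2 p12=$3 host=$4 rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # 1. The server certificate must chain to the root CA that clients trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        fail "$crt does not verify against $ca"

    # 2. The host name clients connect to must be covered by the SAN list.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match' || fail "$host is not covered by $crt"

    # 3. server.ext sets basicConstraints=CA:FALSE; confirm it was applied.
    openssl x509 -in "$crt" -noout -text 2>/dev/null |
        grep -q 'CA:FALSE' || fail "$crt is not marked CA:FALSE"

    # 4. The keystore must open with the passphrase (read from the environment
    #    via env:, not from argv) and hold the key matching the certificate.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || true
    p12_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null) || true
    if [ -z "$p12_pub" ]; then
        fail "cannot read a private key from $p12 (wrong passphrase?)"
    elif [ "$crt_pub" != "$p12_pub" ]; then
        fail "private key in $p12 does not match $crt"
    fi
    return "$rc"
}

# Run only when all four arguments are supplied.
if [ "$#" -eq 4 ]; then check_tls_material "$@"; fi
```

The function returns 0 only when every check passes and prints one FAIL line per problem to stderr otherwise.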

Step 2: Configure Helidon for HTTPS

2.1. Update application.yaml file

Edit application.yaml:

server:
   port: 6060
   tls:
      enabled: true
      private-key:
         keystore:
            resource:
               path: server.p12
            passphrase: password

Step 3: Verify HTTPS Configuration

3.1. Start the Helidon Server

3.2. Check Server Logs for HTTPS Initialization

Look for output similar to the following; the port shown is the one set under server.port in application.yaml:

Server started on https://localhost:8080 (and all other host addresses)

3.3. Test HTTPS Endpoint

Access the application in a browser:

https://localhost:8080/greet

If you see a security warning, add the rootCA.crt certificate to your Windows trusted store or proceed with an exception.

In Postman, add rootCA.crt in the Settings → Certificates section.

Conclusion

By following these steps, HTTPS is successfully configured in the Helidon application using a self-signed certificate. In a production setup, it is highly recommended to use a CA-signed certificate and secure keystore management practices.