
In today’s world, secure communication is a must, but not every developer has had the opportunity to work with SSL/TLS certificates directly. In this guide, I’ll walk you through the process of obtaining and setting up an SSL certificate for both the Java Keystore and AWS Application Load Balancer (ALB).
Step 1: Request a Certificate
The first step to secure communication is requesting an SSL certificate. This requires generating a Certificate Signing Request (CSR), which your Certificate Authority (CA) will use to issue the certificate.
To create a .csr file, run the following openssl command:
openssl req -newkey rsa:2048 -keyout private_key.pem -out new_cert.csr

The command generates a fresh 2048-bit RSA key, prompts for a passphrase to encrypt it (Step 3 removes that passphrase again for AWS), then prompts for the subject fields; the Common Name is the hostname you are securing, in this guide's example the wildcard *.some.com. Modern browsers and CAs match the hostname against the Subject Alternative Name rather than the CN; DigiCert fills the SAN in from your order. This creates private_key.pem (your private key, which must never be shared or submitted anywhere) and new_cert.csr. Submit only new_cert.csr to your cloud team or directly to your CA, such as DigiCert, and they will return the certificate files. Typically, you'll receive files like:
certificate.crt – Your main (leaf) certificate
DigiCertCA.crt – The certificate chain (DigiCert's intermediate certificates)
Store these files securely. The .crt files are public, but private_key.pem must be kept under tight access control; a private S3 bucket with encryption at rest, a restrictive bucket policy and public access blocked is a reasonable home for it.
Step 2: Importing the Certificate into Java Keystore
With the certificate in hand, we need to add it to the Java Keystore so your Java application can use it. Follow these steps:
1. First, list any existing certificates in the keystore to ensure you’re working with the correct alias:
keytool -list -v -keystore /data/ssl/keystore.jks -storepass changeit -alias "*.some.com"

2. If needed, delete any old certificate associated with your domain:

keytool -delete -alias "*.some.com" -keystore "/data/ssl/keystore.jks"

3. Bundle the private key, the new certificate and the intermediate chain into a PKCS#12 (.pfx) file, the format keytool can import a key pair from. Including the chain with -certfile matters: without it the Java server presents only the leaf certificate, and clients that do not already hold the DigiCert intermediate cannot validate it:

openssl pkcs12 -export -out /data/ssl/cert.pfx -name "*.some.com" -inkey private_key.pem -in certificate.crt -certfile DigiCertCA.crt

You will be asked for the private key's passphrase and then for an export password for the .pfx file; the next step passes that export password as -srcstorepass (the example uses changeit for both the export password and the keystore password; substitute your own).

4. Finally, import it into the Java Keystore. keytool -importkeystore spells the alias option -srcalias/-destalias; -name from the previous step is what -srcalias refers to:

keytool -importkeystore -srckeystore /data/ssl/cert.pfx -srcstoretype PKCS12 -srcstorepass changeit -destkeystore /data/ssl/new_keystore.jks -deststorepass changeit -srcalias "*.some.com" -destalias "*.some.com"

Point -destkeystore at the existing /data/ssl/keystore.jks instead if the new entry should replace the one deleted in step 2; otherwise update the application's configuration to reference new_keystore.jks. Re-run the keytool -list command from step 1 and confirm the entry shows "Certificate chain length: 2", i.e. the intermediate made it in.

Step 3: Prepare the Certificate for AWS Certificate Manager
For AWS ALB, AWS Certificate Manager (ACM) requires the private key in PEM format without passphrase encryption. Remove the passphrase you set in Step 1 as follows (you will be prompted for it):

openssl rsa -in private_key.pem -out private_key-decrypted.pem

Treat private_key-decrypted.pem as a short-lived artifact that exists only so ACM can read the key: keep it off S3 and shared drives, and delete it as soon as the import in Step 4 succeeds.

Step 4: Import the Certificate into AWS ACM
1. Navigate to AWS Certificate Manager and select the Import a certificate option.
2. Paste in:
- Certificate body: the contents of certificate.crt
- Certificate private key: the contents of private_key-decrypted.pem
- Certificate chain: the contents of DigiCertCA.crt
3. After importing, go to EC2 Dashboard > Load Balancers.
4. Select your ALB, then go to the Listeners and Rules tab.
5. Choose Manage listener > Edit Listener.
6. Under Secure listener settings, select the new certificate from ACM and save your changes.
Step 5: Verify the Certificate
Once the setup is complete, open your application's URL in a browser and confirm that the connection is reported as secure and that the certificate shown is the new one (check the issuer and the expiry date, not just the padlock). A browser that has already cached the DigiCert intermediate can hide a missing chain, so also check from the command line with openssl s_client -connect host:443 -servername host: the Certificate chain section should list both the leaf (0) and the intermediate (1), and the output should end with "Verify return code: 0 (ok)".
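The whole procedure, as an added example that is not part of the original post: a bash pre-flight script built from the same openssl, keytool and AWS CLI tools the steps above use. It checks that private_key.pem, new_cert.csr and certificate.crt all carry the same public key (the classic "wrong key for this certificate" mistake), validates the leaf against DigiCertCA.crt, builds the .pfx with the chain included, and provides CLI equivalents of the keystore import, the ACM import, the listener update and the final check. The hostname, listener ARN, passwords and the KEY_PASSIN variable are placeholders and assumptions, not values from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a pre-flight script that ties the
# steps above together and checks each artifact before it is imported anywhere.
# File names are the post's (private_key.pem, new_cert.csr, certificate.crt,
# DigiCertCA.crt); hostnames, ARNs and passwords are placeholders.
set -eu

# Passphrase for private_key.pem in openssl -passin syntax ("pass:secret" or
# "file:/path/to/passfile"). The empty default is fine for an unencrypted key.
KEY_PASSIN="${KEY_PASSIN:-pass:}"

# Print the public key (SubjectPublicKeyInfo PEM) carried by a private key, a CSR
# or a certificate. All three yield identical text for the same key pair.
pubkey_pem() {
  case "$1" in
    key)  openssl pkey -in "$2" -passin "$KEY_PASSIN" -pubout ;;
    csr)  openssl req  -in "$2" -pubkey -noout ;;
    cert) openssl x509 -in "$2" -pubkey -noout ;;
    *)    echo "pubkey_pem: unknown kind '$1'" >&2; return 2 ;;
  esac
}

# SHA-256 of that public key, as hex.
pubkey_fingerprint() {
  pubkey_pem "$1" "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if both objects parsed and carry the same public key.
same_pubkey() {  # usage: same_pubkey key private_key.pem cert certificate.crt
  local a b
  a=$(pubkey_fingerprint "$1" "$2") && b=$(pubkey_fingerprint "$3" "$4") \
    && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Does the leaf chain through the intermediates in $2? $3 optionally names an
# explicit trust anchor (used by the tests); omit it to use the system store.
verify_chain() {  # usage: verify_chain certificate.crt DigiCertCA.crt [root.crt]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
  else
    openssl verify -untrusted "$2" "$1"
  fi
}

# Step 2.3 with the chain included (-certfile). Add -legacy if an older JDK
# cannot read the PKCS#12 encryption OpenSSL 3 uses by default.
build_pkcs12() {  # usage: build_pkcs12 key cert chain out.pfx alias export_password
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
    -name "$5" -passin "$KEY_PASSIN" -passout "pass:$6"
}

# Certificates inside the .pfx; expect 2 (leaf plus DigiCert intermediate).
pkcs12_cert_count() {  # usage: pkcs12_cert_count cert.pfx export_password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# Step 2.4, then confirm the chain length keytool recorded for the entry.
import_into_jks() {  # usage: import_into_jks cert.pfx keystore.jks alias export_pw store_pw
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$4" \
    -destkeystore "$2" -deststorepass "$5" -srcalias "$3" -destalias "$3" -noprompt
  keytool -list -v -keystore "$2" -storepass "$5" -alias "$3" | grep 'Certificate chain length'
}

# Steps 3 and 4 through the AWS CLI. The decrypted key lives only in a temp file
# that is shredded (GNU coreutils) once ACM has it. The listener ARN is a
# placeholder; take it from `aws elbv2 describe-listeners` for your ALB.
acm_import_and_attach() {  # usage: acm_import_and_attach key cert chain listener_arn
  local tmpkey arn
  tmpkey=$(mktemp)
  openssl rsa -in "$1" -passin "$KEY_PASSIN" -out "$tmpkey"
  arn=$(aws acm import-certificate --certificate "fileb://$2" \
        --private-key "fileb://$tmpkey" --certificate-chain "fileb://$3" \
        --query CertificateArn --output text)
  shred -u "$tmpkey"
  aws elbv2 modify-listener --listener-arn "$4" --certificates "CertificateArn=$arn"
}

# Step 5 from the command line. A browser that cached the DigiCert intermediate
# can hide a missing chain; s_client does not. Expect "Verify return code: 0 (ok)".
check_endpoint() {  # usage: check_endpoint app.some.com [port]
  local out
  out=$(openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null)
  printf '%s\n' "$out" | grep 'Verify return code'
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates
}

# Offline checks on the post's four files: `bash ssl-preflight.sh check`
preflight() {  # usage: preflight key csr cert chain [root]
  local rc=0
  same_pubkey key "$1" csr "$2"  && echo "ok: $2 was generated from $1" \
    || { echo "FAIL: $2 does not match $1" >&2; rc=1; }
  same_pubkey key "$1" cert "$3" && echo "ok: $3 was issued for $1" \
    || { echo "FAIL: $3 does not match $1" >&2; rc=1; }
  verify_chain "$3" "$4" "${5:-}" || { echo "FAIL: $3 does not chain through $4" >&2; rc=1; }
  return $rc
}

if [ "${1:-}" = "check" ]; then
  preflight private_key.pem new_cert.csr certificate.crt DigiCertCA.crt
fi
```

Run `bash ssl-preflight.sh check` in the directory holding the four files before touching the keystore or ACM, or source the file to call the individual functions. verify_chain without a third argument relies on the machine's trust store containing DigiCert's root, which is exactly the position a client on the internet is in, so a failure there is a real finding rather than a local quirk.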
By following these steps, you’ve successfully set up SSL/TLS encryption for your Java application and ALB on AWS!