
How to add a self-signed SSL certificate to a JHipster sample app?

Introduction

Adding a self-signed SSL certificate to a JHipster app is common for local development, staging demos, and internal test environments. The main steps are generating a keystore, configuring Spring Boot HTTPS properties, and trusting the certificate on client systems. Keep in mind that self-signed certificates are for non-production use unless your organization controls trust distribution.

Generate a Self-Signed Keystore

You can create a PKCS12 keystore with Java keytool.

bash
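# keytool does not create missing directories
mkdir -p src/main/resources/config/tls

# The SAN extension lists the names clients connect to; browsers match against SAN, not CN
keytool -genkeypair \
  -alias jhipster-local \
  -keyalg RSA \
  -keysize 2048 \
  -storetype PKCS12 \
  -keystore src/main/resources/config/tls/local-keystore.p12 \
  -validity 365 \
  -storepass changeit \
  -keypass changeit \
  -dname "CN=localhost, OU=Dev, O=Example, L=City, S=State, C=US" \
  -ext "SAN=dns:localhost,ip:127.0.0.1"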

This command creates a keystore file your app can load at startup.

Configure HTTPS in JHipster Spring Settings

Add SSL settings in the active profile YAML file, such as application-dev.yml.

yaml
server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:config/tls/local-keystore.p12
    key-store-password: changeit
    key-store-type: PKCS12
    key-alias: jhipster-local

If you keep both HTTP and HTTPS, ensure that the reverse proxy or frontend config points to the secure port for API calls.

Redirect HTTP to HTTPS for Local Validation

To test secure-only behavior, add a redirect configuration in Spring Security or in the proxy config. In many dev setups, keeping only the HTTPS port is simpler and avoids mixed-content issues.

For frontend apps served separately, update the API base URL to https://localhost:8443.

Trust the Certificate in Browser and Tools

A self-signed certificate is not trusted automatically by browsers or API tools. Export the certificate and import it into your local trust store.

bash
keytool -exportcert \
  -alias jhipster-local \
  -keystore src/main/resources/config/tls/local-keystore.p12 \
  -storetype PKCS12 \
  -storepass changeit \
  -rfc \
  -file local-cert.pem

Use this file for local browser trust, Postman certificate trust, or internal client setup.

Verify HTTPS End to End

Run the app and validate certificate details:

bash
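# Terminal 1: start the app (runs in the foreground)
./mvnw

# Terminal 2: -k skips certificate validation, so this only shows that the TLS listener responds
curl -vk https://localhost:8443/management/health
# Print the served certificate chain; </dev/null ends the session after the handshake
openssl s_client -connect localhost:8443 -showcerts </dev/null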

If the handshake succeeds and the health endpoint responds, the SSL setup is functioning.

Import Certificate into Java Truststore for Local Clients

If local Java clients call your JHipster service, they may reject the self-signed certificate unless it is trusted. Import the exported certificate into a dedicated truststore for development.

bash
keytool -importcert \
  -alias jhipster-local \
  -file local-cert.pem \
  -keystore local-truststore.jks \
  -storepass changeit \
  -noprompt

Then run the client with truststore settings:

bash
java -Djavax.net.ssl.trustStore=local-truststore.jks \
     -Djavax.net.ssl.trustStorePassword=changeit \
     -jar client-app.jar

This keeps local trust configuration explicit and avoids disabling SSL validation in code.

Keep Secrets Outside Source Control

Keystore files and passwords should not be hard-coded in tracked repository config. Use environment variables for password values and keep local keystore artifacts ignored by Git.

yaml
server:
  ssl:
    key-store-password: ${SSL_KEYSTORE_PASSWORD}

This is safer and mirrors production-style secret handling even in development setups.

Common Pitfalls

A common mistake is generating a certificate with a CN that does not match the host used in browser requests. Hostname mismatch warnings then appear.

Another issue is using the wrong keystore path prefix. Paths with the classpath: prefix must point to packaged resource locations.

A third issue is committing sensitive keystore passwords directly in public configuration files. Use environment overrides for shared repositories.
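
A pre-commit style check for the advice under "Keep Secrets Outside Source Control" and the third pitfall above, added here as an example (it is not part of the original page or of JHipster): it flags Spring Boot SSL password keys whose value is a literal instead of an environment placeholder. The function name, the sample files and the SSL_TRUSTSTORE_PASSWORD variable are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag literal TLS store passwords in Spring Boot YAML before commit.

# Prints "file:line: key ..." for each password key whose value is not a bare
# ${ENV_VAR} placeholder. Exit status is 1 if anything was flagged, else 0.
find_literal_ssl_passwords() {
  awk '
    /^[ \t]*(key-store-password|trust-store-password|key-password):/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/:.*$/, "", key)
      val = $0
      sub(/^[^:]*:[ \t]*/, "", val)        # drop the "key:" prefix
      sub(/[ \t]+#.*$/, "", val)           # drop a trailing YAML comment
      gsub(/^["\047]|["\047]$/, "", val)   # drop surrounding quotes
      # Allowed: empty value, or ${VAR} with no ":default" (a default is a literal)
      if (val == "" || val ~ /^[$][{][A-Za-z_][A-Za-z0-9_.]*[}]$/) next
      printf "%s:%d: %s is not an environment placeholder\n", FILENAME, FNR, key
      bad = 1
    }
    END { exit (bad ? 1 : 0) }
  ' "$@"
}

# Constructed sample input (hypothetical files, not from a real project).
sample_dir=$(mktemp -d)
cat > "$sample_dir/application-dev.yml" <<'EOF'
server:
  port: 8443
  ssl:
    key-store: classpath:config/tls/local-keystore.p12
    key-store-password: changeit
    key-alias: jhipster-local
EOF
cat > "$sample_dir/application-prod.yml" <<'EOF'
server:
  ssl:
    key-store-password: ${SSL_KEYSTORE_PASSWORD}
    trust-store-password: "${SSL_TRUSTSTORE_PASSWORD:changeit}"
EOF

find_literal_ssl_passwords "$sample_dir"/application-*.yml \
  || echo "literal TLS passwords found; move them to environment variables"
```

The second sample file shows the case that is easy to miss: a placeholder with a default value still puts the password in the repository, so it is flagged as well.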

Summary

  • Generate a local keystore with keytool for development SSL.
  • Configure Spring Boot SSL properties in JHipster profile files.
  • Export and trust the certificate for local clients.
  • Verify handshake and endpoint access with curl and OpenSSL.
  • Use self-signed certs only for controlled non-production contexts.
