Mule 4: Enable HTTPS Connector Using OpenSSL

DZone 's Guide to

Mule 4: Enable HTTPS Connector Using OpenSSL

Generate self-signed certificates with OpenSSL.

· Security Zone ·
Free Resource


This article demonstrates how to generate self-signed certificates and use a private key to configure the HTTPS connector using OpenSSL.

Generate Private Key and Public Cert Using OpenSSL

$ openssl req -newkey rsa:2048 -x509 -keyout cakey.pem -out cacert.pem -days 3650
Generating a RSA private key
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Dallas
Organization Name (eg, company) [Default Company Ltd]:GGL Consulting Inc
Organizational Unit Name (eg, section) []:EA
Common Name (eg, your name or your server's hostname) []:Gary Liu
Email Address []:gary.liu1119@gmail.com

The above command will generate two files:

  1. cakey.pem.
  2. cacert.pem.

The Mulesoft HTTPS TLS configuration supports three formats:

  1. JKS — Java Keystore.
  2. PKCS12 — for details refer to this page.
  3. JCEKS — Stands for Java Cryptography Extension KeyStore.

We need to convert the RAS format to PKCS12 using the following command:

$ openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name "mykey"
Enter pass phrase for cakey.pem:
Enter Export Password:
Verifying - Enter Export Password:

The above command generates a file, identity.p12, with the alias, mykey. Now, we can configure the HTTPS Connector.

Configure HTTPS Connector

The XML configuration will look like the following code block:

<http:listener-connection protocol="HTTPS" host="" port="443">
        <tls:key-store type="pkcs12" path="identity.p12" alias="mykey" keypassword="gary" password="gary">

The following snapshots show the procedures using Anypoint Studio:Anypoint Studio

Anypoint Studio

HTTP Listener configuration

HTTP Listener configuration

Invoke the Service

To test the service, we can use the following curl command:

$ curl -k -XGET https://localhost/helloworld  
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload   Upload  Total   Spent    Left  Speed100 
  100 31  100    31    0     0     31      0  0:00:01  0:00:01 --:--:--    29
    "message": "Hello, World"

Note -k option is to tell curl to accepted self-signed certificates.


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}