Create SSL based service


SSL certificates are used to secure the transport layer and create a secure communication channel between the service caller and the server. The SSL channel authenticates the identity of the caller with the server and encrypts the data exchanged between the caller and the server. In an organization it’s standard to have only SSL based services.

Please go through to understand more about keystore generation.


To start with, we first have to create the server-side certificate using the Java keytool (keytool.exe).

Go to the JDK bin directory and run the command below

java-home/bin/keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks


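  • alias is the name of the key entry in the keystore (here, the server name)
  • keyalg is the key algorithm name
  • keypass is the password for the private key and storepass is the password for the keystore (both are changeit here)
  • keystore is the keystore file name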

Let’s change it to suit our organization’s needs

java-home/bin/keytool -genkey -alias mulesy-server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

example –

D:\Softwares\jdk1.8.0_172\bin>keytool -genkey -alias mulesy-server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
What is your first and last name?
  [Unknown]:  Mulesy Mulesy
What is the name of your organizational unit?
  [Unknown]:  Education
What is the name of your organization?
  [Unknown]:  Mulesy
What is the name of your City or Locality?
  [Unknown]:  Delhi
What is the name of your State or Province?
  [Unknown]:  Delhi
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Mulesy Mulesy, OU=Education, O=Mulesy, L=Delhi, ST=Delhi, C=IN correct?
  [no]:  Yes

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

D:\Softwares\jdk1.8.0_172\bin>keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12
Enter source keystore password:
Entry for alias mulesy-server successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Migrated "keystore.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "keystore.jks.old".


This will create a keystore in the bin directory


The same certificate can be signed by any CA to make it a trusted certificate – more details

Most MuleSoft developers don’t have to do this key generation themselves, as the keystore is provided by the network or server maintenance team. So please check with them first.

Let’s use the same keystore.jks for our SSL based api.

Create a mule application and add HTTP listener


Add keystore.jks in src\main\resources folder


Click on connector configuration

Change the HTTP to HTTPS and port to 443


We can now add the information in keystore configuration

Please note that we changed the JKS keystore to pkcs12 format while generating the keystore above

Click OK and run the application
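
The listener settings from the steps above written out as Mule XML, as an added example that is not taken from the original post or its sample application. It assumes Mule 4; the config name, host, flow name, path and payload are hypothetical, while the keystore file, type, alias and passwords are the ones generated earlier.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">

  <!-- Config name and host are hypothetical; protocol and port follow the steps above -->
  <http:listener-config name="HTTPS_Listener_config">
    <http:listener-connection protocol="HTTPS" host="0.0.0.0" port="443">
      <tls:context>
        <!-- path is resolved from src/main/resources.
             type is pkcs12 because keytool migrated keystore.jks to PKCS12;
             the .jks file extension does not change the actual format.
             alias, keyPassword and password are the -alias, -keypass and
             -storepass values given to keytool (tutorial sample values). -->
        <tls:key-store type="pkcs12"
                       path="keystore.jks"
                       alias="mulesy-server"
                       keyPassword="changeit"
                       password="changeit"/>
        <!-- No tls:trust-store here: the listener only presents its own
             certificate. A trust store is needed on the listener only for
             two-way TLS, where callers must present certificates too. -->
      </tls:context>
    </http:listener-connection>
  </http:listener-config>

  <!-- Flow name, path and payload are hypothetical -->
  <flow name="ssl-sample-flow">
    <http:listener config-ref="HTTPS_Listener_config" path="/hello"/>
    <set-payload value="Hello over HTTPS"/>
  </flow>
</mule>
```

If the type attribute does not match the real format of the keystore file, the keystore fails to load when the application starts.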

Now if we call the API in Chrome, we see the error below


The error appears because the browser only trusts certificates signed by a trusted CA. As we created the certificate for our internal use (it is still not signed by any CA), this is expected.


Click on Advanced – this explicitly tells the browser that it’s safe to call this service.


Now we can see the response from our API

Click on Not secure and click on certificate


It will show the same information which we have used to generate the keystore


More details


Sample application – ssl-sample

1 year ago

Hi Mulesy,

I found your website; it’s really awesome, with deep explanation, and easy to understand.

I’m facing a General SSL engine problem while calling the ABC service system. They have shared a .jks certificate, a .pfx certificate and a password, and I have followed the same steps which you have mentioned, but it is still General SSL engine, and when I check the insecure option I’m getting a failed bad certificate issue. Can you please help with this issue?

Thanks & Regards,

1 year ago
Reply to  admin

Yes, I have configured the trust store only, and I tried both approaches, with the insecure check and without the insecure check, but I am still getting the same issue: when I check insecure it says bad certificate and failed, and when I try without insecure it throws the General SSL engine issue. The issue is not resolved.

11 months ago

Hi! Thanks for your explanation!
I have a problem because my API was working great but suddenly started to fail, giving me the following message:

ERROR 2021-05-23 18:52:43,446 [http.listener.02 SelectorRunner] org.mule.service.http.impl.service.server.grizzly.MuleSslFilter: SSL handshake error: Received fatal alert: certificate_unknown

Do you have any idea? Because I was developing some new stuff and now it’s broken T-T

11 months ago
Reply to  admin

Thanks for your response, this error is really weird. I “resolved” it by creating a new project and configuring everything again. I even use the same keystore, and at first it works. But it has already happened 3 more times. :S

More information:
In TLS I don’t have any value in trust store but I use key store config.