Friday, March 30, 2018

How To? Mule 4 - 2Way SSL (Two Way SSL) for Anypoint MuleSoft CloudHub or OnPrem

Six easy steps to configure two-way SSL (mutual TLS) for your MuleSoft application:


Note: The hostname or IP in the certificate must exactly match the one clients use to connect; otherwise the certificate is not valid for the connection.

Step 1: Generate the server's RSA key pair and self-signed certificate in server.keystore.
keytool -noprompt -validity 365 -genkey -v -alias server -keyalg RSA -keystore ../ssl/server.keystore -dname "CN=org.api360.apps.ssl,OU=IT,O=arnado,L=KS,ST=Manila,c=cn" -storepass password123 -keypass password123
Step 2: Generate the client's RSA key pair and self-signed certificate in a PKCS12 store, client.p12.
keytool -noprompt -validity 365 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore ../ssl/client.p12 -dname "CN=clientCN,OU=clientOU,O=arnado,L=devLaptop,ST=Manila,c=cn" -storepass password123 -keypass password123
Step 3: Export the client's certificate (public part only) to client.cer.
keytool -noprompt -export -v -alias client -keystore ../ssl/client.p12 -storetype PKCS12 -storepass password123 -rfc -file ../ssl/client.cer
Step 4: Export the server's certificate to server.cer.
keytool -noprompt -export -v -alias server -keystore ../ssl/server.keystore -storepass password123 -rfc -file ../ssl/server.cer
Step 5: Import the server's certificate into client.truststore so the client trusts the server.
keytool -noprompt -import -v -alias server -file ../ssl/server.cer -keystore ../ssl/client.truststore -storepass password123
Step 6: Import the client's certificate into server.keystore so the server trusts the client.
keytool -noprompt -import -v -alias client -file ../ssl/client.cer -keystore ../ssl/server.keystore -storepass password123

I've run the steps and have provided the expected (or similar) output below, from the console (macOS):

Step 1
keytool -noprompt -validity 365 -genkey -v -alias server -keyalg RSA -keystore ../ssl/server.keystore -dname "CN=org.api360.apps.ssl,OU=IT,O=arnado,L=KS,ST=Manila,c=cn" -storepass pA5sw0rd2018 -keypass pAs5w0rd2018
---
Output:
---
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
for: CN=org.api360.apps.ssl, OU=IT, O=arnado, L=KS, ST=Manila, C=cn
[Storing ../ssl/server.keystore]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ../ssl/server.keystore -destkeystore ../ssl/server.keystore -deststoretype pkcs12".
---

Step 2
keytool -noprompt -validity 365 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore ../ssl/client.p12 -dname "CN=cnClient,OU=ouClient,O=arnado,L=VirtualDev,ST=Manila,c=cn" -storepass pA5sw0rd2018 -keypass pAs5w0rd2018
---
Output
---
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
for: CN=cnClient, OU=ouClient, O=arnado, L=VirtualDev, ST=Manila, C=cn
[Storing ../ssl/client.p12]
---

Step 3
keytool -noprompt -export -v -alias client -keystore ../ssl/client.p12 -storetype PKCS12 -storepass pA5sw0rd2018 -rfc -file ../ssl/client.cer
---
Output
---
Certificate stored in file <../ssl/client.cer>
---

Step 4
keytool -noprompt -export -v -alias server -keystore ../ssl/server.keystore -storepass pA5sw0rd2018 -rfc -file ../ssl/server.cer
---
Output
---
Certificate stored in file <../ssl/server.cer>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ../ssl/server.keystore -destkeystore ../ssl/server.keystore -deststoretype pkcs12".
---

Step 5
keytool -noprompt -import -v -alias server -file ../ssl/server.cer -keystore ../ssl/client.truststore -storepass pA5sw0rd2018
---
Output
---
Certificate was added to keystore
[Storing ../ssl/client.truststore]
---

Step 6
keytool -noprompt -import -v -alias client -file ../ssl/client.cer -keystore ../ssl/server.keystore -storepass pA5sw0rd2018
---
Output
---
Certificate was added to keystore
[Storing ../ssl/server.keystore]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ../ssl/server.keystore -destkeystore ../ssl/server.keystore -deststoretype pkcs12".
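
To confirm the stores ended up the way the six steps intend, the script below audits the text printed by keytool -list for server.keystore and client.truststore. It is an added example, not part of the original post; the function names list_entries and check_layout are hypothetical, and the sample listings and their fingerprints are constructed.

```shell
# Added example: audit `keytool -list` text against the layout steps 1-6 produce.
# list_entries: reads a listing on stdin, prints "alias type fingerprint" per entry.
list_entries() {
  awk '
    /PrivateKeyEntry|trustedCertEntry/ {
      name = $0; sub(/,.*/, "", name)
      kind = ($0 ~ /PrivateKeyEntry/) ? "PrivateKeyEntry" : "trustedCertEntry"
    }
    /^Certificate fingerprint/ { print name, kind, $NF }'
}

# check_layout SERVER_KEYSTORE_LISTING CLIENT_TRUSTSTORE_LISTING
# Prints one line per problem; exit status is 0 only when nothing is wrong.
check_layout() (
  ks=$(printf '%s\n' "$1" | list_entries)
  ts=$(printf '%s\n' "$2" | list_entries)
  rc=0
  # Step 1: the server keystore holds the server's private key.
  printf '%s\n' "$ks" | grep -q '^server PrivateKeyEntry ' ||
    { echo "server.keystore: no private key under alias server"; rc=1; }
  # Step 6: the server trusts the client's certificate.
  printf '%s\n' "$ks" | grep -q '^client trustedCertEntry ' ||
    { echo "server.keystore: client certificate is not trusted"; rc=1; }
  # A truststore should hold certificates only, never a private key.
  if printf '%s\n' "$ts" | grep -q ' PrivateKeyEntry '; then
    echo "client.truststore: contains a private key"; rc=1
  fi
  # Step 5: the certificate the client trusts is the one the server presents.
  fp_ks=$(printf '%s\n' "$ks" | awk '$1 == "server" { print $3 }')
  fp_ts=$(printf '%s\n' "$ts" | awk '$1 == "server" { print $3 }')
  if [ -z "$fp_ts" ] || [ "$fp_ks" != "$fp_ts" ]; then
    echo "client.truststore: server certificate fingerprint mismatch"; rc=1
  fi
  [ "$rc" -eq 0 ]
)

# Constructed sample listings (made-up, shortened fingerprints), not real output.
GOOD_KS='server, Mar 30, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:11:22:33
client, Mar 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:44:55:66'
GOOD_TS='server, Mar 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:11:22:33'
# Truststore built from an outdated server.cer: fingerprint no longer matches.
STALE_TS='server, Mar 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:77:88:99'

check_layout "$GOOD_KS" "$GOOD_TS" && echo "layout OK"
check_layout "$GOOD_KS" "$STALE_TS" || echo "layout needs fixing"
```

On real stores, pass the output of keytool -list for ../ssl/server.keystore as the first argument and for ../ssl/client.truststore as the second.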



2 comments:

Srinu Vasu said...

Thanks for sharing valuable information.

Unknown said...

Thanks for sharing valuable information and very well explained. Keep posting.
