Using a Self-Signed Certificate

Estimated reading time: 3 minutes

Ktor allows you to create and use self-signed certificates for serving HTTPS or HTTP/2 requests.

This function is defined in the method in the artifact io.ktor:ktor-network-tls:$ktor_version.
dependencies { compile "io.ktor:ktor-network-tls:$ktor_version" }
dependencies { compile("io.ktor:ktor-network-tls:$ktor_version") }
<project> ... <dependencies> <dependency> <groupId>io.ktor</groupId> <artifactId>ktor-network-tls</artifactId> <version>${ktor.version}</version> <scope>compile</scope> </dependency> </dependencies> </project>

Table of contents:

To create a self-signed certificate using Ktor, you have to call the generateCertificate function."mycert.jks"))

Since Ktor requires the certificate when it starts, you have to create the certificate before starting the server.

Create the certificate using gradle

One possible option is to execute the main class generating the certificate before actually running the server:


You can declare a class with a main method that only generates the certificate when it doesn’t exist:

package io.ktor.samples.http2


object CertificateGenerator {
    fun main(args: Array<String>) {
        val jksFile = File("build/temporary.jks").apply {

        if (!jksFile.exists()) {
            generateCertificate(jksFile) // Generates the certificate


In your build.gradle file you can make the run task to depend on a generateJks task that executes the main class generating the certificate. For example:

task generateJks(type: JavaExec, dependsOn: 'classes') {
    classpath = sourceSets.main.runtimeClasspath
    main = 'io.ktor.samples.http2.CertificateGenerator'

getTasksByName("run", false).first().dependsOn('generateJks')

The HOCON application.conf configuration file

When creating your HOCON configuration file, you have to add the ktor.deployment.sslPort, and the properties to define the ssl port and the keyStore:


ktor {
    deployment {
        port = 8080
        sslPort = 8443
        watch = [ http2 ]

    application {
        modules = [ io.ktor.samples.http2.Http2ApplicationKt.main ]

    security {
        ssl {
            keyStore = build/temporary.jks
            keyAlias = mykey
            keyStorePassword = changeit
            privateKeyPassword = changeit

Ktor normal module

After that you can just write a normal plain Ktor module:

package io.ktor.samples.http2

import io.ktor.application.*
import io.ktor.features.*
import io.ktor.http.*
import io.ktor.response.*
import io.ktor.routing.*
import io.ktor.util.*

fun Application.main() {
    install(Routing) {
        get("/") {

                <!DOCTYPE html>
                        <link rel="stylesheet" type="text/css" href="/style.css">
                        <h1>Hello, World!</h1>
            """.trimIndent(), contentType = ContentType.Text.Html)

        get("/style.css") {
                h1 { color: olive }
            """, contentType = ContentType.Text.CSS)

Accessing your server

Then you can point to to access your server. Since this is a self-signed certificate, your browser will probably warn you about an invalid certificate, so you will have to disable that warning.

Full example

Ktor has a full example using self-signed certificates here: