Briefly,
- you can create your own self-signed certificate. This won't protect your app from all kinds of attacks, but your communication will be encrypted. If you're running this in some intranet, I think this is a reasonable solution.
- see below
- see #1
- see #2
To generate a certificate in your server, you can do something like
/opt/jdk1.7.0_40/bin/keytool -genkey -alias tomcat -keypass mypassword -keystore keystore.key -storepass mypassword -keyalg RSA
And then you'll probably need to add some steps to configure your web server. You haven't specified any, but if you were using Tomcat, you'd add something like this to server.xml
<Connector
port="8443"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/path.to.your.keystore/keystore.key"
keystorePass="mypassword" />
To import the certificate on the client side, you can open the login page using Firefox, right-click on the page and open "View Page Info", then go to the "Security" tab, then click on "View Certificate", click on "Details" and then "Export".
The default is X.509 PEM, which is OK. Let's suppose that you've saved the file as "TomcatUser.pem.x509"; you have to store the certificate in a keystore in a format Java can understand, just like this
/opt/jdk1.7.0_40/bin/keytool -import -file TomcatUser.pem.x509 -keystore ~yourUser/MyLocalKeypass -storepass xyz
Finally, your client will need something like this
// The JVM does not expand "~", so the trust store path must be absolute
System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/MyLocalKeypass");
System.setProperty("javax.net.ssl.trustStorePassword", "xyz");
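As an added example (not code from the answer above), here is a client that scopes trust to the imported keystore for a single connection instead of setting JVM-wide system properties; the server URL, the /login path and the trust-store location are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedClient {

    // Build an SSLContext that trusts ONLY the certificates in the given
    // keystore (the one filled with "keytool -import" above), rather than
    // the JVM-wide cacerts. Hostname verification stays enabled, so the
    // name you typed at keytool's "first and last name" prompt must match
    // the host in the URL.
    static SSLContext trustStoreContext(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        if (trustStore.size() == 0) {
            throw new IllegalStateException("trust store has no entries: " + path);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: the trust store imported above and the Tomcat
        // connector from server.xml listening on port 8443.
        String trustStorePath = System.getProperty("user.home") + "/MyLocalKeypass";
        SSLContext ctx = trustStoreContext(trustStorePath, "xyz".toCharArray());

        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://localhost:8443/login").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // per-connection, not JVM-global
        System.out.println("HTTP " + conn.getResponseCode()
            + " via " + conn.getCipherSuite());
    }
}
```

If the server's certificate is not in the trust store, the connection fails with an SSLHandshakeException rather than silently falling back, which is the behaviour you want.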