
I have a JBoss server and I want to enable its SSL capabilities. I read and made the modifications in server.xml in jbossweb-tomcat55.sar, but as it seems I didn't understand how to create and add the certificate the right way. Can you please correct me with the right steps?

I did it like this: I generated a keystore file, then I generated a .pem file using keytool -export. Then I used keytool -import to import the file.pem. Then in the server.xml file I wrote the password and the location of the imported certificate.

Thanks in advance.

Tony
John11

1 Answer

It would have been better if you had posted the keytool commands you've used to generate the certificates, but I guess that you were trying to generate a self-signed certificate. For that, first you should generate a public/private key pair; the command to achieve it looks like:

keytool -genkey -alias yourAliasOrDomainName -keyalg RSA -keystore yourKeyStoreName.jks -keysize 2048

To get the certificate (public key certificate) you've to use the export command (that's the file you've to issue to the client):

keytool -export -alias yourAliasOrDomainName -keystore yourKeyStoreName.jks -file yourServer.cer

And finally, you've to place the keystore file in your server, and set up the HTTP / SSL Connector, specifying the keystore file and its password (but not the domain password). Something like:

<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/yourKeyStoreName.jks"
           keystorePass="yourKeyStorePassWord" sslProtocol="TLS" />

Note that in the Connector you've to specify the Keystore file, not the certificate!!!

Toni
  • Thanks, as it seems I wasn't pointing to the right file; I was pointing to the certificate and not to the keystore. Also for anyone trying this for a web server it is important that you also write https://serveraddress:SSLport and when asked accept the certificate exception. Thanks again Toni S. – John11 Nov 28 '12 at 07:15
  • Yes, since it's a self signed certificate, the web browsers won't have it in its trusted certificates repositories, so you'll have to accept it when asked (or install the certificate in the browser manually). – Toni Nov 28 '12 at 07:17
  • Hello, I am not using any front end server, but only JBOSS. I have purchased an authorized certificate; how can I generate a key from this certificate instead of assigning a self-signed certificate generated from my JVM keystore? – ruby Feb 28 '14 at 16:01
  • If you've purchased a certificate from a certification authority you should already have the key pair (private and public key). So, in that case, you just need to place them in a java keystore (jks) and then set it up in the Connector as it's shown in my answer. So answering your question, to place your key pair in the keystore first you've to generate a pkcs12 keystore with both keys and then convert it to a jks keystore, you can find the commands needed to do it in this answer: http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore – Toni Mar 03 '14 at 08:24
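The procedure from the answer and the purchased-certificate follow-up in the comments, as an added shell example (not code from the original post): it builds the keystore the Connector needs, exports the public certificate for clients, checks that the file handed to keystoreFile really contains a private key (the mistake from the question), and converts a PKCS#12 bundle to JKS. Alias names, passwords and the CN are constructed placeholders.

```shell
#!/bin/sh
# Added example; alias, password and CN values below are constructed.

# Self-signed server key pair in a JKS keystore. The key password is set equal
# to the store password because the Connector is only given keystorePass.
make_self_signed_keystore() {  # <keystore.jks> <alias> <password>
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost, O=Example" -keystore "$1" -storetype JKS \
    -storepass "$3" -keypass "$3"
}

# Public certificate in PEM form (what you hand to clients); it is NOT a keystore.
export_certificate() {  # <keystore.jks> <alias> <password> <out.cer>
  keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass "$3" -file "$4"
}

# Returns 0 only if the file is a keystore holding a PrivateKeyEntry for the
# alias, i.e. something the SSL Connector can actually serve from.
# Run it against the file named in keystoreFile before restarting JBoss.
keystore_has_private_key() {  # <file> <alias> <password>
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
    | grep -q PrivateKeyEntry
}

# Purchased certificate case: a PKCS#12 bundle (normally produced with
# "openssl pkcs12 -export -in cert.pem -inkey key.pem -name alias -out bundle.p12")
# is converted to the JKS keystore the Connector expects.
pkcs12_to_jks() {  # <bundle.p12> <p12 password> <out.jks> <jks password>
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$2" -destkeystore "$3" -deststoretype JKS \
    -deststorepass "$4" -noprompt
}

# Stand-in for a purchased pair (constructed): a key pair generated straight
# into a PKCS#12 file, so the conversion above can be exercised offline.
make_stand_in_pkcs12() {  # <bundle.p12> <alias> <password>
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost, O=Example" -keystore "$1" -storetype PKCS12 \
    -storepass "$3" -keypass "$3"
}
```

keytool on newer JDKs prints a warning about the proprietary JKS format; the commands still succeed, and the resulting .jks is what goes into keystoreFile.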