SSL Certificate Expiration
The TLS/SSL certificate used for SSL in JBoss is stored in APPSRV_HOME/standalone/configuration/keystore/keystore.p12 (APPSRV_HOME/standalone/configuration/keystore/keystore.jks for servers older than WildFly 24). The default validity time for the SSL certificate is two years. When it expires, you must generate a new one.
You can do this through the RA Web by:
In EJBCA RA Web, select Search → End Entities and search for user tomcat.
Select Edit on the found user and set the Enrollment code to the same as httpsserver.password in your conf/web.properties and Status to New.
Open up a command line in EJBCA_HOME and run:
bin/ejbca.sh batch
Copy EJBCA_HOME/p12/tomcat.p12 to APPSRV_HOME/standalone/configuration/keystore/keystore.p12 (EJBCA_HOME/p12/tomcat.jks to APPSRV_HOME/standalone/configuration/keystore/keystore.jks for servers older than WildFly 24), or run:
ant deploy-keystore
Ant deploy will do some other things as well, so if you are not sure, just copy the file.
Restart JBoss.
You can also do everything using the CLI:
Run the following in the CLI:
bin/ejbca.sh ra setendentitystatus tomcat 10
bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
bin/ejbca.sh batch tomcat
cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
# for servers older than WildFly 24
#cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
Restart JBoss.
A small convenience ant target is available that simplifies the process and saves some typing (it runs the three ejbca.sh commands above in succession):
Run the following in the CLI:
ant renew-keystore
cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
# for servers older than WildFly 24
#cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
Restart JBoss.
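To confirm that the deployed keystore really holds the renewed certificate, or to catch the two-year expiry ahead of time, the following added example (not part of the EJBCA documentation or code) reads httpsserver.password from conf/web.properties and checks the certificate in keystore.p12 with openssl. Assumptions: the function names and the 30-day default are hypothetical, conf/web.properties lives under EJBCA_HOME, the keystore password equals httpsserver.password, and the server uses the PKCS#12 keystore (WildFly 24 or later).

```shell
#!/bin/sh
# Added example, not EJBCA code. Function names, the 30-day default and the
# location of conf/web.properties under EJBCA_HOME are assumptions.

# Print the value of KEY from a Java .properties FILE; exit 1 if absent.
read_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                 # skip comment lines
        { line = $0; sub(/^[ \t]+/, "", line)
          if (index(line, key) == 1) {
              rest = substr(line, length(key) + 1)
              if (rest ~ /^[ \t]*[=:]/) {
                  sub(/^[ \t]*[=:][ \t]*/, "", rest); val = rest; found = 1
              }
          } }
        END { if (!found) exit 1; print val }' "$1"
}

# Write the keystore's leaf certificate (PEM) to stdout. The password goes
# through the environment so it never appears on a command line.
p12_leaf_cert() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nokeys -clcerts 2>/dev/null
}

# Print the certificate's notAfter date.
p12_not_after() {
    p12_leaf_cert "$1" "$2" | openssl x509 -noout -enddate 2>/dev/null |
        sed 's/^notAfter=//'
}

# Succeed only if the certificate is still valid DAYS days from now.
# An unreadable keystore or wrong password also fails (fail closed).
p12_valid_for_days() {
    p12_leaf_cert "$1" "$2" |
        openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# Usage: sh check-keystore.sh "$EJBCA_HOME" "$APPSRV_HOME" [days]
if [ "$#" -ge 2 ]; then
    pw=$(read_prop "$1/conf/web.properties" httpsserver.password) || exit 2
    ks="$2/standalone/configuration/keystore/keystore.p12"
    echo "notAfter: $(p12_not_after "$ks" "$pw")"
    p12_valid_for_days "$ks" "$pw" "${3:-30}" ||
        { echo "certificate expires within ${3:-30} days: renew" >&2; exit 1; }
fi
```

Run it from cron or a monitoring job well before the expiry date, and again after restarting JBoss to verify that the new keystore was copied into place.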