SSL Certificate Expiration

The TLS/SSL certificate used for SSL in JBoss is stored in APPSRV_HOME/standalone/configuration/keystore/keystore.p12 (APPSRV_HOME/standalone/configuration/keystore/keystore.jks for servers older than WildFly 24). The default validity time for the SSL certificate is two years. When it expires, you must generate a new one.

You can do this through the RA Web by:

  1. In EJBCA RA Web, select Search → End Entities and search for user tomcat.

  2. Select Edit on the found user and set the Enrollment code to the same as httpsserver.password in your conf/web.properties and Status to New.

  3. Open up a command line in EJBCA_HOME and run:

    bin/ejbca.sh batch

  4. Copy EJBCA_HOME/p12/tomcat.p12 to APPSRV_HOME/standalone/configuration/keystore/keystore.p12 (EJBCA_HOME/p12/tomcat.jks to APPSRV_HOME/standalone/configuration/keystore/keystore.jks for servers older than WildFly 24), or run:

    ant deploy-keystore

    Ant deploy will do some other things as well, so if you are not sure, just copy the file.

  5. Restart JBoss.

You can also do everything using the CLI:

  1. Run the following in the CLI:

    bin/ejbca.sh ra setendentitystatus tomcat 10
    bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
    bin/ejbca.sh batch tomcat
    cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
    # For servers older than WildFly 24:
    #cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks

  2. Restart JBoss.

A small convenience Ant target is also available that simplifies the process and saves some typing (it runs the three ejbca.sh commands above in succession):

  1. Run the following in the CLI:

    ant renew-keystore
    cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
    # For servers older than WildFly 24:
    #cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks

  2. Restart JBoss.
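
To see when renewal is due, and to confirm after the copy step that the deployed keystore.p12 really holds the new certificate, the keystore can be inspected with OpenSSL. The script below is an added example, not part of EJBCA; the function names and the KEYSTORE_PASS variable are made up for illustration, and it assumes a PKCS#12 keystore (not the older JKS format) whose password is the httpsserver.password value.

```shell
#!/bin/sh
# Added example: check how close the JBoss/WildFly TLS keystore certificate
# is to expiry. KEYSTORE_PASS is an assumed variable name; it must be exported
# so that "openssl -passin env:" can read it without exposing it in argv.

# Print the end-entity certificate of PKCS#12 file $1 as PEM.
keystore_cert_pem() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KEYSTORE_PASS 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# Print the certificate's expiry date ("notAfter=...") for keystore $1.
keystore_not_after() {
    keystore_cert_pem "$1" | openssl x509 -noout -enddate 2>/dev/null
}

# Return 0 if the certificate in $1 expires within $2 days (renew now),
# 1 if it stays valid beyond that, 2 if the keystore cannot be read
# (missing file, wrong password, not PKCS#12).
keystore_expires_within() {
    pem=$(keystore_cert_pem "$1") || return 2
    [ -n "$pem" ] || return 2
    if printf '%s\n' "$pem" |
        openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage: KEYSTORE_PASS=... sh check-keystore.sh <keystore.p12> [days]
# The exit status is the return value of keystore_expires_within.
if [ "$#" -gt 0 ]; then
    export KEYSTORE_PASS
    rc=0
    keystore_expires_within "$1" "${2:-30}" || rc=$?
    case $rc in
        0) echo "RENEW: $(keystore_not_after "$1")" ;;
        1) echo "OK: $(keystore_not_after "$1")" ;;
        *) echo "ERROR: cannot read $1" >&2 ;;
    esac
    exit "$rc"
fi
```

Run it against APPSRV_HOME/standalone/configuration/keystore/keystore.p12 before renewal and again after the copy; the notAfter date should move forward by the certificate's validity period.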