How do I install an SSL Certificate into JBOSS?

Problem

How do I install an SSL Certificate into JBOSS?

Resolution

Download all your certificates from the Trust/Link download page, making sure that you download the Root CA certificate, the Intermediate certificate and your SSL certificate.  You can do this by clicking on the certificate icon (or the download link) next to each certificate section (see https://support.quovadisglobal.com/kb/a469/understanding-the-trust-link-downloads-page.aspx for more details).  This will download a *.crt file for each certificate

Part I - Complete the Java KeyStore File

Once you have obtained all the files that you will need during this process, you are ready to install them into the Java KeyStore file that you created initially along with the CSR.

Important Note: Part I will provide the commands needed to install the Intermediate, Root and SSL certificate into your Java KeyStore.  You may notice that particular sections of these commands surrounded by [ ] symbols and are in bold.  These bold parts are relative and will need to be changed by you in order to reflect your situation and Java KeyStore file.
  1. Open up the command line that has access to the Java Keytool.  You must run the following command in order to install the Root Certificate into the Java KeyStore file:

  2. keytool -import -trustcacerts -alias root -file [root certificate].crt -keystore [Common Name].jks

    Note: Please remember to change the name of the "[Common Name].jks" to the name of the *.jks file that you created the private key in.

  3. When prompted for the keystore password, enter in the password that was set.

  4. The command will verify the Root Certificate and want you to accept its trust.  Type in y or yes when prompted.

  5. Next, you will need to import the Intermediate Certificate into the Java KeyStore file.  This can be done by entering in the following command:

  6. keytool -import -trustcacerts -alias intermediate -file [intermediate certificate].crt -keystore [Common Name].jks

    Note: Please remember to change the name of the "[Common Name].jks" to the name of the *.jks file that you created the private key in.

  7. When prompted for the keystore password, enter in the password that was set.

  8. The command will verify the Intermediate Certificate and want you to accept its trust.  Type in y or yes when prompted.

  9. Next, you will need to import your SSL Certificate into the Java KeyStore file.  This can be done by entering in the following command:

  10. keytool -import -trustcacerts -alias [server] -file [Common Name].crt -keystore [Common Name].jks

    Note: Please remember to change the name of the "[server]" alias to the alias that you specified during the CSR generation.  If you used the QuoVadis Java Keytool Command Tool, this should be "server".  You must also change "[Common Name]" to the name of the *.jks file that you created the private key in.

  11. When prompted for the keystore password, enter in the password that was set.

  12. The command will verify your SSL Certificate and want you to accept its trust.  Type in y or yes when prompted.

Part II - Assigning the new Java KeyStore File in JBOSS

Once you have completely created your Java KeyStore file, you must now assign it in the JBOSS settings so that JBOSS will use the new SSL certificate.  In order to change these settings, you will have to open and edit the JBOSS Web Configuration File.  You may want to make a backup of this file before you edit it.

Note: You will have to plan ahead of time for this step as it requires a restart of JBoss Web.
  1. Open the JBOSS Web Configuration File with a simple text editor (such as notepad on Windows).
You must configure the <Connector /> section in this file.  If this is your first time configuring Tomcat, then please follow Step 2 and Step 3.  Otherwise, you may skip to Step 4.

If this is your first time configuring JBOSS, then you will first need to uncomment the Connector Configuration.  You may uncomment a section by removing the <!-- and --> around the section.
  1. You must also locate the port= part in the SSL Connector part and change it to 443.

  2. Below is an example of how it should look:

  3. <Connector
    port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>

  4. Edit the keystoreFile= part to match the path and filename of the Java KeyStore file.  The ${user.home} part should be changed to represent the base directory for the JBOSS instance.

  5. Edit the keystorePass= part to match the password that was set for the Java KeyStore file.

  6. When you have completed all of the steps, the <Connector /> tag in your JBOSS Web Configuration File should look similar to this:

    <Connector
    port="443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/[Common Name].jks" keystorePass="[your_password]"
    clientAuth="false" sslProtocol="TLS"/>


    Note: The parts in [bold] represent what should be changed from an fresh installation.

  7. Save the changes you have made to this file.

  8. In order to complete the process, you must restart JBOSS.

  9. You should verify through Firefox and Internet Explorer that the new certificate is visible and has been installed correctly.

Add Feedback