SSL Certificate Expiration

The SSL certificate used for SSL in JBoss is stored in APPSRV_HOME/server/default/conf/keystore.jks. The default validity time for the SSL certificate is two years. When this expire, you must generate a new one.

You can do this through the Admin GUI by:

  1. Go to List/Edit End Entities and search for user tomcat.
  2. Edit_End_Entity and set the password to the same as httpsserver.password in your conf/web.properties and Status to New.
  3. Open up a command line in EJBCA_HOME and run 

    bin/ejbca.sh batch
  4. Copy EJBCA_HOME/p12/tomcat.jks to APPSRV_HOME/server/default/conf/keystore.jks, or run 

    ant deploy-keystore


    Ant deploy will do some other things as well, so if you are not sure, just copy the file.

  5. Restart JBoss.

You can also do everything using the CLI:

  1. Run the following in the CLI:

    bin/ejbca.sh ra setendentitystatus tomcat 10
    bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
    bin/ejbca.sh batch tomcat
    cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
  2. Restart JBoss.

A small convenience ant target is present which can simplify the process and save some typing (it's running the above three ejbca.sh commands in succession):

  1. Run the following in the CLI:

    ant renew-keystore
    cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
  2. Restart JBoss.