The TLS/SSL certificate used for SSL in JBoss is stored in APPSRV_HOME/standalone/configuration/keystore/keystore.p12.

For application servers older than WildFly 24 that use the JKS format, the keystore is stored in APPSRV_HOME/standalone/configuration/keystore/keystore.jks.

The default validity time for the SSL certificate is two years. When the certificate expires, you must generate a new one.

Renew Keystore 

To generate a new certificate and renew the keystore, perform the following steps in the EJBCA user interface:

  1. In the EJBCA RA UI, select Search → End Entities and search for the user tomcat.
  2. Select Edit on the found user, set the Enrollment code to the same value as httpsserver.password in your conf/web.properties, and set the Status to New.
  3. Open a command line in EJBCA_HOME and run:

    bin/ejbca.sh batch
  4. Next, copy the EJBCA_HOME/p12/tomcat.p12 to APPSRV_HOME/standalone/configuration/keystore/keystore.p12.
    (warning) For application servers older than WildFly 24 that use the JKS format, this would be EJBCA_HOME/p12/tomcat.jks to APPSRV_HOME/standalone/configuration/keystore/keystore.jks.

    1. Optionally, you can run the following, but since ant deploy will do some other things as well, it is recommended to copy the file as described in Step 4.

      ant deploy-keystore

      (warning) For application servers older than WildFly 24 that use the JKS format, the file would be
      Ant deploy will do some other things as well, so if you are not sure, just copy the file.

  5. Restart JBoss.

Renew Keystore using the CLI

To instead use the command line interface to renew the keystore, perform these steps:

  1. Run the following in the CLI:

    bin/ejbca.sh ra setendentitystatus tomcat 10
    bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
    bin/ejbca.sh batch tomcat
    cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
    #for application servers older than WildFly 24 
    #cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
    
  2. Restart JBoss.

Optionally, you can use the following convenience ant target to simplify the process and save some typing. The ant target runs the three ejbca.sh commands above in succession:

  1. Run the following in the CLI:

    ant renew-keystore
    cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
    #for application servers older than WildFly 24
    #cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
    
  2. Restart JBoss.
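
A pre-install check for the copy step above, as an added example that is not part of EJBCA or the original page: it confirms that the renewed p12/tomcat.p12 opens with the keystore password and is not close to expiry, then backs up the current keystore.p12 and replaces it with owner-only permissions. The function names, backup file naming and 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of EJBCA. Assumes openssl is installed and that the
# script runs as the account that owns the application server's keystore.
# Function names, backup naming and the 30-day default are illustrative.

# Print the notAfter date of the certificate in a PKCS#12 keystore.
# $1 = keystore file, $2 = keystore password (the httpsserver.password value)
p12_enddate() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts \
        -passin env:P12_PASS 2>/dev/null | openssl x509 -noout -enddate
}

# Succeed only if that certificate is still valid $3 days from now (default 30).
# Fails as well when the file or password is wrong, since no certificate is read.
p12_valid_for() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts \
        -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -checkend "$(( ${3:-30} * 86400 ))" >/dev/null 2>&1
}

# Install a renewed keystore: keep a timestamped backup of the current file,
# write the new one with owner-only permissions, then rename it into place.
# $1 = new keystore (e.g. p12/tomcat.p12), $2 = destination keystore path
install_keystore() {
    src=$1 dst=$2 tmp="$2.new.$$"
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    ( umask 077 && cp "$src" "$tmp" ) && chmod 600 "$tmp" &&
        mv -f "$tmp" "$dst" && return 0
    rm -f "$tmp"
    return 1
}

# Usage from EJBCA_HOME after "bin/ejbca.sh batch tomcat", with PASS holding
# the keystore password:
#   p12_valid_for p12/tomcat.p12 "$PASS" 30 &&
#     install_keystore p12/tomcat.p12 \
#       "$APPSRV_HOME/standalone/configuration/keystore/keystore.p12"
```

JBoss still has to be restarted afterwards, as in the steps above.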