SSL Certificate Expiration

The SSL certificate used for SSL in JBoss is stored in APPSRV_HOME/server/default/conf/keystore.jks. The default validity time for the SSL certificate is two years. When this expire, you must generate a new one.

You can do this through the Admin GUI by:

  1. Go to List/Edit End Entities and search for user tomcat.

  2. Edit_End_Entity and set the password to the same as httpsserver.password in your conf/ and Status to New.

  3. Open up a command line in EJBCA_HOME and run

    bin/ batch
  4. Copy EJBCA_HOME/p12/tomcat.jks to APPSRV_HOME/server/default/conf/keystore.jks, or run

    ant deploy

    Ant deploy will do some other things as well, so if you are not sure, just copy the file.

  5. Restart JBoss.

You can also do everything using the CLI:

  1. Run the following in the CLI:

    bin/ ra setendentitystatus tomcat 10
    bin/ ra setclearpwd tomcat <password from httpsserver.password>
    bin/ batch tomcat
    cp p12/tomcat.jks $APPSRV_HOME/server/default/conf/keystore.jks
  2. Restart JBoss.

A small convenience ant target is present which can simplify the proceess and save some typing (it's running the above three commands in succession):

  1. Run the following in the CLI:

    ant renew-keystore
    cp p12/tomcat.jks $APPSRV_HOME/server/default/conf/keystore.jks
  2. Restart JBoss.