Skip to main content
Skip table of contents

SSL Certificate Expiration

The TLS/SSL certificate used for SSL in JBoss is stored in APPSRV_HOME/standalone/configuration/keystore/keystore.p12.

For application servers older than WildFly 24 that use the JKS format, the keystore is stored in APPSRV_HOME/standalone/configuration/keystore/keystore.jks

The default validity time for the SSL certificate is two years. When the certificate expires, you must generate a new one.

Renew Keystore 

To generate a new certificate and renew the keystore, perform the following steps in the EJBCA user interface:

  1. In the EJBCA RA UI, select Search → End Entities and search for the user tomcat.
  2. Select Edit on the found user and set the Enrollment code to the same as the httpsserver.password in your conf/web.properties, and set the Status to New.
  3. Open a command line in EJBCA_HOME and run:

    XML
    bin/ejbca.sh batch
  4. Next, copy the EJBCA_HOME/p12/tomcat.p12 to APPSRV_HOME/standalone/configuration/keystore/keystore.p12.
    (warning) For application servers older than WildFly 24 that use the JKS format, this would be EJBCA_HOME/p12/tomcat.jks to APPSRV_HOME/standalone/configuration/keystore/keystore.jks.

    1. Optionally, you can run the following, but since ant deploy will do some other things as well, it is recommended to copy the file as described in Step 4.

      XML
      ant deploy-keystore

      (warning) For application servers older than WildFly 24 that use the JKS format, the file would be
      Ant deploy will do some other things as well, so if you are not sure, just copy the file.

  5. Restart JBoss.

Renew Keystore using the CLI

To instead use the command line interface to renew the keystore, perform these steps:

  1. Run the following in the CLI:

    XML
    bin/ejbca.sh ra setendentitystatus tomcat 10
    bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
    bin/ejbca.sh batch tomcat
    cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
    #for application servers older than WildFly 24 
    #cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
    
  2. Restart JBoss.

Optionally, you can use the following convenience ant target to simplify the process and save some typing. The ant target runs (it is running the above three ejbca.sh commands in succession):

  1. Run the following in the CLI:

    XML
    ant renew-keystore
    cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
    #for application servers older than WildFly 24
    #cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
    
  2. Restart JBoss.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.