Posted on: September 18, 2015. Posted by: Mohit Mathur

1) Create KeyStore <Path_to_Keystore>/keystore/

keytool -genkey -alias <Alias_Name> -keyalg RSA -keysize 2048 -keystore <Keystore_Name> -validity 3650
Enter keystore password: <Keystore_Password>
What is your first and last name? [Unknown]: <Server’s FQDN>
What is the name of your organizational unit? [Unknown]: <OU>
What is the name of your organization? [Unknown]: <O>
What is the name of your City or Locality? [Unknown]: <City>
What is the name of your State or Province? [Unknown]: <State>
What is the two-letter country code for this unit? [Unknown]: <Country>
correct? [no]: yes
Enter key password for <”<Alias_Name>”>
(RETURN if same as keystore password):


Now we have a keystore with a private key that can be referred to by its alias. Note that a keystore can hold multiple certs, so each cert is referred to by its own alias name.


2) Create CSR (i.e. cert request) using the keystore generated above

keytool -keystore <Keystore_Name> -certreq -file <CSR_File_Name> -alias <Alias_Name> -keyalg RSA -keysize 2048

This command creates a CSR file, which needs to be sent to a CA (Certificate Signing Authority such as GeoTrust). The CSR is built from the key pair generated in step 1, so the key size is the one chosen there.


3) Send CSR to CA and receive cert from them.


4) Save the certificate received from the CA on the JBoss host, say as new.cert

Now that you have your certificate, you can import it into your local keystore. First you have to import the so-called chain certificate or root certificate into your keystore. After that you can proceed with importing your certificate.


5) Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.


6) Import chain certificates into Keystore

keytool -import -trustcacerts -alias <Root_Alias_Name> -file <Chain_Cert_File> -keystore <Keystore_Name>


7) Import Server certificate saved in step 4.

keytool -import -alias <Alias_Name> -keystore <Keystore_Name> -file new.cert


While executing the above command, make sure that the root and intermediate certificates have already been imported into the keystore (as per step 5) under different alias names. Otherwise, importing the server cert fails with an incomplete certificate chain error.
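A check to run after step 7, as an added example that is not part of the original post: the function reads keytool -list -v output and confirms that the key alias is still a PrivateKeyEntry whose first certificate is now CA-issued, with a chain behind it. The function name check_key_entry, the sample listing and its alias names (myserver, stale, rootca) are constructed for illustration.

```shell
# Constructed, abridged `keytool -list -v` listing (not from a real keystore).
sample_listing() {
    cat <<'EOF'
Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Alias name: myserver
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, O=Example, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Alias name: stale
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example, C=US
Issuer: CN=www.example.com, O=Example, C=US
EOF
}

# Verdict for alias $1 from a listing on stdin; exit 0 only for a CA-issued chain.
check_key_entry() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13) }
        cur != want                   { next }
        /^Entry type: /               { etype = $3 }
        /^Certificate chain length: / { len = $4 }
        /^Owner: /  && owner == ""    { owner = substr($0, 8) }
        /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
        END {
            if (etype == "")                     v = "MISSING: no such alias"
            else if (etype != "PrivateKeyEntry") v = "NO-KEY: " etype
            else if (owner == issuer)            v = "SELF-SIGNED: CA reply not imported on this alias"
            else if (len < 2)                    v = "SHORT-CHAIN: no CA certificate in the chain"
            else                                 v = "OK: chain length " len
            print v
            exit (v ~ /^OK/ ? 0 : 1)
        }'
}

# Real use: keytool -list -v -keystore <Keystore_Name> | check_key_entry <Alias_Name>
for a in myserver stale rootca absent; do
    printf '%s -> %s\n' "$a" "$(sample_listing | check_key_entry "$a")"
done
```

A SELF-SIGNED verdict on the key alias means the certificate from step 1 is still in place, which is what happens when the CA reply is imported under a different alias than the private key.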

Now that our keystore is ready, we need to configure JBoss to use this cert and keystore.


8) add the following to start script so that keystore<Path_to_Keystore>/keystore/<Keystore_Name>


9) encrypt the key store password

$CATALINA_HOME represents the directory into which you installed JBoss Web.

java -cp $CATALINA_HOME/conf/production/lib/log4j.jar:$CATALINA_HOME/conf/deploy/EncryptSystemPropertiesService.sar org.jboss.example.EncryptSystemPropertiesService <Keystore_Password>

e.g. Encrypted value: -2fb183249ad47b59207a6df87216de44


10) add encrypted keystore password to so that it does not need to be in clear text.

Path : $CATALINA_HOME/conf/

bash-2.03$ more


11) edit tomcat server.xml to enable ssl so that keystore parameters are passed in and not hardcoded.

The final step is to configure your secure socket in the $CATALINA_HOME/conf/server.xml file, where $CATALINA_HOME represents the directory into which you installed JBoss Web.


<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystorePass="${}" sslProtocol="TLS" />
<!-- replaces the hardcoded default: keystorePass="rmi+ssl" sslProtocol="TLS" -->



Start your JBoss server and it should be listening on the SSL port 🙂
