SSL Certificate Expiration

The SSL certificate used for SSL in JBoss is stored in APPSRV_HOME/server/default/conf/keystore.jks. The default validity time for the SSL certificate is two years. When it expires, you must generate a new one.

You can do this through the Admin GUI:

  1. Go to List/Edit End Entities and search for user tomcat.

  2. Choose Edit End Entity, set the password to the same value as httpsserver.password in your conf/web.properties, and set Status to New.

  3. Open up a command line in EJBCA_HOME and run

    bin/ejbca.sh batch

  4. Copy EJBCA_HOME/p12/tomcat.jks to APPSRV_HOME/server/default/conf/keystore.jks, or run

    ant deploy

    Ant deploy will do some other things as well, so if you are not sure, just copy the file.

  5. Restart JBoss.

You can also do everything using the CLI:

  1. Run the following in the CLI:

    bin/ejbca.sh ra setendentitystatus tomcat 10
    bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
    bin/ejbca.sh batch tomcat
    cp p12/tomcat.jks $APPSRV_HOME/server/default/conf/keystore.jks

  2. Restart JBoss.

A small convenience ant target is present which can simplify the process and save some typing (it runs the above three ejbca.sh commands in succession):

  1. Run the following in the CLI:

    ant renew-keystore
    cp p12/tomcat.jks $APPSRV_HOME/server/default/conf/keystore.jks

  2. Restart JBoss.
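
To see how long the current keystore has left, or to confirm that a freshly generated p12/tomcat.jks really carries a new validity period before copying it and restarting JBoss, the output of `keytool -list -v` can be checked. The following is an added example, not part of the EJBCA documentation; the function names, the `KEYSTORE_PASS` variable and the sample output are assumptions made for illustration, and it relies on GNU date.

```shell
#!/usr/bin/env bash
# Added example: days left on the certificates in `keytool -list -v` output.
# Assumes GNU date and English-locale keytool output.

# Reads keytool output on stdin and prints the smallest number of whole days
# remaining over all "Valid from: ... until: ..." lines.
# $1 = reference time in epoch seconds (defaults to now).
min_days_left() {
    local now min line until_str until_epoch days
    now=${1:-$(date +%s)}
    min=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"Valid from: "*" until: "*) ;;
            *) continue ;;
        esac
        until_str=${line##* until: }
        until_epoch=$(date -d "$until_str" +%s) || return 2
        days=$(( (until_epoch - now) / 86400 ))
        if [ -z "$min" ] || [ "$days" -lt "$min" ]; then min=$days; fi
    done
    [ -n "$min" ] || return 1   # no certificate validity line found
    printf '%s\n' "$min"
}

# Succeeds only if every certificate on stdin has more than $2 days left
# at reference time $1 (empty $1 means now).
keystore_ok() {
    local days
    days=$(min_days_left "$1") || return 2
    [ "$days" -gt "$2" ]
}

# Constructed sample of keytool output (not taken from a real keystore).
SAMPLE_KEYTOOL_OUTPUT='Alias name: localhost
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=localhost, O=Example
Valid from: Mon Jan 01 12:00:00 UTC 2024 until: Wed Dec 31 12:00:00 UTC 2025
Certificate[2]:
Owner: CN=Example CA
Valid from: Mon Jan 01 12:00:00 UTC 2024 until: Sun Jan 01 12:00:00 UTC 2034'

# Typical use (KEYSTORE_PASS is an assumed variable holding httpsserver.password):
#   keytool -list -v -keystore "$APPSRV_HOME/server/default/conf/keystore.jks" \
#       -storepass "$KEYSTORE_PASS" | keystore_ok "" 30 || echo "renew tomcat keystore"
```

Running the same pipeline against p12/tomcat.jks after the batch step shows whether the new keystore has the expected validity before it replaces the one JBoss is using.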