Skip to end of metadata
Go to start of metadata

In general you have two options to setup SSL/HTTPS support for your server:

In both cases you have to configure keys and (self-signed) certificates for your web server. This guide will briefly explain how to accomplish that for both options.

Pure Java SSL-Setup using keytool

We will generate a secret key/certificate and store it in a file called a "key store". The certificate is valid for 30 years = 10950 days. The password use for encryption is "secret".

One important issue is the common name (CN) of the certificate. For some reason this is referred to as "first and last name". It should however match the name of the web server, or some browsers like IE will claim the certificate to be invalid although you may have accepted it already.

Step 1: Generate key

 $ keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950
Enter keystore password: secret
Re-enter new password: secret
What is your first and last name?
What is the name of your organizational unit?
  [Unknown]:  Foo
What is the name of your organization?
  [Unknown]:  acme corp
What is the name of your City or Locality?
  [Unknown]:  Duckburg
What is the name of your State or Province?
  [Unknown]:  Duckburg
What is the two-letter country code for this unit?
  [Unknown]:  WD
Is, OU=Foo, O=acme corp, L=Duckburg, ST=Duckburg, C=WD correct?
  [no]:  yes

Enter key password for <deva> secret
    (RETURN if same as keystore password):  
Re-enter new password: secret

Step 2: Configure JBoss

Native SSL-Setup using OpenSSL

Again we will generate a private key and a self-signed certificate. Additionally, you can also export the certificate to a pkcs12 format file.
You can import it into the Windows certificate storage if you have problems with the Internet Explorer.

Step 1: Generate key
$ openssl genrsa -des3 -out foo.pem 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for foo.pem: secret
Verifying - Enter pass phrase for foo.pem: secret
Step 2: Generate certificate
$ openssl req -new -x509 -key foo.pem -out foo-cert.pem -days 10950
Enter pass phrase for foo.pem: secret
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:WD
State or Province Name (full name) [Some-State]:Duckburg
Locality Name (eg, city) []:Duckburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme Corp
Organizational Unit Name (eg, section) []:Foo
Common Name (eg, YOUR name) []
Email Address []:
Step 3: (Optional) Generate PKCS12 file
$ openssl pkcs12 -export -in foo-cert.pem -inkey foo.pem  -out foo.p12
Enter pass phrase for foo.pem: secret
Enter Export Password: secret
Verifying - Enter Export Password: secret
Step 4: Configure JBoss

Port configuration

The above example assumes that you have configured JBoss to use the standard ports 80 (HTTP) and 443 (HTTPS). Accesses to the HTTP port will be redirected HTTPS.

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
  1. Feb 19, 2013

    I followed yours steps in this article...but got some errors at all. So I used another example


    This one works fine...

  2. Feb 19, 2013

    That article refers to AS 7.1.2.

    I have not tried my setup with 7.1.2 nor with 7.1.3

    Please be more specific about what errors occured...



  3. Feb 19, 2013

    This could be the reason...I'm using 7.1.0 (standalone)...about error:

    12:31:08,243 ERROR [] (MSC service thread 1-14) Failed to load keystore type JKS with path /opt/flagme/ssl/flagme.pem due to Invalid keystore format: Invalid keystore format

            at [rt.jar:1.7.0_02]

            at$JKS.engineLoad( [rt.jar:1.7.0_02]

            at [rt.jar:1.7.0_02]

            at [jbossweb-7.0.10.Final.jar:]

            at [jbossweb-7.0.10.Final.jar:]

            at [jbossweb-7.0.10.Final.jar:]

            at [jbossweb-7.0.10.Final.jar:]

            at [jbossweb-7.0.10.Final.jar:]

            at [jbossweb-7.0.10.Final.jar:]

            at org.apache.coyote.http11.Http11Protocol.init( [jbossweb-7.0.10.Final.jar:]

            at org.apache.catalina.connector.Connector.init( [jbossweb-7.0.10.Final.jar:]

            at [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

  4. Feb 18, 2014

    Hi Markus,

    on what file(s) do you configure JBoss and the port?


  5. Apr 18, 2014

    Good day Markus,

    I'v faced the same problem ( Invalid keystore format) as Giulliano. The solution for me was setting native="true" in subsystem configuration section (the default value is "false").

    I think it is worth to emphasize on this point.

    Anyway, thanks for this wiki page!

  6. Mar 29, 2016

    @Giulliano Morroni - unfortunately the link doesn't work, and I'm getting IOException: Invalid keystore format - do someone has something to solve this?