Alan Baugher

Steps to update the server cert for Wildfly for TCP 8443

Discussion created by Alan Baugher Employee on Nov 16, 2018
Latest reply on Nov 27, 2018 by Alan Baugher



If a client is using external load-balancers (F5) or intermediate Web Servers, there may be a need to update the default self-sign server cert for the Wildfly/JBoss services.


The scenario covered is for CA Identity Suite (IM, IG, IP), but may reference for other J2EE instances.



Below are the steps to update, if you receive a complete PFX file.

- Note:   If possible, request SANS addresses for all FQDN and IP addresses to be used for the Identity Suite environment to lower TCO and allow the client to rotate this file as often as they like, instead of having three (3) or more unique certs.







Step01: View the J2EE / Wildfly JKS used for path and current password for the keystore.


grep -C 2 keystore /opt/CA/wildfly-idm/standalone/configuration/ca-standalone-full-ha.xml

<keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" keystore-password="changeit"/>

Step02: View current Self-Sign Cert and then delete it from the caim-srv JKS keystore [backup the JKS keystore first]

 -  Under this path:  /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates 

keytool -printcert -v -file caim-srv.cer [May identify the current alias from this file]
keytool -list -v -keystore caim-srv -store-pass changeit -alias caim-srv-01
keytool -delete -keystore caim-srv -store-pass changeit -alias caim-srv-01
keytool -list -v -keystore caim-srv -store-pass changeit -alias caim-srv-01


Step03: Change pfx password to match the IM default JKS password (this is currently hardcoded in ca-standalone-full-ha.xml as changeit]

  -  Avoid error message:   JBAS015229: Unable to start service    Cannot recover key

keytool -importkeystore -srckeystore idm.test.companyABC.dom.pfx -srcstorepass company123 -srcstoretype pkcs12 -destkeystore caim-srv.pkcs12 -deststoretype pkcs12 -deststorepass changeit -destkeypass changeit


Step04: Import the intermediate pfx (with new password of changeit) into the Wildfly JKS file caim-srv.


keytool -importkeystore -srckeystore caim-srv.pkcs12 -srcstorepass changeit -srcstoretype pkcs12 -destkeystore caim-srv -deststoretype JKS -deststorepass changeit

Step05: Restart IM and monitor the wildfly-console.log; ensure that TCP 8443 does start and listen

grep -C 2 -i https /opt/CA/wildfly-idm/standalone/log/wildfly-console.log

10:28:24,853 INFO [] (MSC service thread 1-1) JBAS015973: Starting subdeployment (runtime-name: "castylesr5.1.1.war")
10:28:24,880 INFO [] (MSC service thread 1-1) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]
10:28:25,033 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017519: Undertow HTTPS listener https listening on /
10:28:26,545 INFO [] (MSC service thread 1-1) JBWS022052: Starting JBoss Web Services - Stack CXF Server 4.3.2.Final
10:28:29,031 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017534: Registered web context: /castylesr5.1.1


Step06: View certs from on 8443 (use browser or openssl)

openssl s_client -connect caim-srv-01:8443 -showcerts


Step07: Need to add the public root CA cert to "TRUSTED" CA section of JKS, to avoid "self-signed cert" message. [use browser or openssl to capture this final root cert]

keytool -import -trustcacerts -file -alias Clients_public_CA_root_cert -keystore caim-srv -store-pass changeit


Step08: Retest with openssl to ensure correct server cert and the CA public root cert are properly deployed. [Should see error return code 0 (zero)]

openssl s_client -connect caim-srv-01:8443 -showcerts -CAfile


Step09: To test with FQDN from client; add in the FQDN to the custom vApp Alias file: /opt/CA/VirtualAppliance/custom/hosts & execute alias: configureCustomHostRecords

vi /opt/CA/VirtualAppliance/custom/hosts idm.test.companyABC.dom



Step10: Retest with FQDN and openssl

openssl s_client -connect idm.test.companyABC.dom:8443 -showcerts -CAfile

Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5BEEFA84E70684E48ABF1177DA77AF389A1F783A7499C35CBF5407A4BE0E2B62
Master-Key: 10E66BFE580454ADE9E1775C3F77ECDCBDE36C9599CAED3F017284CC4755C06548115E599BBABD42BF73D6B99745CB9C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1542388356
Timeout : 300 (sec)
Verify return code: 0 (ok)