SSL Certificate Expiration
The TLS/SSL certificate used for SSL in JBoss is stored in APPSRV_HOME/standalone/configuration/keystore/keystore.p12.
The default validity time for the SSL certificate is two years. When the certificate expires, you must generate a new one.
Renew Keystore
To generate a new certificate and renew the keystore, perform the following steps in the EJBCA user interface:
1. In the EJBCA RA UI, select Search → End Entities and search for the user tomcat.
2. Select Edit on the found user and set the Enrollment code to the same as the httpsserver.password in your conf/web.properties, and set the Status to New.
3. Open a command line in EJBCA_HOME and run:
    bin/ejbca.sh batch
4. Next, copy the EJBCA_HOME/p12/tomcat.p12 to APPSRV_HOME/standalone/configuration/keystore/keystore.p12. Optionally, you can run the following, but since ant deploy will do some other things as well, it is recommended to copy the file as described in Step 4.
    ant deploy-keystore
5. Restart JBoss.
Renew Keystore using the CLI
To instead use the command line interface to renew the keystore, perform these steps:
1. Run the following in the CLI:
    bin/ejbca.sh ra setendentitystatus tomcat 10
    bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
    bin/ejbca.sh batch tomcat
    cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
    #for application servers older than WildFly 24
    #cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
2. Restart JBoss.
Optionally, you can use the following convenience ant target to simplify the process and save some typing. The ant target runs the above three ejbca.sh commands in succession.
1. Run the following in the CLI:
    ant renew-keystore
    cp p12/tomcat.p12 $APPSRV_HOME/standalone/configuration/keystore/keystore.p12
    #for application servers older than WildFly 24
    #cp p12/tomcat.jks $APPSRV_HOME/standalone/configuration/keystore/keystore.jks
2. Restart JBoss.
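Before restarting JBoss, it is worth confirming that the copied keystore.p12 really holds the renewed certificate, and the same check can run on a schedule to warn ahead of the next expiry. The script below is an added example, not part of the EJBCA documentation; it assumes the openssl CLI is installed, and the function names and the KEYSTORE_PASS environment variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the EJBCA documentation.
# Assumptions: the openssl CLI is installed, and the keystore password is in the
# KEYSTORE_PASS environment variable (hypothetical name) so that it does not
# show up in the process list or shell history.

# Print the server (leaf) certificate from a PKCS#12 keystore as PEM.
keystore_leaf_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KEYSTORE_PASS 2>/dev/null |
        openssl x509 2>/dev/null
}

# keystore_check_expiry <keystore.p12> [days]
# Returns 0 if the certificate stays valid for more than [days] days (default 30),
# 1 if it expires sooner or has already expired, 2 if the keystore is unreadable.
keystore_check_expiry() {
    p12=$1
    days=${2:-30}
    pem=$(keystore_leaf_cert "$p12") || pem=""
    if [ -z "$pem" ]; then
        echo "ERROR: cannot read a certificate from $p12" >&2
        return 2
    fi
    # Show whose certificate this is and its notAfter date.
    printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
    # -checkend exits 0 only if the certificate is still valid N seconds from now.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null; then
        echo "OK: valid for more than $days days"
        return 0
    fi
    echo "WARNING: expires within $days days, renew the keystore"
    return 1
}

# Script usage: sh check-keystore.sh <keystore.p12> [days]
if [ "$#" -ge 1 ]; then
    keystore_check_expiry "$@"
fi
```

Set KEYSTORE_PASS to the httpsserver.password value and pass the path to APPSRV_HOME/standalone/configuration/keystore/keystore.p12 as the first argument; the exit code makes the script usable from cron or a monitoring check.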