User Tools

Site Tools


SSL/TSL Certificates

When using HTTPS on your server you should most probably also provide a valid TLS (aka SSL) certificate. Otherwise browsers tend to block access to your page or at least give a big warning that the page is not secure.

Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Workflow when using WildFly

WildFly is not directly supported, so we have to use certbot's standalone mode. Install certbot (see


Install certbot:

sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot
sudo mkdir /opt/letsencrypt; cd /opt/letsencrypt

Then use interactive certificate creation (make sure port 80 or 443 are available!):

# sudo systemctl stop wildfly
sudo certbot certonly --standalone -d YOURDOMAIN

Then certificates reside in /etc/letsencrypt/live/YOURDOMAIN

FIXME document backing up of certificates

Create Java Keystore

Now we have to create a java keystore (.jks) for use with WildFly. Adapt the variables to match your use case, and note, that you should delete the lines containing passwords from your ~/.bash_history (or equivalent):
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem -inkey /etc/letsencrypt/live/${YOURDOMAIN}/privkey.pem -out ${YOURKEYSTORENAME}.p12 -name ${KEYSTOREALIAS} -passout pass:${OPENSSL_PASS}
sudo keytool -importkeystore -deststorepass ${WILDFLY_NEW_STORE_PASS} -destkeypass ${WILDLFY_NEW_KEY_PASS} -destkeystore ${NEW_KEYSTORE_FILE}.jks -deststoretype PKCS12 -srckeystore ${YOURKEYSTORENAME}.p12 -srcstoretype PKCS12 -srcstorepass ${OPENSSL_PASS} -alias ${KEYSTOREALIAS}

Copy the keystore to WildFly:

sudo cp ${NEW_KEYSTORE_FILE}.jks /opt/wildfly/standalone/configuration
sudo chown wildfly:nogroup /opt/wildfly/standalone/configuration/${NEW_KEYSTORE_FILE}.jks
WildFly Setup

Update the WildFly configuration in /opt/wildfly/standalone/configuration/standalone.xml in section server → management:

<security-realm name="SslRealm">
            <keystore path="NEW_KEYSTORE_FILE.jks" 
Update certificate

Since the certificates are not valid for long (3 months) we need regular updates. Check the validity of your certificates:

sudo certbot certificates

In case WildFly uses port 80/443 you have to shut it down now. Unfortunately you can not specify a different port for the validation, see certbot --help standalone (especially the option --tls-sni-01-port), and

Then renew the certificate (updates /etc/letsencrypt/live/${YOURDOMAIN}/fullchain.pem):

sudo certbot renew

Then repeat the steps for creating a new java keystore.

ssl_tsl_certificates.txt · Last modified: 2018/11/09 13:41 by mstraub