Configuring a test SSL certificate for Jboss

I just had to set up a test certificate for my local install of Jboss 4.2.3 to try out some SSL code. It wasn’t completely obvious so here are some notes on how to do it.

First off you need to create a self-signed certificate. You do this using the keytool application that comes with Java. Open a command prompt and run the following command. You will need to change the path to your Jboss conf directory to reflect your install:

C:\>keytool -genkey -alias tomcat -keyalg RSA -keystore C:\jboss-4.2.3.GA\server\default\conf\localhost.keystore

When prompted, use a password of changeit everywhere. It’s important that you answer localhost to the first question: that answer becomes the certificate’s CN, which has to match the host name you browse to.

Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  NZ
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=NZ correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password): changeit
Re-enter new password: changeit

Next up you need to configure Tomcat to create an SSL connector.

Edit C:\jboss-4.2.3.GA\server\default\deploy\jboss-web.deployer\server.xml and find the commented out SSL connector example, uncomment it and tweak it as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
keystorePass="changeit"
/>

Finally, add two system properties to your Jboss startup command so that the javax.net.ssl library uses your new keystore as its trust store. These are only needed if you make SSL calls back to yourself. I needed them because I had CAS and 3 apps authenticating with CAS all running in the same dev Jboss instance:

-Djavax.net.ssl.trustStore=C:\jboss-4.2.3.GA\server\default\conf\localhost.keystore
-Djavax.net.ssl.trustStorePassword=changeit
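One caveat with the two -D properties: javax.net.ssl.trustStore replaces the JVM’s default trust store (cacerts), so every other HTTPS call from that JVM will then only trust the localhost certificate. If you would rather keep that trust scoped to the client that actually talks to your local Jboss, you can build an SSLContext from the keystore and attach it to a single HttpsURLConnection. The following is an added example, not code from the original post; it assumes the same keystore path, password and alias created above, and uses the standard javax.net.ssl API only.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post): trust the test keystore for one
 * client connection instead of setting javax.net.ssl.trustStore JVM-wide.
 */
public class LocalhostTrust {

    // Assumed values: the keystore and password created with keytool above.
    private static final String KEYSTORE =
        "C:\\jboss-4.2.3.GA\\server\\default\\conf\\localhost.keystore";
    private static final char[] PASSWORD = "changeit".toCharArray();

    /** Build an SSLContext whose only trust anchors come from the given JKS file. */
    static SSLContext contextTrusting(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");  // keytool's default store type
        InputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        // The trust manager accepts the self-signed certificate stored under alias "tomcat".
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No key manager: the connector has clientAuth="false", so no client certificate is sent.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrusting(KEYSTORE, PASSWORD);
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        // Only this connection uses the test trust store; the JVM default (cacerts) is untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is deliberately left in place: it compares the URL host
        // with the name in the certificate, which is why the post insists on answering "localhost".
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getURL());
        X509Certificate peer = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Server certificate subject: " + peer.getSubjectX500Principal());
    }
}
```

Run it against the Jboss instance started with the connector above; if the CN had been answered with anything other than localhost, the handshake would be rejected by hostname verification even though the certificate itself is trusted.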

OK, now browse to https://localhost:8443/

Your browser will complain about the self-signed certificate. Just follow your browser’s instructions to add it as a security exception so you won’t be prompted again, and you are all done.