4 Replies Latest reply on Oct 10, 2012 11:14 AM by Ay Kay

    SSL with .pem and private Key

    Ay Kay Newbie

      Hi there.


      I was told to make JBoss talk HTTPS and was given a certification file which is a .PEM file and a private key file. The certification file heads with

      -----BEGIN CERTIFICATE-----

      and has a public key. The private key file heads with

      -----BEGIN RSA PRIVATE KEY-----

      My try to make JBoss listen to 8443 utilizing this certification in standalone.xml is


      <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

           <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

           <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">

           <ssl name="PROJECTNAME-SSL" password="myCoolPassword" certificate-key-file="../standalone/configuration/PROJECTNAME.keystore" protocol="TLSv1" ca-certificate-file="../standalone/configuration/RapidSSL_Intermediate_CA.pem" verify-client="true" />



      As you can see I added the certificate file to a keystore using keytool. This is about the command I used:

      keytool -import -alias OUR_COOL_DOMAIN -file RapidSSL_Intermediate_CA.pem -keystore PROJECTNAME.keystore


      But all this is to no avail. The response to

      is ERROR: Connection failed in the browser. HTTP (8080) works, of course.


      netstat -an tells me

      tcp    0*           LISTEN
      tcp    0*           LISTEN
      tcp    0*           LISTEN
      tcp    0 IP-ADDRESS:8080*           LISTEN

      but no mention of 8443.


      The end of standalone.xml says


      <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">

           <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>

           <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>

           <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>

           <socket-binding name="ajp" port="8009"/>

           <socket-binding name="http" port="8080"/>

           <socket-binding name="https" port="8443"/>


      Found some approaches to SSL, but nothing with .PEM and PK file.

      Is somebody an expert in this? Where am I going wrong?




        • 1. Re: SSL with .pem and private Key
          Ay Kay Newbie

          Meanwhile I made JBoss (7.1.1) listen to port 8443 via HTTPS by this:


               <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">

                    <ssl name="https" password="myCoolPassword"


                         protocol="TLSv1" verify-client="false"




          I created the keystore once again. This time by:


               keytool -import -trustcacerts -alias OUR_DOMAIN -keystore PROJECTNAME.keystore -file RapidSSL_Intermediate_CA.pem


          Again, the private key file I was given by the admin has not been applied or mentioned anywhere. (This troubles me somewhat, but I didn't find a hint where to make use of such a private key file. I tried to import it into the keystore but was told that it is a "Keytool-Error: java.lang.Exception: Input not a X.509-Certificate". So I keep ignoring the private key file. A mistake?)



          netstat -an | grep :8

          tells me

          tcp    0 IP-ADDRESS:8080*           LISTEN
          tcp    0 IP-ADDRESS:8443*           LISTEN


          And the browser is now able to contact the site (JBoss) via


          but yielding a

               Secure connection failed (Error-Code: ssl_error_no_cypher_overlap) (in Firefox 15)


               Secure connection: Severe Error (40) of servers. (in Opera 12)

          • 2. Re: SSL with .pem and private Key
            Ay Kay Newbie

            Meanwhile I was given a new certificate file by the admin ending with .crt and this one I can finally import into the keystore. But still, the browser / server communication via httpS://host:8443/projectURL does not work.

            I really tried a lot of settings in standalone.xml but I cannot finish this project because JBoss seems to be unmanageable in this area. Documentation is also very poor.


            Opera 12 tells me that "the connection could not be established"....

            Cannot tell you guys how much this sucks....


            Final note: I cannot provide a key-alias because I wasn't given one. So I keep ignoring such one in my standalone.xml setting. All I have is a keystore filled with the public certificate of the CA (Certification Authority) and a private cert (.crt). I imported the first using alias "root" and the latter using the alias "PROJECT-NAME".



            • 3. Re: SSL with .pem and private Key
              Nicklas Karlsson Master



                * You created the csr file against (or creating) a keystore. No errors?

                * You had the csr signed and got a crt back. No errors?

                * You imported the crt into the keystore, trusting CA:s. No errors?


              What is the exact error log now that the AS boots? The problem probably comes from ignoring the alias; it is given at csr creation time.




              • keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
              • keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
              • keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
              • keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks


              • 4. Re: SSL with .pem and private Key
                Ay Kay Newbie

                Thanks Nicklas Karlsson.


                I wasn't creating a certification request myself.

                I was given a certificate from the admin.


                I was told to make that wildcard certificate fly with JBoss just the way it already flies with apache. Re-issuing a certificate for JBoss at the CA's site was strictly forbidden. So I started somewhat deeper the usual Java certification process. No CSR request file on my part involved.


                Despite that, thanks for your commands summary. This pattern of instructions confirmed to me that I was actually doing it right and it will surely be helpful to the next wave of folks dealing with JBoss/SSL.


                Today I made it fly with openssl.
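
One common way to get an existing PEM certificate and its RSA private key into a Java keystore, shown as an added example that is not from the thread (the poster does not say which openssl commands were used). `keytool -import` accepts only certificates, so the key is first bundled with its certificate into PKCS#12 and that bundle is then imported; the file names, the alias and the `P12_PASS` environment variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example: file names, alias and the P12_PASS variable are placeholders.
# Passwords are read from $P12_PASS so they stay out of the process list.
set -eu

make_sample_pem() {  # args: dir; constructed stand-in for the supplied files
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

pem_to_pkcs12() {  # args: cert.pem key.pem out.p12 alias [chain.pem]
  # Refuse to bundle a key that does not belong to the certificate.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2
    return 1
  fi
  # -certfile adds the intermediate CA chain when one is supplied.
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$4" \
    ${5:+-certfile "$5"} -out "$3" -passout env:P12_PASS
}

p12_has_private_key() {  # args: file.p12
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

p12_to_jks() {  # args: file.p12 keystore.jks alias
  keytool -importkeystore -noprompt -srcalias "$3" \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
    -destkeystore "$2" -deststoretype JKS -deststorepass:env P12_PASS
}

jks_has_key_entry() {  # args: keystore.jks alias
  # A server keystore must list the alias as PrivateKeyEntry; an alias
  # created with "keytool -import" is only a trustedCertEntry.
  keytool -J-Duser.language=en -list -keystore "$1" -alias "$2" \
    -storepass:env P12_PASS | grep -q "PrivateKeyEntry"
}
```

With the resulting keystore, `certificate-key-file` points at the keystore file and `key-alias` names the alias passed to `pem_to_pkcs12`.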