Hi Sharma. I found different guides to install the certificate so I will include the one that worked. If you have done this correctly you only have to edit the server.xml so that the right keystore and ports are being used.<br /><br />Guide from:<br /><br />I recently had to configure a production JBoss 3.2.5/Policy Server with<br />a server certificate from Entrust for SSL. Here are my notes on that.<br /><br />1) Create a keystore as well as a certificate-key pair using the<br />following command:<br />$JAVA_HOME\jre\bin\keytool -genkey -keystore <keystore_filename><br />-storepass <keystore_password> -keypass <keystore_password> -keyalg RSA<br />-validity 365 -alias <alias_name> -dname<br />"cn=<fully_qualified_DNS_name_of_server>, OU=<department_name>,<br />O=<company_name>, ST=<state_or_province_name>, C=<country_name>"<br /><br />note: the quotes are required. -storepass and -keypass should be the<br />same. Make sure you get the fully_qualified_DNS_name_of_server exactly<br />right, if not you'll regret it later.<br /><br />2) Create a Certificate Signing Request (CSR) for the certificate in the<br />certificate-key pair you just created with the following command:<br />$JAVA_HOME\jre\bin\keytool -certreq -keystore<br /><full_path_to_the_keystore_filename> -alias <alias_name> -storepass<br /><keystore_password> -keypass <keystore_password> -keyalg RSA -file<br /><filename_for_the_CSR><br /><br />3) Get the customer's IT person in charge of the customer's SSL<br />certificates to login to their Certificate Authority's website to<br />request the Certificate Authority to sign the new certificate with their<br />own certificate. Copy-paste the contents of the <filename_for_the_CSR>.<br />It'll look like gobbledygook. The Certificate Authority can be<br />VeriSign, Entrust, Thawte or any other.<br /><br />4) Get the customer's IT person in charge of the customer's SSL<br />certificates to forward to you the response from the Certificate<br />Authority. If it is in the body of an e-mail, copy-paste the contents<br />(including the BEGIN CERTIFICATE and END CERTIFICATE lines) into a text<br />file, save as "All Files" with any filename like CA_signed_cert.cer<br /><br />5) Import the CA-signed certificate back into your keystore with the<br />following command:<br />$JAVA_HOME\jre\bin\keytool -import -trustcacerts -keystore<br /><keystore_filename> -storepass <keystore_password> -alias <alias_name><br />-keypass <keystore_password> -file <filename_for_the_CA_signed_cert><br /><br />If you fail to add the -trustcacerts parameter, you will get a "failed<br />to establish chain from reply" error. This is because the file cacerts<br />in $JAVA_HOME\jre\lib\security\ contains the public certificates of all<br />the popular CAs like VeriSign, Entrust and Thawte. To determine the<br />contents of the cacerts file (to verify if your CA is listed there), use<br />the following command:<br />$JAVA_HOME\jre\bin\keytool -list -keystore<br />$JAVA_HOME\\jre\lib\security\cacerts -storepass changeit<br />You will get an output like what is attached.<br /><br />6) Copy the keystore file to $JBOSS_HOME\conf\<br /><br />7) Edit server.xml in<br />$JBOSS_HOME\server\all\deploy\jbossweb-tomcat50.sar\ to point the<br />SSL/TLS Connector to the new keystore file like this:<br />keystoreFile="${jboss.server.home.dir}/conf/<keystore_filename>"<br />keystorePass="<keystore_password>"<br /><br />8) re-start JBoss.<br /><br />9) Access it with the URL<br />https://<fully_qualified_DNS_name_of_server>:8443<br /><a href=https://<fully_qualified_dns_name_of_server>:8443/> . It should work<br />and there should be no warning dialogs.<br /><br />- Jayan<br /><br />Jayan Kandathil<br />Adobe Consulting
