Setting up secure communication on a JBoss server often requires generating a public-private key pair and configuring it for SSL/TLS.
In this post, we'll walk you through the complete process of:
✅ Generating the key pair and keystore
✅ Exporting the public key
✅ Extracting the private key (optional step using OpenSSL)
✅ [Optional] Preparing for JBoss configuration
🛠 Step 1: Generate the Keystore with a Key Pair
Use Java’s built-in `keytool` to create a keystore with a self-signed certificate.
```bash
keytool -genkeypair \
  -alias server \
  -keyalg RSA \
  -keysize 2048 \
  -keystore server.keystore \
  -validity 365
```
📝 What the options mean:
| Option | Description |
| --- | --- |
| `-alias server` | Alias to identify the key inside the keystore |
| `-keyalg RSA` | RSA algorithm for encryption |
| `-keysize 2048` | Key length in bits (2048 = secure and common) |
| `-keystore server.keystore` | File where the keypair is stored |
| `-validity 365` | Valid for 1 year |
You’ll be prompted to enter a keystore password and your organization details.
📤 Step 2: Export the Public Key (Certificate)
Now export the public key certificate to a file:
```bash
keytool -export \
  -alias server \
  -file server.cer \
  -keystore server.keystore
```
Then, print and verify the public key:
```bash
keytool -printcert -file server.cer
```
✅ `keytool -printcert` displays the certificate, which contains the public key, in a human-readable format.
🔓 Step 3: Extract the Private Key (Optional)
Java's `keytool` does not allow direct private key export. To extract it, convert the keystore to PKCS12 format and use OpenSSL:
3.1 Convert the Keystore to PKCS12:
```bash
keytool -importkeystore \
  -srckeystore server.keystore \
  -destkeystore server.p12 \
  -srcstoretype JKS \
  -deststoretype PKCS12 \
  -srcalias server \
  -destalias server \
  -deststorepass changeit \
  -srcstorepass changeit
```
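Replace `changeit` with your actual keystore password. If you omit `-srcstorepass` and `-deststorepass`, `keytool` prompts for the passwords instead, which keeps them out of your shell history.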
3.2 Use OpenSSL to Extract the Private Key:
```bash
openssl pkcs12 -in server.p12 -nocerts -out server-private.key -nodes
```
| Option | Description |
| --- | --- |
| `-nocerts` | Don’t include certificates, only the private key |
| `-nodes` | Don’t encrypt the private key in output |
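Now you have `server-private.key`, which holds your private key in PEM format. Because `-nodes` leaves the key unencrypted, keep the file readable only by the account that needs it.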
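As an added example (not part of the original post), the script below checks that the key extracted in Step 3 belongs to the certificate exported in Step 2, and that the unencrypted key file is not accessible to other users. The function names are hypothetical, and it assumes the `openssl` CLI is on the PATH.

```bash
#!/bin/sh
# Added example: checks for the files produced in Steps 2 and 3.
# Function names are hypothetical; requires the openssl CLI on PATH.

# key_matches_cert KEY CERT
# Exit 0 if the private key and the certificate carry the same public key,
# 1 if they differ, 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    # keytool -export writes DER unless -rfc is given: try DER, then PEM.
    cert_pub=$(openssl x509 -inform DER -in "$2" -pubkey -noout 2>/dev/null ||
               openssl x509 -inform PEM -in "$2" -pubkey -noout 2>/dev/null) ||
        return 2
    [ "$key_pub" = "$cert_pub" ]
}

# key_is_private FILE
# Exit 0 only if FILE has no group or other permission bits set.
# Step 3.2 uses -nodes, so file permissions are the key's only protection.
key_is_private() {
    [ -f "$1" ] || return 2
    [ -z "$(find "$1" -perm -040 -o -perm -020 -o -perm -010 \
                      -o -perm -004 -o -perm -002 -o -perm -001)" ]
}

# Usage: sh check-key.sh server-private.key server.cer
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key matches certificate"
    else
        echo "FAIL: key and certificate differ, or a file is unreadable"
    fi
    if key_is_private "$1"; then
        echo "OK: key file is owner-only"
    else
        echo "FAIL: key file is accessible to group or others (chmod 600)"
    fi
fi
```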
🧩 Summary
| File | Description |
| --- | --- |
| `server.keystore` | Contains the full keypair (used by JBoss) |
| `server.cer` | Public key certificate |
| `server.p12` | PKCS12 format (intermediate step) |
| `server-private.key` | Extracted private key (PEM format) |
⚙️ JBoss SSL Configuration (Optional)
Once you have your keystore, you can plug it into JBoss’s configuration:
In `standalone.xml`:
```xml
<security-realm name="SSLRealm">
  <server-identities>
    <ssl>
      <keystore path="server.keystore"
                relative-to="jboss.server.config.dir"
                keystore-password="changeit"/>
    </ssl>
  </server-identities>
</security-realm>
```
Don’t forget to restart JBoss after configuration changes.
🧠 Pro Tip
If you're setting up production SSL, you might consider:
- Getting a certificate signed by a CA
- Using Let’s Encrypt or other tools
- Managing your keystore securely (no hardcoded passwords!)