(Optional) Obtain and Import a Trusted Certificate into the Administrative UI

When the Administrative UI is accessed over SSL, the server secures the connection using a self-signed certificate by default. This content describes how to replace the Administrative UI server self-signed certificate with a certificate that is signed by a trusted Certificate Authority (CA). A trusted certificate ensures a secure connection to the Administrative UI and prevents browser security warnings.
Note: This content also applies to the REST APIs and REST API interactive reference documentation, which are also served by the Administrative UI and are always provided over an SSL connection.
Follow these steps:
  1. Stop the Administrative UI service.
  2. Open a command window and navigate to the following directory:
    • Windows: AdminUI_Install_Directory\standalone\configuration
    • UNIX: AdminUI_Install_Directory/standalone/configuration
  3. Run one of the following commands to back up the existing keystore file (keyStore.jks) to a secure location:
    • Windows: copy keyStore.jks keyStore.jks.backup
    • UNIX: cp keyStore.jks keyStore.jks.backup
  4. Run the following command to list the current entries in the Administrative UI keystore:
    keytool -list -keystore keyStore.jks -storepass changeit -v
    Note: "changeit" is the default keystore password. If you have changed the password, use that password instead of "changeit."
  5. Run the following command to delete the current self-signed certificate and key pair from the keystore:
    keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v
    ("tomcat" is the alias for the default self-signed certificate and keypair.)
  6. Run the following command to generate a key pair (public and private keys) and a self-signed certificate and store them in the Administrative UI keystore:
    keytool -genkeypair -alias jboss_key -keyalg RSA -keysize 1024 -sigalg SHA256withRSA -dname "CN=AdminUI_FQDN" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v
    Notes:
    • The new self-signed certificate is named "jboss_key."
    • AdminUI_FQDN is the fully qualified domain name of the Administrative UI server.
    • The -keypass and -storepass values (both "changeit" here) must be the same as the keystore password. If you have changed the password, use that password instead of "changeit" in both cases.
    A key pair and a self-signed certificate are generated and stored in the keystore.
  7. Open the standalone-full.xml file in a text editor and make the following change:
    Change keyAlias="tomcat" to keyAlias="jboss_key" (all lowercase).
  8. Run the following command to generate a PKCS#10 Certificate Signing Request (CSR) file:
    keytool -certreq -alias jboss_key -sigalg SHA256withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v
    A CSR file named adminui_certreq.p10 is generated.
  9. Submit the adminui_certreq.p10 file to a trusted Certificate Authority (CA) for signing.
  10. When you receive the signed certificate from the CA, run the following command to import it:
    keytool -importcert -alias jboss_key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v
    Notes:
    • adminui_cert.p7b is the signed certificate request from the CA in PKCS#7 format. PKCS#7 format contains the server certificates, intermediate certificate (if any), and root certificates.
    • If only a server certificate is provided, then you might also need to import the intermediate and root certificate.
    • This command overwrites the previously created self-signed certificate with the certificate that is provided by the CA.
  11. Start the Administrative UI service and verify that the new trusted certificate is in effect. If the trusted certificate is not in effect, look in AdminUI_Install_Directory/standalone/log/server.log for possible errors.
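
A keystore check for steps 5 through 10, as an added example that is not part of the vendor procedure: the shell function below reads the output of the keytool -list -v command from step 4 and reports whether an alias still holds the self-signed certificate or a CA-signed chain. The function name, exit codes and sample listings (example.com names) are constructed for illustration.

```shell
# Added example (not vendor code): classify one alias from `keytool -list -v` output.
# On the server: keytool -list -v -keystore keyStore.jks -storepass changeit | check_alias jboss_key
# Exit status: 0 CA-signed with chain, 1 still self-signed,
#              2 alias missing or not a PrivateKeyEntry, 3 only the server certificate stored.
check_alias() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                          # tolerate Windows line endings
        /^Alias name: /  { cur = substr($0, 13); idx = 0; next }
        cur != want      { next }                   # ignore every other entry
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate chain length: / { len = $NF + 0 }
        /^Certificate\[/ { idx = substr($0, 13) + 0 }   # position in the chain
        idx == 1 && /^Owner: /  { owner  = substr($0, 8) }
        idx == 1 && /^Issuer: / { issuer = substr($0, 9) }
        END {
            if (type != "PrivateKeyEntry") { print want ": no private key entry"; exit 2 }
            if (owner == issuer) { print want ": self-signed (" owner ")"; exit 1 }
            if (len < 2) { print want ": CA-signed, but no intermediate/root in chain"; exit 3 }
            print want ": CA-signed by " issuer ", chain length " len; exit 0
        }'
}

# Constructed sample listings, abridged to the fields the check reads.
sample_after_step_6() {
    cat <<'EOF'
Alias name: jboss_key
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=adminui.example.com
Issuer: CN=adminui.example.com
EOF
}

sample_after_step_10() {
    cat <<'EOF'
Alias name: jboss_key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=adminui.example.com
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}
```

Running the check against the "tomcat" alias after step 5 should return status 2, which confirms the default self-signed entry is gone.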