I am currently in the process of converting all my private machines to SSL only communication. I personally think that this has become a must-have not only in business but also in your private life.
For my private applications, I have been trying to avoid the cost for SSL certificates, but at the same time, use of self-signed certificates seemed insufficient. So I was happy when I came across
letsencrypt, a free and automated certificate authority.
I am running a couple of PLESK managed machines, and there is a (beta stadium) plugin available that fully covers the communication with the letsencrypt service and also takes care of the automatic renewal of certificates before they expire. While this plugin works out of the box for the Apache http server and NGINX, there is no full support yet for servlet containers and application servers such as e.g. Tomcat or Wildfly. As I am experimenting with Wildfly based applications, that is exactly what I would need. So here's what I did to get it to work:
For the static html part of my website, I am still using the Apache service. So, I am letting the Plesk plugin mentioned earlier take care of the automated certificate retrieval and renewal process. As a result, symlinks to the current components of my certificate and the verification chain can always be found under
/etc/letsencrypt/live/[mydomainname].
The challenge was that letsencrypt provides everything in form of PEM formatted files. Wildfly however works with Java keystores which by definition cannot directly process PEM.
So, in a first step, I had to convert everything to PKCS12, which is fairly simple using the
openssl tools once you know the required parameters:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.pkcs12 \
-alias [mydomain] -CAfile chain.pem -caname root
This command created the pkcs12 formatted file I need (cert_and_key.pkcs12). It contains the full certificate chain as well as the private signing key. The other file names are the ones generated by letsencrypt. You will be asked for an export password. Here, you can use something very simple ('secret' in my example), as you will only need it once for the following step.
keytool -importkeystore -srckeystore cert_and_key.pkcs12 -srcstoretype PKCS12 \
-srcstorepass secret -destkeystore mykeystore.jks -deststorepass [strongpassword] \
-destkeypass [strongpassword]
Please make sure to keep the passwords for store and key in a safe place.
Okay, so now we have a java keystore holding everything required to enable secure communication between client software and my server. In a final step, I needed to let Wildfly know where to find my keystore and how to use it.
This is a pretty straight-forward process. I am using the Wildfly server in standalone mode, so the config file I have to edit is
standalone.xml. Please check the documentation to find out which configuration file is the one to modify for your particular run mode.
...not done yet, here. This portion will follow soon. Keep hanging in...
