🔒 How to Install an SSL Certificate on a WildFly / Java (Tomcat-Based) Server


Securing your WildFly or Java-based Tomcat application with HTTPS is an essential step before going live. In this post, I’ll walk you through how to correctly generate a keystore, create a CSR, import SSL certificates from a Certificate Authority (CA), and finally configure WildFly to use them. Similar steps can be followed for Tomcat and other types of Java-based app servers.

If you’ve ever encountered the dreaded “The KeyStore does not contain any keys” error — you’re not alone. This guide will help you install SSL the right way, step by step.

🧩 Environment Used

Component           Details
Cloud Provider      AWS EC2
Operating System    Ubuntu 22.04 LTS
Application Server  WildFly 21.0.1.Final
Java Version        Oracle JDK 7 / 8 compatible
SSL Provider        Sectigo (Comodo) DV SSL
Keystore Type       JKS (Java KeyStore)


⚙️ Step-by-Step SSL Installation Guide

🪄 Step 1 — Generate a New Keystore and Private Key

(Recommended) On your server, go to the following WildFly location:

cd /usr/local/share/wildfly/standalone/configuration/certs/2025/

Create a new Java keystore (.jks) and a private key inside it:

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -genkeypair \
  -alias your_alias_name \
  -keyalg RSA \
  -keysize 2048 \
  -keystore your_keystore_name.jks \
  -storepass your_pass \
  -keypass your_pass \
  -validity 365 \
  -dname "CN=your_alias_name,OU=IT,O=your_company_name,L=City,ST=State,C=Country"

Some notes:

  1. Common Name (CN) — use your domain, e.g. yourdomain.com
  2. Validity can be adjusted as required.
  3. The -alias you choose must be the same everywhere, because you will import the signed certificate back into this same alias.
  4. The JKS contains the private key when you create a keypair with keytool -genkeypair. keytool does not write a separate .key PEM file by default.
  5. (Optional) Verify the JKS actually contains a private key.
    • Run this (use your keystore path and password):

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -list -v -keystore /path/to/your_alias_name.jks

    • Look at the output for the alias you created. If it says Entry type: PrivateKeyEntry, the private key is inside the JKS (normal).

🧾 Step 2 — Generate a Certificate Signing Request (CSR)

Use the same keystore to generate a CSR file for your SSL provider:

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -certreq \
  -alias your_alias_name \
  -file yourdomain.csr \
  -keystore your_keystore_name.jks \
  -storepass your_pass

🧾 Step 3 — Submit the CSR to your CA (CheapSSL → Sectigo) to get the signed certificate and intermediate chain.

  1. First purchase a Comodo PositiveSSL certificate from this website for ₹ 439.25/yr.
  2. Upload your_domain.csr (generated from step 2) on CheapSSL website.
  3. Select HTTP based method for domain verification.
  4. Download the Auth File
  5. Upload the file to your HTTP(S) server so that it is publicly accessible at a URL path like the one below:
    1. http://your_domain.com/.well-known/pki-validation/1234ABCDxxxxxxxxxxxxxxxxxxxx.txt
  6. Go to the URL provided above to verify your file is publicly visible.
  7. Click on Verify / Refresh on CheapSSL website and wait for 5 mins to get Certificates generated. The status of the order will go from Pending to Active.

📥 Step 4 — Download the Certificates from the CA
After your domain verification, your CA will provide several certificate files, typically including:

  • A root certificate (sometimes inside a bundle file)
  • Your domain certificate (e.g. yourdomain.crt)
  • Intermediate certificates

Example Sectigo/Comodo files:

your_domain_com.crt
My_CA_Bundle.ca-bundle
SectigoPublicServerAuthenticationCADVR36.crt
SectigoPublicServerAuthenticationRootR46_USERTrust.crt
USERTrustRSACertificationAuthority.crt

Unzip and upload all the files to the server where you want to install the SSL certificate, i.e. your WildFly server location:

/usr/local/share/wildfly/standalone/configuration/certs/2025/


🧩 Step 5 — Import Certificates in the Correct Order (Important)
All commands below must use the same keystore you used to generate the CSR. The import order matters because it builds the full certificate chain.

1️⃣ Import the Root Certificate

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -importcert -trustcacerts -alias root1 \
  -file USERTrustRSACertificationAuthority.crt \
  -keystore your_keystore_name.jks \
  -storepass your_pass

Press yes when prompted to trust.


2️⃣ Import the Next Root / Intermediate (Sectigo Public Server Authentication Root R46)

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -importcert -trustcacerts -alias root2 \
  -file SectigoPublicServerAuthenticationRootR46_USERTrust.crt \
  -keystore your_keystore_name.jks \
  -storepass your_pass


3️⃣ Import the Intermediate CA (DV R36)

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -importcert -trustcacerts -alias root3 \
  -file SectigoPublicServerAuthenticationCADVR36.crt \
  -keystore your_keystore_name.jks \
  -storepass your_pass


4️⃣ Finally, Import Your Domain Certificate

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -importcert \
  -alias your_alias_name \
  -file yourdomain.crt \
  -keystore your_keystore_name.jks \
  -storepass your_pass

  1. ✅ This step links the signed cert to the private key inside the keystore.
  2. If it says something like “Certificate reply was installed in keystore”, it worked.



🔍 Step 6 — Verify the Keystore and Recommended Steps

Check that your private key and full certificate chain are inside:

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -list -v -keystore your_keystore_name.jks \
   -storepass your_pass

✅ Look for:

Entry type: PrivateKeyEntry
Certificate chain length: 3 or 4

That confirms a proper full chain and private key inside the JKS.
If you see only trustedCertEntry, it means your certificate was imported into the wrong keystore or alias — go back and repeat Step 5.
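To make this Step 6 check repeatable (for example in a deploy script), here is an added shell example that is not from the original post: it reads keytool -list -v output and fails unless the alias holds a PrivateKeyEntry with a chain of at least 3 certificates, printing the likely cause otherwise. The listings embedded below are constructed samples, and check_keystore_listing and the alias names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check the output of
#   keytool -list -v -keystore your_keystore_name.jks -storepass your_pass
# for the two things Step 6 asks you to look for, before restarting WildFly.
# Reads the listing on stdin; returns 0 only if ALIAS is a PrivateKeyEntry
# whose chain is at least 3 certificates long, and prints the reason otherwise.
check_keystore_listing() {
  awk -v want="$1" '
    /^Alias name:/                              { cur = $3 }
    /^Entry type:/ && cur == want               { etype = $3 }
    /^Certificate chain length:/ && cur == want { clen = $4 }
    END {
      if (etype == "PrivateKeyEntry" && clen + 0 >= 3) {
        print "OK: " want " is a PrivateKeyEntry with chain length " clen; exit 0
      }
      if (etype == "") { print "FAIL: alias " want " not found in this keystore" }
      else if (etype != "PrivateKeyEntry") { print "FAIL: " want " is " etype " (wrong keystore or alias for the import?)" }
      else { print "FAIL: chain length " (clen + 0) " is too short, re-import the chain in order" }
      exit 1
    }'
}

# Constructed sample listings (abridged keytool -list -v output), no real keys.
GOOD_LISTING='Keystore type: JKS
Your keystore contains 4 entries

Alias name: your_alias_name
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=yourdomain.com, OU=IT, O=your_company_name
Issuer: CN=Sectigo Public Server Authentication CA DV R36

Alias name: root1
Entry type: trustedCertEntry
Owner: CN=USERTrust RSA Certification Authority'

# The "does not contain any keys" case: the cert went in as a trusted entry.
BAD_LISTING='Alias name: your_alias_name
Entry type: trustedCertEntry
Owner: CN=yourdomain.com, OU=IT, O=your_company_name'

# Run against the real keystore like this (alias must match the one from Step 1):
#   sudo keytool -list -v -keystore your_keystore_name.jks -storepass your_pass \
#     | check_keystore_listing your_alias_name
printf '%s\n' "$GOOD_LISTING" | check_keystore_listing your_alias_name
```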

If all looks good, set permissions for WildFly (recommended):

sudo chown wildfly:wildfly /usr/local/share/wildfly/standalone/configuration/certs/2025/your_domain.com.jks

sudo chmod 640 /usr/local/share/wildfly/standalone/configuration/certs/2025/your_domain.com.jks

Note: If an import fails because the alias is already present, remove it from the JKS with the commands below:

sudo /usr/lib/jvm/java-7-oracle/bin/keytool -delete -alias root -keystore your_domain.com.jks
sudo /usr/lib/jvm/java-7-oracle/bin/keytool -delete -alias root1 -keystore your_domain.com.jks
sudo /usr/lib/jvm/java-7-oracle/bin/keytool -delete -alias root2 -keystore your_domain.com.jks
sudo /usr/lib/jvm/java-7-oracle/bin/keytool -delete -alias root3 -keystore your_domain.com.jks



⚙️ Step 7 — Configure WildFly for HTTPS

Edit your WildFly configuration file (standalone.xml, or standalone-full.xml if that is the profile you run) and update your SSL realm:

/usr/local/share/wildfly_latest/standalone/configuration/standalone-full.xml

<server-identities>
    <ssl>
        <keystore path="path/to/your_keystore_name.jks"
                  relative-to="jboss.server.config.dir"
                  keystore-password="your_password" />
    </ssl>
</server-identities>

⚙️ Step 8 — Restart WildFly / Solr

If you have Solr instances using the same app server, you need to copy the .jks file to the Solr folder as well.

sudo cp your_domain_com.jks /opt/solr/server/etc/

sudo service solr restart

Also restart WildFly and check the server logs:

sudo service wildfly restart

sudo tail -n 100 /usr/local/share/wildfly/standalone/log/server.log


If the SSL setup is correct, you won’t see any “does not contain any keys” or “failed to start ApplicationRealm.key-manager” errors.

🧪 Step 9 — Verify the HTTPS Certificate

From any system that can reach your server, run:

openssl s_client -connect yourdomain.com:8443 -showcerts </dev/null

You should see:

Verify return code: 0 (ok)


That confirms your SSL is installed and working perfectly.


🧠 Common Errors and Fixes

Error: “The KeyStore does not contain any keys”
  Cause: You imported certificates into a new keystore instead of the one where the CSR was generated.
  Solution: Use the same keystore and alias for all imports.

Error: “Alias already exists”
  Cause: Trying to import a certificate with an alias that is already used.
  Solution: Either delete the existing alias or use a new alias.

Error: “Failed to start ApplicationRealm.key-manager”
  Cause: WildFly couldn’t find a private key.
  Solution: Check that your keystore contains a PrivateKeyEntry.

Error: “Connection refused” on the HTTPS port
  Cause: WildFly not bound to the SSL port, or the SSL config is incorrect.
  Solution: Verify the <socket-binding-group> and <https-listener> settings.

Error: Browser shows an incomplete chain
  Cause: One or more intermediate certificates are missing.
  Solution: Re-import the intermediate/root certs in the proper order.

✅ Final Summary

  • Always use one keystore from start to end
  • Import certificates in correct order (root → intermediate → domain)
  • Verify with keytool -list and openssl s_client
  • The .jks file already includes the private key — no .key file required
  • Works for WildFly, JBoss, or Tomcat-based Java servers

Hope you liked this post. If yes, share it with your colleagues and give us a follow on our LinkedIn Page.

Until next time,

Happy coding!

Kailash Gajara
