JBoss/WildFly

Prerequisites

Feedback
A JBoss/WildFly application server running on a Linux system with administrative access.
Feedback
A certificate profile configured with the ACME enrollment method in Hanzo KMS.
Feedback
Network connectivity from your JBoss/WildFly server to Hanzo KMS.
Feedback
Port 80 open and reachable for ACME HTTP-01 validation.
Feedback
Java Development Kit (JDK) installed for keystore management tools.

Guide

Navigate to your certificate management project in Hanzo KMS and locate your certificate profile configured with the ACME enrollment method.

Click the Reveal ACME EAB option to view the ACME configuration details.

From the ACME configuration, gather the following values:

• ACME Directory URL: The URL that Certbot will use to communicate with Hanzo KMS's ACME server. This takes the form https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory.
• EAB Key Identifier (KID): A unique identifier that tells Hanzo KMS which ACME account is making the request.
• EAB Secret: A secret key that authenticates your ACME client with Hanzo KMS.

Keep your EAB credentials secure as they authenticate your ACME client with KMS PKI. These credentials are unique to each certificate profile and should not be shared.

Install Certbot on the server where JBoss/WildFly is running by following the official Certbot installation guide.

The installation guide provides up-to-date instructions for various Linux distributions and package managers, ensuring you get the most current version of Certbot.

After installation, you can verify that Certbot has been installed correctly by running:

certbot --version

Since JBoss/WildFly doesn't have a native Certbot plugin, use the standalone authenticator to obtain certificates. Important: You must stop JBoss/WildFly before running this command as Certbot needs to bind to port 80 for the HTTP-01 challenge.

Stop your JBoss/WildFly server:

sudo systemctl stop wildfly
# or for older JBoss versions
# sudo systemctl stop jboss

Run the following command to request a certificate from Hanzo KMS:

sudo certbot certonly \
  --standalone \
  --server "https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory" \
  --eab-kid "your-eab-key-identifier" \
  --eab-hmac-key "your-eab-secret" \
  -d example.kms.hanzo.ai \
  --email admin@example.com \
  --agree-tos \
  --non-interactive

For guidance on each parameter:

• certonly: Instructs Certbot to request a certificate without modifying your JBoss/WildFly configuration; this mode is recommended because JBoss/WildFly requires certificates in Java keystore format rather than the PEM format that Certbot provides.
• --standalone: Uses Certbot's standalone authenticator to solve the HTTP-01 challenge by starting a temporary web server on port 80.
• --server: The Hanzo KMS ACME directory URL from Step 1. This instructs Certbot to communicate with Hanzo KMS's ACME server instead of Let's Encrypt.
• --eab-kid: Your External Account Binding (EAB) Key Identifier from Step 1.
• --eab-hmac-key: The EAB secret associated with the KID from Step 1.
• -d: Specifies the domain name for which the certificate is being requested.
• --email: The contact email for expiration notices and account recovery.
• --agree-tos: Accepts the ACME server's Terms of Service.
• --non-interactive: Runs Certbot without prompting for user input (recommended for automation).

The Certbot command generates a private key on your server, creates a Certificate Signing Request (CSR) using that key, and sends the CSR to Hanzo KMS for certificate issuance. Certbot stores the private key and resulting leaf certificate and full certificate chain in /etc/letsencrypt/live/{domain-name}/.

Because JBoss/WildFly requires certificates in Java keystore format, you'll need to convert the PEM certificates provided by Certbot in the next step.

JBoss/WildFly requires certificates in Java keystore format rather than the PEM format provided by Certbot. Convert the PEM certificates to PKCS#12 format, which is supported by modern JBoss/WildFly versions.

Create a PKCS#12 keystore from the PEM files:

sudo openssl pkcs12 -export \
  -out /opt/wildfly/standalone/configuration/keystore.p12 \
  -inkey /etc/letsencrypt/live/example.kms.hanzo.ai/privkey.pem \
  -in /etc/letsencrypt/live/example.kms.hanzo.ai/cert.pem \
  -certfile /etc/letsencrypt/live/example.kms.hanzo.ai/chain.pem \
  -passout pass:changeit

Set appropriate file permissions for security:

sudo chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore.p12
sudo chmod 600 /opt/wildfly/standalone/configuration/keystore.p12

You will need to configure JBoss/WildFly to use the new keystore. This process varies depending on your JBoss/WildFly version and security configuration (legacy security realms vs. Elytron subsystem). Refer to your JBoss/WildFly administration guide for specific SSL/TLS configuration steps.

Replace changeit with a strong password and adjust the WildFly installation path based on your environment. Modern WildFly versions support PKCS#12 keystores directly, while older versions may require conversion to JKS format using the keytool utility.

After configuring JBoss/WildFly SSL, verify that your certificate was issued correctly and the keystore was created properly.

Check that the certificate files were created by Certbot:

sudo ls -la /etc/letsencrypt/live/example.kms.hanzo.ai/

You should see files like:

• cert.pem (your certificate)
• chain.pem (certificate chain)
• fullchain.pem (certificate + chain)
• privkey.pem (private key)

Verify the PKCS#12 keystore was created:

sudo ls -la /opt/wildfly/standalone/configuration/keystore.p12

Test the keystore contents (optional):

sudo keytool -list -storetype PKCS12 -keystore /opt/wildfly/standalone/configuration/keystore.p12 -storepass changeit

Once you've configured JBoss/WildFly to use the keystore and restarted the service, you can verify HTTPS is working by accessing your application over SSL.

Unlike standard web servers, JBoss/WildFly certificate renewal requires additional steps because certificates must be converted to Java keystore format and the application server must be restarted to use the new certificates.

To test the renewal process without affecting your live certificates, run the following command:

sudo certbot renew --dry-run

This command simulates the full renewal process without modifying your active certificate. If the dry run succeeds, the renewal mechanism itself will work as expected.

For actual renewal, since JBoss/WildFly requires the standalone authenticator, you'll need to stop the server, perform the renewal, convert the certificate, and restart:

# Stop JBoss/WildFly
sudo systemctl stop wildfly

# Renew the certificate
sudo certbot renew --quiet

# Convert to keystore format
sudo openssl pkcs12 -export \
  -out /opt/wildfly/standalone/configuration/keystore.p12 \
  -inkey /etc/letsencrypt/live/example.kms.hanzo.ai/privkey.pem \
  -in /etc/letsencrypt/live/example.kms.hanzo.ai/cert.pem \
  -certfile /etc/letsencrypt/live/example.kms.hanzo.ai/chain.pem \
  -passout pass:changeit

# Set permissions
sudo chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore.p12
sudo chmod 600 /opt/wildfly/standalone/configuration/keystore.p12

# Start JBoss/WildFly
sudo systemctl start wildfly

To automate this process, you can create a renewal script. Create /etc/letsencrypt/renewal-hooks/deploy/jboss-renewal.sh:

#!/bin/bash
# JBoss/WildFly certificate renewal hook

DOMAIN="example.kms.hanzo.ai"
KEYSTORE_PATH="/opt/wildfly/standalone/configuration/keystore.p12"
KEYSTORE_PASSWORD="changeit"

# Convert certificate to keystore format
openssl pkcs12 -export \
  -out "$KEYSTORE_PATH" \
  -inkey "/etc/letsencrypt/live/$DOMAIN/privkey.pem" \
  -in "/etc/letsencrypt/live/$DOMAIN/cert.pem" \
  -certfile "/etc/letsencrypt/live/$DOMAIN/chain.pem" \
  -passout "pass:$KEYSTORE_PASSWORD"

# Set permissions
chown wildfly:wildfly "$KEYSTORE_PATH"
chmod 600 "$KEYSTORE_PATH"

# Restart WildFly to load new certificate
systemctl restart wildfly

Make the hook executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/jboss-renewal.sh

Certbot automatically renews certificates when they are within 30 days of expiration using its built-in systemd timer. The deploy hook above will run after each successful renewal, handling the keystore conversion and service restart automatically. Because JBoss/WildFly requires the standalone authenticator (which stops the service temporarily), plan for brief service interruptions during renewal.