Friday, February 8, 2013

Using OpenSSL certificates in JBOSS 7

Recently I ran into a problem moving certificates from Amazon ELB to a JBOSS server. I had a certificate signed by a certificate authority, and it was used successfully on the AWS ELB in front of my JBOSS server. But because of some restrictions on ELB and SSL (there is no "force" HTTPS mode, no passwords on the private key, etc.), I had to move SSL to JBOSS 7. I realized that JBOSS, as a Java server, uses JKS to store certificates, and what I did not want to do was re-create the private key and CSR(s), because that is an additional expense. Here are the ways this can be solved.

Use OpenSSL PEM certificates directly

Actually, JBOSS 7 can work directly with OpenSSL PEM certificates, but only if native IO threading is enabled for the JBOSS web module (native="true" under subsystem xmlns="urn:jboss:domain:web:1.1"). Here is an example of the configuration needed to make it work:

I was not able to find any information or tests proving that JBOSS native threading is better or worse than the default. I did some testing, and my tests show that there is no major difference in latency and CPU usage between the two modes. But there are probably some cases where the default threading is better than native, and if that is your case, then you have to make some changes to the SSL configuration. If the JBOSS web module is running in standard (non-native) mode, you will have to use JKS instead of OpenSSL certificates. Of course you can do that, but what if you (or your company) already have a signed certificate in OpenSSL PEM format? Then you should convert it into a PKCS12 keystore or a JKS (both are supported by JBOSS).

Convert PEM certificates/private keys to PKCS12 keystore format using OpenSSL

Note that you should enter a password when prompted. This is important when converting into JKS. If you also have the CA root certificate, your command should look like this:

If you also have some intermediate certificates, you need to merge them (just concatenate) with the CA root into one file. Your export command will then look like the following:

So now you have keystore.p12, a PKCS12 keystore file which is ready to be used in JBOSS. You can stop here. But if you still want to convert it into JKS, continue reading.

Convert PKCS12 keystore to JKS using keytool

Note that the created JKS keystore should have the same password as the PKCS12 (otherwise JBOSS won't be able to access the private key, which is protected by that password). JBOSS configuration:
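The whole conversion path from the two sections above (PEM key and certificate, plus the CA root and any intermediates concatenated into one chain file, into a PKCS12 keystore with openssl, then into a JKS with keytool using the same password for store and key), as an added shell example that is not code from the original post. The file names, the alias `jboss`, the password `changeit` and the throwaway demo CA and server certificate it generates are all assumptions made for the demo; in real use you would point `pem_to_pkcs12` at your own key, your CA-signed certificate and your chain file, and skip the certificate generation entirely.

```shell
#!/bin/sh
# Added example, not code from the original post. Converts PEM material into a
# PKCS12 keystore with openssl and then into a JKS with keytool, keeping one
# password for the store and the key so JBOSS can unlock the private key.
# Every path, alias and password here is an assumption made for the demo.
set -eu

# Build a PKCS12 keystore from a PEM private key and certificate.
#   $1 private key   $2 server certificate   $3 output .p12
#   $4 key alias     $5 keystore password
#   $6 (optional) one file holding the CA root and any intermediates,
#      concatenated, which openssl stores in the keystore as the chain
pem_to_pkcs12() {
    key="$1"; cert="$2"; out="$3"; alias="$4"; pass="$5"; chain="${6:-}"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name "$alias" -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name "$alias" -out "$out" -passout "pass:$pass"
    fi
}

# Return 0 if the PKCS12 file opens with the password and holds a private key.
pkcs12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Convert PKCS12 -> JKS. The destination store password AND key password are
# both set to the source password: JBOSS uses one password for both and
# cannot read the private key if they differ.
pkcs12_to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$3" -destkeystore "$2" -deststoretype JKS \
        -deststorepass "$3" -destkeypass "$3" -noprompt >/dev/null 2>&1
}

# Return 0 if the JKS opens with the password and contains a PrivateKeyEntry.
jks_has_key() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -q 'PrivateKeyEntry'
}

# Demo: build a throwaway root CA and a server certificate signed by it (both
# constructed here, standing in for the real CA-signed certificate), run both
# conversions and print which steps succeeded.
demo_conversion() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=jboss-demo.example" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" >/dev/null 2>&1
    # The chain file: root plus intermediates concatenated. The demo has only
    # a root, so the chain is just ca.crt.
    cat "$d/ca.crt" > "$d/chain.pem"

    pem_to_pkcs12 "$d/server.key" "$d/server.crt" "$d/keystore.p12" \
        jboss changeit "$d/chain.pem"
    pkcs12_has_key "$d/keystore.p12" changeit || return 1
    status="pkcs12-ok"

    # A wrong password must not open the store; this is exactly the failure
    # JBOSS hits when the JKS password does not match the PKCS12 one.
    if pkcs12_has_key "$d/keystore.p12" wrongpass; then return 1; fi

    # keytool only exists where a JDK is installed, so the JKS step is optional.
    if command -v keytool >/dev/null 2>&1; then
        pkcs12_to_jks "$d/keystore.p12" "$d/keystore.jks" changeit
        jks_has_key "$d/keystore.jks" changeit || return 1
        status="$status jks-ok"
    fi
    rm -rf "$d"
    echo "$status"
}

demo_conversion
```

Running the script prints `pkcs12-ok` on a box with only openssl, and `pkcs12-ok jks-ok` where a JDK's keytool is also on the PATH. The `-passout pass:...` form is used so the demo runs unattended; interactively you would omit it and type the password at the prompt, as the post describes.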