
We have several .cer files and import them into the keystore with the keytool command. Now we configure Wildfly 8.x SSL with that keystore. When we start it, we get the following errors:

 22:38:56,992 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.server.controller.management.security_realm.UndertowRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.UndertowRealm.key-manager: WFLYDM0083: The KeyStore /home/demo/mykeystore.jks does not contain any keys.
    at org.jboss.as.domain.management.security.FileKeystore.assertContainsKey(FileKeystore.java:169)
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:120)
    at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:145)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

Any help will be appreciated.

TT.
Li Bin
    From the error message: *The KeyStore /home/demo/mykeystore.jks does not contain any key*. Did you check whether that file contains a key? – TT. Jan 14 '16 at 16:39
  • Could you please help me in more detail? We don't generate any keypair and only import the certificate with the keytool -import -trustcacerts parameters. – Li Bin Jan 15 '16 at 01:38

2 Answers

If you have a signed certificate from a CA, then keytool can't be used to import the private key into the keystore. You need to import the private key using openssl in PKCS12 format and then use keytool to generate the keystore.

Assuming you have the following files available:

  • private-key.pem
  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • YOUR_DOMAIN_com.crt or STAR_YOUR_DOMAIN_com.crt (Signed Cert from CA)

Steps:

    $ cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > ssl-bundle.crt

    $ openssl pkcs12 -export -chain -in STAR_YOUR_DOMAIN_com.crt -inkey private-key.pem -out keystore.p12 -name YOURDOMAIN -CAfile ssl-bundle.crt

Now you can use keytool to import it (the source store type must be given explicitly, otherwise keytool assumes JKS and cannot read the .p12 file):

    $ keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcalias YOURDOMAIN
Rajeev Kumar

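The procedure above, carried through end to end with the checks a practitioner wants before pointing WildFly at the keystore. This is an added example, not code from the answer or from the WildFly project: it builds a throwaway CA and server certificate as a constructed stand-in for the CA-issued files listed above, packages key plus verified chain as PKCS#12, imports that into a Java keystore, and then reproduces by hand the test behind WFLYDM0083 (is there any PrivateKeyEntry?) next to the certificates-only keystore the question describes. It also checks that the private key really belongs to the certificate, which is the failure mode when a commercial certificate is combined with a key generated separately. The password, alias, hostname and working directory are assumptions; openssl must be on PATH, and the keytool steps run only when keytool is present.

```shell
#!/bin/sh
# Added example: PKCS#12 export -> Java keystore import, plus the checks
# WildFly's "does not contain any keys" error calls for. Assumes openssl;
# keytool parts are skipped when keytool is absent.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"     # constructed demo password
ALIAS="example"     # constructed alias (the answer uses YOURDOMAIN)

has_keytool() { command -v keytool >/dev/null 2>&1; }

# Constructed stand-in for the answer's files: throwaway root CA, a server
# key and certificate issued by it, and an unrelated key for the mismatch case.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/private-key.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
  openssl genrsa -out "$WORK/unrelated.key" 2048 2>/dev/null
}

# Steps 1 and 2 of the answer: bundle the CA certificates (here just the
# root) and export key + certificate + verified chain as PKCS#12.
build_p12() {
  cat "$WORK/ca.crt" > "$WORK/ssl-bundle.crt"
  openssl pkcs12 -export -chain -in "$WORK/server.crt" -inkey "$WORK/private-key.pem" \
    -CAfile "$WORK/ssl-bundle.crt" -name "$ALIAS" -out "$WORK/keystore.p12" \
    -passout "pass:$PASS"
}

# Check 1: the PKCS#12 must carry exactly one private key and the chain.
p12_private_keys() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c "BEGIN.*PRIVATE KEY" || true
}
p12_certificates() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c "BEGIN CERTIFICATE" || true
}

# Check 2: the certificate must have been issued for this key (same RSA
# modulus); a certificate from the CA cannot be paired with a key generated
# separately, which is why a separately generated key keeps serving its own
# self-signed certificate to browsers.
key_matches_cert() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1")
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ]
}

# What the question did: certificates only, no key -> WFLYDM0083 at startup.
make_trust_only_jks() {
  rm -f "$WORK/trust-only.jks"
  keytool -importcert -noprompt -trustcacerts -alias ca -file "$WORK/ca.crt" \
    -keystore "$WORK/trust-only.jks" -storepass "$PASS" >/dev/null 2>&1
  keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/server.crt" \
    -keystore "$WORK/trust-only.jks" -storepass "$PASS" >/dev/null 2>&1
}

# Step 3 of the answer: import the PKCS#12 entry into the Java keystore.
import_to_jks() {
  rm -f "$WORK/keystore.jks"
  keytool -importkeystore -noprompt -srckeystore "$WORK/keystore.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -srcalias "$ALIAS" -destkeystore "$WORK/keystore.jks" \
    -deststorepass "$PASS" -destalias "$ALIAS" >/dev/null 2>&1
}

# Check 3: the assertion WildFly's FileKeystore makes, done by hand.
private_key_entries() {
  keytool -list -keystore "$1" -storepass "$PASS" 2>/dev/null | grep -c PrivateKeyEntry || true
}

main() {
  make_demo_chain
  build_p12
  echo "PKCS#12: $(p12_private_keys) private key(s), $(p12_certificates) certificate(s)"
  key_matches_cert "$WORK/server.crt" "$WORK/private-key.pem" && echo "key matches certificate"
  if has_keytool; then
    make_trust_only_jks
    import_to_jks
    echo "PrivateKeyEntry count, certificates only: $(private_key_entries "$WORK/trust-only.jks")"
    echo "PrivateKeyEntry count, after PKCS#12 import: $(private_key_entries "$WORK/keystore.jks")"
  fi
}
main
```

The first count is the one to look at before restarting the server: a keystore listing with only trustedCertEntry lines is exactly the state FileKeystore.assertContainsKey rejects, and no amount of WildFly configuration changes that.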

Please read the link to the Wildfly-8 SSL setup guide. A similar question has been asked on StackOverflow, maybe that can guide you as well. Finally two off-site links here and here that may shed some light on the issue.

You did not include your configuration (the relevant parts) and what steps you took, so it's very hard to say anything other than what I said in my comment.

Basically what you should do:

  • Generate the key, using keytool, OpenSSL, etc. Example using keytool:

        $ keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950

  • Configure WildFly. Example based on the previous:

        <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
          <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"  redirect-port="443" />

          <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
            <ssl name="foo-ssl" password="secret" protocol="TLSv1" key-alias="foo" certificate-key-file="../standalone/configuration/foo.keystore" />
          </connector>
          ...
        </subsystem>

The key generated in the first step should go to the directory configured by certificate-key-file="<path>".

TT.
  • Hi, TT, I believe our configuration for wildfly is fine. The only issue comes from the keystore. If we do "$ keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950" first and then import the commercial cert, the https can work, but a red cross will appear on the "https" letters in the browser address bar. If we do not use "keytool -genkey ..." and directly import the commercial cert, the "not contain any keys" error will be found in the log file. – Li Bin Jan 15 '16 at 10:09
  • @LiBin Elaborate on "import the commercial cert"... what steps are you taking? – TT. Jan 15 '16 at 10:17
  • Yes. Specifically, we follow this one by one : https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/638/37/certificate-installation-java-based-web-servers-tomcat-using-keytool – Li Bin Jan 15 '16 at 12:10