
Is it possible to configure WildFly/Undertow to access an X.509 certificate located in the Windows certificate store instead of a file representing the keystore, like:

<server-identities>
    <ssl protocol="...">
        <keystore path="name-of-the-certificate"
                  relative-to="jboss-module-which-can-access-to-the-windows-certificate-store"
                  keystore-password="..." alias="..." key-password="..." />
    </ssl>
</server-identities>

b. o.

2 Answers


It really depends on the JVM you are running on. You need to configure the security provider to one that your JVM supports for working with the Windows keystore. In the case of Oracle JDK / OpenJDK you can find the list of providers here.

An example configuration could be:

<keystore provider="SunMSCAPI" path="name-of-key-in-ms-keystore" .../>

But it really depends on the JVM you are running and other factors.

Tomaz Cerar
  • Would someone be willing to post a working standalone.xml snippet with SunMSCAPI? I have a config which is allowed by the CLI but doesn't generate any errors. – amhest Feb 09 '22 at 23:28

Since we were stuck with an older version of WildFly (10) and this solution did not work as intended, we checked the source code of the different providers.

It will only change from the file provider to another provider when the path is not set. Also, it only sends one parameter to the Java KeyStore component, which does not allow the combined usage of SunMSCAPI and WINDOWS-MY (for example).

In the end, it works like this (keystore-password cannot be omitted):

<keystore provider="WINDOWS-MY" keystore-password="thisisnotneededbutrequired"/>

It will use the first certificate that has a private key in that storage.

P. Ekin
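Both answers above leave one thing unverified: which entry in the Windows store the server will actually end up with. The first answer points at the SunMSCAPI provider, the second observes that WildFly 10 takes the first certificate that has a private key. The following probe is an added example (not code from either answer, and not WildFly's own code) that opens the same "Windows-MY" store through SunMSCAPI, lists every alias with whether it carries a private key, and reports the alias WildFly would pick under the second answer's description. It assumes a Windows JDK that ships the SunMSCAPI provider (Oracle JDK / OpenJDK), and the `firstKeyEntryAlias` helper is this example's own name for "first alias with a private key in enumeration order"; that order matching WildFly's is an assumption taken from the answer, not something the provider guarantees.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Probe for the Windows certificate store as seen through the SunMSCAPI provider.
 * Added example: not part of the original question or answers.
 */
public class WindowsMyProbe {

    /** Opens the current user's personal ("MY") store. No file and no password are involved:
     *  the store is backed by the OS, so load() is called with nulls. */
    static KeyStore openWindowsMy() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        return ks;
    }

    /** Aliases that have a private key behind them, in the order the provider enumerates them.
     *  Certificate-only entries (isKeyEntry == false) are unusable as a TLS server identity. */
    static List<String> keyEntryAliases(KeyStore ks) throws KeyStoreException {
        List<String> result = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                result.add(alias);
            }
        }
        return result;
    }

    /** Mirrors the behaviour the second answer describes for WildFly 10: the first entry with a
     *  private key wins. Assumption: WildFly walks aliases() in the same order we do here.
     *  Returns null when the store has no usable identity at all. */
    static String firstKeyEntryAlias(KeyStore ks) throws KeyStoreException {
        List<String> keyed = keyEntryAliases(ks);
        return keyed.isEmpty() ? null : keyed.get(0);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = openWindowsMy();
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s%n  subject     : %s%n  private key : %s%n  not after   : %s%n",
                    alias,
                    cert.getSubjectX500Principal(),
                    ks.isKeyEntry(alias),
                    cert.getNotAfter());
        }
        String chosen = firstKeyEntryAlias(ks);
        System.out.println(chosen == null
                ? "no entry with a private key: the server identity would fail to load"
                : "entry WildFly 10 would select (per the second answer): " + chosen);
    }
}
```

Run it with the same JDK the server uses and under the same Windows account the WildFly service runs as: "Windows-MY" is the per-user store, so a certificate imported while logged in as an administrator is invisible to a service running as a different user. If the probe lists more than one key entry and the first one is not the certificate you intend to serve, that is exactly the situation the second answer's "first certificate that has a private key" remark warns about; removing or moving the unwanted entries is the only control the configuration shown there gives you. On JDK 17 and later, SunMSCAPI also exposes the machine-wide store as "Windows-MY-LOCALMACHINE", which is the more natural home for a service's certificate.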