Can not find keys in keystore when configuring wildfly

Question

We have several .cer files and import into the keystore with keytool command. Now we configure the Wildfly 8.x SSL with that keystore. When to start, we get the following errors:

 22:38:56,992 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.server.controller.management.security_realm.UndertowRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.UndertowRealm.key-manager: WFLYDM0083: The KeyStore /home/demo/mykeystore.jks does not contain any keys.
    at org.jboss.as.domain.management.security.FileKeystore.assertContainsKey(FileKeystore.java:169)
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:120)
    at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:145)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

Any help will be appreciated.

Answer 1

If you have signed certificate from CA, then keytool can't be used to import private key to keystore. You need to import private.key using openssl in PKCS12 format & then use keytool to generate keystore.

Assuming you have following files available

• private-key.pem
• AddTrustExternalCARoot.crt
• COMODORSAAddTrustCA.crt
• COMODORSADomainValidationSecureServerCA.crt
• YOUR_DOMAIN_com.crt or STAR_YOUR_DOMAIN_com.crt (Signed Cert from CA)

Steps:

$cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > ssl-bundle.crt

$openssl pkcs12 -export -chain -in STAR_YOUR_DOMAIN_com.crt -inkey 
 private-key.pem -out keystore.p12 -name YOURDOMAIN -CAfile ssl-bundle.crt

Now you can use keytool to import

$keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -alias YOURDOMAIN

Answer 2

Please read the link to the Wildfly-8 SSL setup guide. A similar question has been asked on StackOverflow, maybe that can guide you as well. Finally two off-site links here and here that may shed some light on the issue.

You did not include your configuration (the relevant parts) and what steps you took, so it's very hard to say anything other than what I said in my comment.

Basically what you should do:

• Generate the key. Using keytool, OpenSSL, .... Example using keytool: $ keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950

• Configure WildFly. Example based on the previous:

---

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"  redirect-port="443" />

  <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="foo-ssl" password="secret" protocol="TLSv1" key-alias="foo" certificate-key-file="../standalone/configuration/foo.keystore" />
  </connector>
  ...
</subsystem>

The key generated in the first step should go to the directory configured by certificate-key-file="<path>".