Creating SSL Keys and Certificates Using OpenSSL

If you plan to use the Apache Portable Runtime for Tomcat/JBoss with SSL, you have to use the OpenSSL cryptographic library to create the server’s private key, and if needed, a self-signed certificate.

1) Download OpenSSL for Windows. Choose the zip file for “Binaries”. Unzip it to your Programs folder.

2) Create a configuration file (openssl.cnf) for OpenSSL and save it in the OpenSSL folder. You can use this sample.

3) Create a private key for the server. From a command prompt, change directory to the \bin folder of OpenSSL and run a command such as this:
openssl genrsa -out C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem 1024
The command creates a 1,024-bit RSA key and saves it in the file rsa-private-key.pem.

Verify the private key with the command:
openssl rsa -check -in C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem

4) Create a self-signed certificate valid for 10 years. Use a command such as this:
openssl req -config C:\Programs\openssl-0.9.8h-1-bin\openssl.cnf -new -x509 -nodes -sha1 -days 3650 -key C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem -out C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem

You will be prompted for several responses. The most important one is the full DNS name of the server (eg: ). The -nodes argument causes the private key to be written unencrypted.

Once complete, verify the self-signed certificate with a command such as this:
openssl x509 -noout -subject -issuer -enddate -in C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem
In the output:
– the “subject” field’s value should be the full name of the server
– the “issuer” field’s value should also be the full name of the server since this is a self-signed certificate
– the “notAfter” field’s value will be the expiry date of the certificate (10 years from the date of its creation)

More OpenSSL commands available here.

5) Edit %JBOSS_HOME%\server\<jboss_configuration_name>\deploy\jboss-web.deployer\server.xml

6) Make sure that the APR Listener’s SSLEngine attribute is set to “on”

7) Uncomment the SSL HTTP/1.1 Connector

8) Change the protocol to org.apache.coyote.http11.Http11AprProtocol

9) Add two additional attributes to the Connector, SSLCertificateKeyFile and SSLCertificateFile (these paths would be different for you).

10) Save server.xml and re-start JBoss
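Putting steps 5 through 9 together, this is what the relevant part of server.xml looks like after editing. It is an added example, not a fragment from the original post; it assumes port 8443, the ${jboss.bind.address} binding from the stock JBoss server.xml, and the key and certificate paths used in steps 3 and 4.

```xml
<Server>
  <!-- Step 6: the APR listener must have SSLEngine="on"; without it the
       native SSL attributes on the Connector below are ignored. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />

  <Service name="jboss.web">
    <!-- Steps 7-9: the SSL connector, uncommented, switched to the APR
         protocol and pointed at the PEM files from steps 3 and 4.
         Port 8443 and the two file paths are assumptions for this example. -->
    <Connector port="8443" address="${jboss.bind.address}"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false"
               SSLCertificateFile="C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem"
               SSLCertificateKeyFile="C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem" />

    <Engine name="jboss.web" defaultHost="localhost">
      <Host name="localhost" />
    </Engine>
  </Service>
</Server>
```

If the native APR library (JBoss Native / Tomcat Native) is not installed, the connector silently falls back to the pure-Java implementation, which expects keystoreFile/keystorePass attributes instead of the PEM files, so a "cannot find .keystore" error at startup usually means the native library is missing rather than that server.xml is wrong.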

11) Make sure that you can now connect to the LiveCycle AdminUI
The browser will warn that the certificate is self-signed.

Test connecting to the server using SSL from a command line with this command:
openssl s_client -showcerts -connect
Ctrl-C will terminate the connection and return you to the command prompt.


3 Responses to Creating SSL Keys and Certificates Using OpenSSL

  1. Mike says:

    Hi, I tried this way but my JBoss server can’t start: it says it can’t find the file .keystore: any idea?

  2. Mike says:

    Resolved by installing JBoss Native 10.

  3. shravan says:

    How to generate an RSA key pair? I need to use the public key and private key for login authentication. If the private key encrypts the password data, the public key should decrypt the same password. How to develop this in C++ or MFC?

    Help me out, I am very thankful.