Develop Reference

How to correctly remove / uninstall a cert from Windows machine? Only .dev domain is having problems

I did followed this site to created an unvalidated cert. Now what happened here is that cert is issued to "elliot.dev" and I tried to go to "mmc.exe" and "Disabled all purposed for this cert", and restarted my machine but it is still not work.
When I install that cert, I imported into
Local Machine >> Trusted Root Certification Authorities
and it caused my customized XAMPP local domain "elliot.dev" not working and no longer accessible to http://elliot.dev . Browser redirected me to https://elliot.dev and it is inaccessible as well because of untrust cert SSL error.
How should I completely remove it? Thanks.

After few hours of searching, found that this is because of the .dev domain is force redirected to https by default for most browser Chrome and Firefox. It is legit .dev gTLD and preloaded HSTS for most browsers.
Source:
https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/
https://stackoverflow.com/a/47726962/5802100

To remove a installed certificate, open MMC.exe and find your imported certificate(should be in Certificates/Trusted Root Certification Authorities/Certificates), right click on it, and select Delete.
You are redirected to https://* because you enabled it in your virtual host configurations:
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
SSLEngine on # <--- This line.
SSLCertificateFile "crt/site.test/server.crt"
SSLCertificateKeyFile "crt/site.test/server.key"
</VirtualHost>

Laragon use https on local network

I'm lost with all informations about ssl, https....
Here the story : I build a laravel website at my work hosted on our windows server with laragon. Every computer go to this site with ip of the serveur, i.e. http://192.17.10.168/aurora/public/login
It works only with local computer and we want to keep that privacy (no need outside access).
But now I want to use tools that use https : http/2, progressive app...
How can I use https with that config ?
I succefully add openssl certificat to my aurora.test on serveur but http2 doesn't work, my config :
<VirtualHost *:443>
Protocols h2 http/1.1
DocumentRoot "${DOCROOT}/aurora2/public"
ServerName aurora.test:443
SSLEngine on
SSLCertificateKeyFile C:/laragon/ssl/app.dev.key
SSLCertificateFile C:/laragon/ssl/app.dev.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
I enable module on apache config.
How others local computers can access to my https site with aurora .test ?
Thank for your help !

Windows Apache SSL Configuration not loading page

I am trying to configure Apache SSL on Windows for the first time and I am having some configuration nightmare.
Here is how I generated a crt and key file for a wildcard certificate:
copied openssl.cnf file to Apache24/bin directory and issued the following commands:
openssl req -config openssl.cnf -new -out mycooldomain.csr -keyout mycooldomain.pem
For the common name, I entered *.mycooldomain.com
This generated me the .pem file
Then next command to give me .key file
openssl rsa -in mycooldomain.pem -out mycooldomain.key
The following command generates the .crt file
openssl x509 -sha512 -in mycooldomain.csr -out mycooldomain.crt -req -signkey mycooldomain.key -days 3650
Now I enabled mod_ssl in httpd.conf by removing # in front of it
LoadModule ssl_module modules/mod_ssl.so
I double clicked on crt file to install it in Trusted Root CA and it installed successfully
Here is my virtualhost configurations:
<VirtualHost 127.0.0.1:443>
ServerAdmin name#mycooldomain.org
DocumentRoot "C:\htdocs\coolsites\upgrade"
ServerName upgrade.mycooldomain.com:443
ErrorLog "C:\Apache24\logs\upgrade-mycooldomain-com-error_log"
CustomLog "C:\Apache24\logs\upgrade-mycooldomain-com-access_log" common
SSLEngine on
SSLCertificateFile "C:/Apache24/conf/certificates/mycooldomain.crt"
SSLCertificateKeyFile "C:/Apache24/conf/certificates/mycooldomain.key"
<Directory "C:\htdocs\coolsites\upgrade">
RewriteEngine On
Allow From All
</Directory>
</VirtualHost>
restarted the apache service afterwords
I also checked the firewall for port 443. Since it is local server, Apache is allowed on all tcp and udp ports.
When I try to load the site https://upgrade.mycooldomain.com it just say that it can't load the siite
Any help regarding this is appreciated.
Thanks

Installing HTTPS for my web app in DigitalOcean, `https://XXX.XXX.XXX.XXX` is okay but not with, `https://XXX.XXX.XXX.XXX:1234`

I followed these tutorials.
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04, without the step 5.
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04, without the, "(Recommended) Modify the Unencrypted Virtual Host File to Redirect to HTTPS" part.
I put ServerName server_domain_or_IP with http://XXX.XXX.XXX.XXX:1234.
What I have now.
http://XXX.XXX.XXX.XXX:1234 goes to my web application. I need SSL to access webcam.
https://XXX.XXX.XXX.XXX goes to Apache default screen after warning, which is expected.
https://XXX.XXX.XXX.XXX:1234 goes Chrome error page of This site can’t provide a secure connection.
I need to have access to https://XXX.XXX.XXX.XXX:1234 what went wrong and what should I do?
EDIT, More details.
Fresh install with SSH attached into the droplet (Ubuntu LTS 16.04).
ssh root#xxx:xxx:xxx:xxx.
adduser notalentgeek.
usermod -aG sudo notalentgeek.
su notalentgeek.
Now I am on the newly created user notalentgeek.
Move into "How To Create a Self-Signed SSL Certificate for Apache in Ubuntu 16.04" tutorial.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt.
In the form I put everything as "asd" (any arbitrary thing in my mind, are these matters). Except for "Common Name (e.g. server FQDN or YOUR name) []:" is to ip of xxx:xxx:xxx:xxx.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 and wait for a while.
sudo nano /etc/apache2/conf-available/ssl-params.conf.
Copy paste the settings from the tutorial (StackOverflow code formatting does not working here!).
from https://cipherli.st/
and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Disable preloading HSTS for now. You can use the commented out header line that includes
the "preload" directive if you understand the implications.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak to create backup.
sudo nano /etc/apache2/sites-available/default-ssl.conf.
ServerAdmin asd#asd.com
ServerName xxx:xxx:xxx:xxx
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
sudo ufw app list, adjusting fire wall. I just put whatever codes they put there.
sudo ufw status.
sudo ufw allow 'Apache Full'.
sudo ufw delete allow 'Apache'.
sudo ufw status.
sudo a2enmod ssl.
sudo a2enmod headers.
sudo a2ensite default-ssl.
sudo a2enconf ssl-params.
sudo apache2ctl configtest, there is no warning appeared in my case. But, in the tutorial it may have warning. This command returns, Syntax OK.
Testing server as I mentioned before, https://xxx.xxx.xxx.xxx works, but https://xxx.xxx.xxx.xxx:5000 does not (5000 is my port for Flask.).
sudo nano /etc/apache2/sites-available/000-default.conf
Add Redirect permanent "/" "https://xxx.xxx.xxx.xxx:5000/".
sudo apache2ctl configtest results in Syntax OK.
sudo systemctl restart apache2.
This the launch from my Flask App.
WebSocket transport not available. Install eventlet or gevent and gevent-websocket for improved performance.
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
Going to http://xxx.xxx.xxx.xxx:5000/, where xxx.xxx.xxx.xxx is the IP of DigitalOcean Droplet refer to my web app successfully. But web app needs access to webcam and microphone.
Following other tutorial, https://www.digitalocean.com/community/tutorials/how-to-deploy-a-flask-application-on-an-ubuntu-vps.
sudo apt-get install libapache2-mod-wsgi python-dev.
sudo a2enmod wsgi.
cd /var/www.
sudo mkdir FlaskApp.
cd FlaskApp.
git clone https://github.com/notalentgeek/my_app --depth 1.
cd my_app.
Installing, pip3 and virtualenv. Running from http is still fine!
sudo nano /etc/apache2/sites-available/FlaskApp.conf (formatting also does not working!).
ServerName https://xxx.xxx.xxx.xxx:5000/
ServerAdmin asd#asd.com
WSGIScriptAlias / /var/www/FlaskApp/flaskapp.wsgi
Order allow,deny
Allow from all
Alias /static /var/www/FlaskApp/my_app/static
Order allow,deny
Allow from all
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
sudo a2ensite FlaskApp.
cd /var/www/FlaskApp.
sudo nano flaskapp.wsgi.
sudo service apache2 restart, the tutorial says that would be a warning message. but I did not get any.
sudo python3 -B my_app.py results in these.
WebSocket transport not available. Install eventlet or gevent and gevent-websocket for improved performance.
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
In http all work but not https.
Some of the codes has ## make the indent-to-code in StackOverflow does not working. Here is the raw from PasteBin, https://pastebin.com/iShsHjCX.

This thing solved me, can you add HTTPS functionality to a python flask web server?. It is more in the Flask side rather than anything else.

Setting up SSL in domain mode mod_cluster JBOSS AS7

I am trying to setup SSL in Jboss domain mode cluster following instructions at domain mode cluster.
Now I need to run these cluster nodes in SSL. I have added following configuration in domain.xml that allows me to run each cluster in domain mode on SSL. If I have two nodes running with offset of 100 and 200 then I can access application separately at 8543 and 8643 on https as default port for jboss SSL is 8443.
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="443"/>
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
<ssl name="ssl" password="mypassword" certificate-key-file="<path to truststore file>/jbossHttps.keystore" protocol="TLSv1" verify-client="true"/>
</connector>
There are few suggestions related to adding system properties and I have done that too.
<system-properties>
<property name="javax.net.ssl.trustStore" value="<path to truststore file>"/>
</system-properties>
Problem is I am looking to run my application over HTTPS using mod_cluster so as to access application as https://myapplication/
What additional configuration changes I am missing here?

Finally after hours of searching there is no single document/source of information available. Finally following detailed steps helped configure mod_cluster + ssl + jboss7.x
Generate server certificate
Note: If you already have certificate created then this section can be ignored.
Generate Private Key on the Server Running Apache + mod_ssl
First, generate a private key on the Linux server that runs Apache webserver using openssl command as shown below.
[root#s4-app-dev jbossuser]# mkdir /etc/httpd/conf/certs
[root#s4-app-dev jbossuser]# openssl genrsa -des3 -out www.xyz.com.key 1024
Generate a Certificate Signing Request (CSR)
Using the key generate above, you should generate a certificate request file (csr) using openssl as shown below.
[root#s4-app-dev jbossuser]# openssl req -new -key www.xyz.com.key -out www.xyz.com.csr
Generate a Self-Signed SSL Certificate
For testing purpose, you can generate a self-signed SSL certificate that is valid for 1 year using openssl command as shown below.
[root#s4-app-dev jbossuser]# openssl x509 -req -days 365 -in www.xyz.com.csr -signkey www.xyz.com.key -out www.xyz.com.crt
Apache SSL configuration
If you already have mod_cluster configured to listen to port 80 then remove that virtual host entry and make following configuration. Create ssl.conf as following.
[root#s4-app-dev jbossuser]# vi /etc/httpd/conf.d/ssl.conf
This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module modules/mod_ssl.so
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 1.1.1.1:443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/conf/certs/www.xyz.com.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/certs/www.xyz.com.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so
NameVirtualHost 1.1.1.1:443
MemManagerFile /var/cache/httpd
<VirtualHost 1.1.1.1:443>
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Order deny,allow
Allow from all
</Location>
KeepAliveTimeout 60
MaxKeepAliveRequests 0
ManagerBalancerName testcluster
AdvertiseFrequency 5
DocumentRoot "/var/www/html"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/conf/certs/www.xyz.com.crt
SSLCertificateKeyFile /etc/httpd/conf/certs/www.xyz.com.key
SSLCertificateChainFile /etc/httpd/conf/certs/www.xyz.com.crt
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<Directory "/var/www/html">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Once these changes have been made you should be able to reach to Apache over SSL [https://1.1.1.1/][1]
Upgrade Jboss for mod_cluster and SSL
The Jboss 7.1.1.Final doesn’t work with mod_cluster and SSL configuration. It basically ignores the certificate configuration to SSL of mod_cluster. We need to upgrade to higher Jboss such as
Download higher source tag from Git https://github.com/jbossas/jboss-as/tree/7.1.3.Final
If you already have Maven 3 installed
$ mvn install
If you don't have Maven 3
$ ./build.sh
Creating self-signed certificates using KeyTool
Generating the key pair into a keystore (JKS), for RSA:
[root#s4-app-dev jbossuser]# keytool -genkey -keyalg RSA -keysize 2048 -keystore xyz_keystore.jks -alias xyz
Import server certificate into keystore
[root#s4-app-dev jbossuser]# keytool -import -alias xyz -file /etc/httpd/conf/certs/www.xyz.com.crt -storetype JKS -keystore /home/jboss-as-7.1.1.final/keystore/xyz_keystore.jks
To list keystore content
[root#s4-app-dev jbossuser]# keytool -list -keystore /home/jboss-as-7.1.1.final/keystore/xyz_keystore.jks
Jboss mod_cluster ssl configuration
In domain.xml add system properties for truststore and password.
<property name="javax.net.ssl.trustStore" value="<path to keystore>/keystore/xyz_keystore.jks"/>
<property name="javax.net.ssl.trustStorePassword" value="xyzmanish"/>
Modify mod_cluster subsystem to now listen to 444 and use keystore that we configured.
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
<mod-cluster-config advertise-socket="modcluster" connector="ajp" proxy-list="1.1.1.1:443" advertise-security-key="xyzmanish">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
<!-- SSL/TLS configuration for mod_cluster advertise-security-key -->
<ssl password="xyzmanish" key-alias="xyz" ca-certificate-file="<path to key store>/keystore/xyz_keystore.jks" certificate-key-file="<path to key store>/keystore/xyz_keystore.jks" cipher-suite="ALL" protocol="TLSv1"/>
</mod-cluster-config>
</subsystem>>
Once you make this changes restart the JBOSS server and try to access your application via Apache over SSL.