Where are the crt and key files?


SA

Jun 5, 2021, 4:13:50 AM
to WildFly
Where are the .KEY and .CRT files located for the automatically renewed SSL certificate obtained via the built-in Elytron LetsEncrypt wizard? When I used the wizard I had also set mydomain.com, www.mydomain.com, mail.mydomain.com and would prefer to reference this certificate in the postfix/dovecot TLS configuration.

Thanks in advance.

Farah Juma

Jun 7, 2021, 11:07:41 AM
to WildFly
The key and certificate are stored in the keystore that was used to obtain the certificate. 

For example, if the following command was used to obtain the certificate, then the key and certificate would be stored in the file that backs the serverKS key-store under the alias server:

/subsystem=elytron/key-store=serverKS:obtain-certificate(alias=server,domain-names=[www.example.org],certificate-authority-account=myLetsEncryptAccount,agree-to-terms-of-service)

If you need to export the certificate to a .crt file, the following command could be used:

/subsystem=elytron/key-store=serverKS:export-certificate(alias=server, path=YOUR_PATH)

SA

Jun 8, 2021, 5:20:20 PM
to WildFly
Hello, I tried this and get the following error:

{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: java.io.FileNotFoundException: /etc/ssl/certs/letsencrypt.crt (Permission denied)",
    "rolled-back" => true
}


Farah Juma

Jun 9, 2021, 4:58:07 PM
to WildFly
WildFly needs to be able to create the file specified in the `path` attribute. 

The error indicates that WildFly doesn't have permission to create a file in the /etc/ssl/certs/letsencrypt directory.

SA

Jun 10, 2021, 6:06:55 PM
to WildFly
Thanks. When I run the export command, is it exporting a combined cert & key? Or do I have to do something else for the key?

Farah Juma

Jun 11, 2021, 10:06:30 AM
to SA, WildFly
The export-certificate command only exports the certificate. To export the private key, you'd need to use the keystore file directly. As an example, if you created your server key-store resource like this:

/subsystem=elytron/key-store=serverKS:add(path=server.keystore.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=JKS)

You'd then need to use tools like keytool and openssl to export the private key using the server.keystore.jks file. An example of how to export a private key from a JKS keystore can be found here:
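
Added example, not part of the thread and not WildFly's own tooling: the keytool-then-openssl route described in the last reply, as a shell function that writes a PEM key and certificate file of the kind postfix/dovecot reference. The output file names, the STOREPASS environment variable, and a key password equal to the keystore password are assumptions.

```shell
#!/bin/sh
# Added example: turn one alias of the Elytron-backed JKS keystore into PEM files.
# Assumptions (not from the thread): the output file names, the STOREPASS
# environment variable, and a key password equal to the store password.

# export_pem KEYSTORE ALIAS OUTDIR
# The body runs in a subshell, so umask and variables do not leak to the caller.
export_pem() (
    ks=$1 entry=$2 out=$3
    : "${STOREPASS:?set STOREPASS to the keystore password}"
    export STOREPASS              # read via :env / env: so it stays out of argv
    umask 077                     # key files are created owner-only
    mkdir -p "$out" || exit 1
    p12="$out/$entry.p12"
    rm -f "$p12"

    # 1. openssl cannot read JKS, so copy the entry into a PKCS#12 file first.
    keytool -importkeystore -noprompt \
        -srckeystore "$ks" -srcstoretype JKS -srcalias "$entry" \
        -srcstorepass:env STOREPASS \
        -destkeystore "$p12" -deststoretype PKCS12 \
        -deststorepass:env STOREPASS || exit 1

    # 2. Private key as unencrypted PEM. (OpenSSL 3 may need -legacy for
    #    PKCS#12 files written by older JDKs.)
    openssl pkcs12 -in "$p12" -passin env:STOREPASS -nocerts -nodes |
        openssl pkey -out "$out/$entry.key" || exit 1

    # 3. Certificate(s) for the alias, with the bag-attribute text stripped.
    openssl pkcs12 -in "$p12" -passin env:STOREPASS -nokeys |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$out/$entry.crt" || exit 1
    rm -f "$p12"                  # the intermediate copy also holds the key

    # 4. Report success only if the key matches the first certificate.
    key_pub=$(openssl pkey -in "$out/$entry.key" -pubout) || exit 1
    crt_pub=$(openssl x509 -in "$out/$entry.crt" -noout -pubkey) || exit 1
    [ "$key_pub" = "$crt_pub" ]
)
```

Because the certificate is renewed inside the keystore, the PEM files go stale after each renewal and the function has to be run again before the mail services are reloaded.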

