Skip to main content

Documentation Index

Fetch the complete documentation index at: https://infisical.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Set up automatic TLS certificates for your JBoss/WildFly application server using Infisical and Certbot. JBoss/WildFly requires certificates in Java keystore format.
This guide assumes you have an Application with ACME enrollment configured.

Prerequisites

  • A JBoss/WildFly server running on Linux with administrative access
  • An Application in Infisical with ACME enrollment configured
  • Network connectivity from your server to Infisical
  • Port 80 open for HTTP-01 validation
  • Java Development Kit (JDK) installed for keystore management

Guide

1

Get ACME Credentials from Infisical

In your Application, go to the Settings tab and find the Certificate Profiles section. Click Configure on the profile with ACME enrollment, then click Reveal ACME EAB to view the credentials:
CredentialPurpose
ACME Directory URLThe URL Certbot uses to communicate with Infisical
EAB Key Identifier (KID)Identifies your ACME account
EAB SecretAuthenticates your ACME client
Keep your EAB credentials secure. They authenticate your ACME client with Infisical and are unique to each enrollment.
2

Install Certbot

Install Certbot on the server where JBoss/WildFly is running by following the official Certbot installation guide.The installation guide provides up-to-date instructions for various Linux distributions and package managers, ensuring you get the most current version of Certbot.After installation, you can verify that Certbot has been installed correctly by running:
certbot --version
3

Request Certificate Using Certbot

Since JBoss/WildFly doesn’t have a native Certbot plugin, use the standalone authenticator to obtain certificates. Important: You must stop JBoss/WildFly before running this command as Certbot needs to bind to port 80 for the HTTP-01 challenge.Stop your JBoss/WildFly server:
sudo systemctl stop wildfly
# or for older JBoss versions
# sudo systemctl stop jboss
Run the following command to request a certificate from Infisical:
sudo certbot certonly \
  --standalone \
  --server "https://your-infisical-instance.com/api/v1/cert-manager/acme/applications/{application-id}/profiles/{profile-id}/directory" \
  --eab-kid "your-eab-key-identifier" \
  --eab-hmac-key "your-eab-secret" \
  -d example.infisical.com \
  --email admin@example.com \
  --agree-tos \
  --non-interactive
For guidance on each parameter:
  • certonly: Instructs Certbot to request a certificate without modifying your JBoss/WildFly configuration; this mode is recommended because JBoss/WildFly requires certificates in Java keystore format rather than the PEM format that Certbot provides.
  • --standalone: Uses Certbot’s standalone authenticator to solve the HTTP-01 challenge by starting a temporary web server on port 80.
  • --server: The Infisical ACME directory URL from Step 1. This instructs Certbot to communicate with Infisical’s ACME server instead of Let’s Encrypt.
  • --eab-kid: Your External Account Binding (EAB) Key Identifier from Step 1.
  • --eab-hmac-key: The EAB secret associated with the KID from Step 1.
  • -d: Specifies the domain name for which the certificate is being requested.
  • --email: The contact email for expiration notices and account recovery.
  • --agree-tos: Accepts the ACME server’s Terms of Service.
  • --non-interactive: Runs Certbot without prompting for user input (recommended for automation).
The Certbot command generates a private key on your server, creates a Certificate Signing Request (CSR) using that key, and sends the CSR to Infisical for certificate issuance. Certbot stores the private key and resulting leaf certificate and full certificate chain in /etc/letsencrypt/live/{domain-name}/.Because JBoss/WildFly requires certificates in Java keystore format, you’ll need to convert the PEM certificates provided by Certbot in the next step.
4

Convert Certificate to Java Keystore

JBoss/WildFly requires certificates in Java keystore format rather than the PEM format provided by Certbot. Convert the PEM certificates to PKCS#12 format, which is supported by modern JBoss/WildFly versions.Create a PKCS#12 keystore from the PEM files:
sudo openssl pkcs12 -export \
  -out /opt/wildfly/standalone/configuration/keystore.p12 \
  -inkey /etc/letsencrypt/live/example.infisical.com/privkey.pem \
  -in /etc/letsencrypt/live/example.infisical.com/cert.pem \
  -certfile /etc/letsencrypt/live/example.infisical.com/chain.pem \
  -passout pass:changeit
Set appropriate file permissions for security:
sudo chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore.p12
sudo chmod 600 /opt/wildfly/standalone/configuration/keystore.p12
You will need to configure JBoss/WildFly to use the new keystore. This process varies depending on your JBoss/WildFly version and security configuration (legacy security realms vs. Elytron subsystem). Refer to your JBoss/WildFly administration guide for specific SSL/TLS configuration steps.
Replace changeit with a strong password and adjust the WildFly installation path based on your environment. Modern WildFly versions support PKCS#12 keystores directly, while older versions may require conversion to JKS format using the keytool utility.
5

Verify Certificate Installation

After configuring JBoss/WildFly SSL, verify that your certificate was issued correctly and the keystore was created properly.Check that the certificate files were created by Certbot:
sudo ls -la /etc/letsencrypt/live/example.infisical.com/
You should see files like:
  • cert.pem (your certificate)
  • chain.pem (certificate chain)
  • fullchain.pem (certificate + chain)
  • privkey.pem (private key)
Verify the PKCS#12 keystore was created:
sudo ls -la /opt/wildfly/standalone/configuration/keystore.p12
Test the keystore contents (optional):
sudo keytool -list -storetype PKCS12 -keystore /opt/wildfly/standalone/configuration/keystore.p12 -storepass changeit
Once you’ve configured JBoss/WildFly to use the keystore and restarted the service, you can verify HTTPS is working by accessing your application over SSL.
6

Renew Your Certificate with Certbot

Unlike standard web servers, JBoss/WildFly certificate renewal requires additional steps because certificates must be converted to Java keystore format and the application server must be restarted to use the new certificates.To test the renewal process without affecting your live certificates, run the following command:
sudo certbot renew --dry-run
This command simulates the full renewal process without modifying your active certificate. If the dry run succeeds, the renewal mechanism itself will work as expected.For actual renewal, since JBoss/WildFly requires the standalone authenticator, you’ll need to stop the server, perform the renewal, convert the certificate, and restart:
# Stop JBoss/WildFly
sudo systemctl stop wildfly

# Renew the certificate
sudo certbot renew --quiet

# Convert to keystore format
sudo openssl pkcs12 -export \
  -out /opt/wildfly/standalone/configuration/keystore.p12 \
  -inkey /etc/letsencrypt/live/example.infisical.com/privkey.pem \
  -in /etc/letsencrypt/live/example.infisical.com/cert.pem \
  -certfile /etc/letsencrypt/live/example.infisical.com/chain.pem \
  -passout pass:changeit

# Set permissions
sudo chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore.p12
sudo chmod 600 /opt/wildfly/standalone/configuration/keystore.p12

# Start JBoss/WildFly
sudo systemctl start wildfly
To automate this process, you can create a renewal script. Create /etc/letsencrypt/renewal-hooks/deploy/jboss-renewal.sh:
#!/bin/bash
# JBoss/WildFly certificate renewal hook

DOMAIN="example.infisical.com"
KEYSTORE_PATH="/opt/wildfly/standalone/configuration/keystore.p12"
KEYSTORE_PASSWORD="changeit"

# Convert certificate to keystore format
openssl pkcs12 -export \
  -out "$KEYSTORE_PATH" \
  -inkey "/etc/letsencrypt/live/$DOMAIN/privkey.pem" \
  -in "/etc/letsencrypt/live/$DOMAIN/cert.pem" \
  -certfile "/etc/letsencrypt/live/$DOMAIN/chain.pem" \
  -passout "pass:$KEYSTORE_PASSWORD"

# Set permissions
chown wildfly:wildfly "$KEYSTORE_PATH"
chmod 600 "$KEYSTORE_PATH"

# Restart WildFly to load new certificate
systemctl restart wildfly
Make the hook executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/jboss-renewal.sh
Certbot automatically renews certificates when they are within 30 days of expiration using its built-in systemd timer. The deploy hook above will run after each successful renewal, handling the keystore conversion and service restart automatically. Because JBoss/WildFly requires the standalone authenticator (which stops the service temporarily), plan for brief service interruptions during renewal.

What’s Next?

Nginx with Certbot

Set up ACME for Nginx web servers.

Certificate Syncs

Push certificates to cloud destinations.

Alerting

Get notified when certificates are about to expire.

ACME Enrollment

Learn more about ACME enrollment configuration.