Darran Lofthouse created WFCORE-5238:
----------------------------------------
Summary: The Elytron applicationKS uses a different type to the legacy realm.
Key: WFCORE-5238
URL: https://issues.redhat.com/browse/WFCORE-5238
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 14.0.0.Beta5
The legacy security realm can automatically generate a JKS keystore based on the following
configuration:
{code:java}
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="application.keystore"
                      relative-to="jboss.server.config.dir" keystore-password="password"
                      alias="server" key-password="password"
                      generate-self-signed-certificate-host="localhost"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*"
               skip-group-loading="true"/>
        <properties path="application-users.properties"
                    relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties"
                    relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
{code}
The Elytron subsystem can also generate one but is configured to use PKCS#12:
{code:java}
<tls>
    <key-stores>
        <key-store name="applicationKS">
            <credential-reference clear-text="password"/>
            <implementation type="PKCS12"/>
            <file path="application.keystore"
                  relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="applicationKM"
                     key-store="applicationKS"
                     generate-self-signed-certificate-host="localhost">
            <credential-reference clear-text="password"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="applicationSSC"
                            key-manager="applicationKM"/>
    </server-ssl-contexts>
</tls>
{code}
PKCS#12 would be the better option for the future, but as this KeyStore definition is
potentially reusing an existing generated KeyStore, we will need to drop back to JKS.
--
This message was sent by Atlassian Jira
(v8.13.1#813001)
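An added check, not part of this issue or of WildFly, for catching the mismatch the issue describes before the server tries to open the store: it reads the `implementation type` declared for a named Elytron `<key-store>` and compares it with the format the file on disk actually has (JKS and JCEKS are recognised by their 4-byte magic, PKCS#12 by its DER PFX header). The XML is the issue's own snippet; the keystore bytes are constructed headers, not real stores.

```python
"""Compare an Elytron key-store's declared type with the on-disk file format."""
import xml.etree.ElementTree as ET

# JKS and JCEKS open with a fixed magic; PKCS#12 is DER, so the file opens
# with a SEQUENCE (0x30) whose first element is the INTEGER version 3.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
JCEKS_MAGIC = b"\xce\xce\xce\xce"


def detect_keystore_format(data: bytes) -> str:
    """Return JKS, JCEKS, PKCS12 or UNKNOWN from the first bytes of a file."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if len(data) >= 2 and data[:1] == b"\x30":
        # Skip the SEQUENCE tag and its length (short or long form), then
        # expect the PFX version INTEGER 3, encoded as 02 01 03.
        length_byte = data[1]
        body = 2 + ((length_byte & 0x7F) if length_byte >= 0x80 else 0)
        if data[body:body + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "UNKNOWN"


def configured_keystore_type(elytron_xml: str, key_store_name: str) -> str:
    """Read <implementation type="..."/> of the named key-store; UNSPECIFIED
    when the element is absent (no default is assumed here)."""
    for ks in ET.fromstring(elytron_xml).iter("key-store"):
        if ks.get("name") == key_store_name:
            impl = ks.find("implementation")
            return impl.get("type", "UNSPECIFIED").upper() if impl is not None else "UNSPECIFIED"
    raise KeyError(key_store_name)


def keystore_matches_config(elytron_xml: str, key_store_name: str, file_bytes: bytes):
    """Return (configured type, detected type, whether they agree)."""
    configured = configured_keystore_type(elytron_xml, key_store_name)
    actual = detect_keystore_format(file_bytes)
    return configured, actual, configured == actual


# The issue's Elytron snippet, reduced to the key-store definition.
ELYTRON_TLS = """<tls><key-stores>
  <key-store name="applicationKS">
    <credential-reference clear-text="password"/>
    <implementation type="PKCS12"/>
    <file path="application.keystore" relative-to="jboss.server.config.dir"/>
  </key-store></key-stores></tls>"""

# Constructed headers: an empty JKS store (magic, version 2, zero entries) as the
# legacy realm would leave behind, and the opening bytes of a PKCS#12 PFX.
LEGACY_JKS_FILE = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x00"
PKCS12_FILE = b"\x30\x82\x0a\x2c" + b"\x02\x01\x03" + b"\x30\x82\x09\xf2"
```

Run against an existing `application.keystore` left by the legacy realm, the check reports `("PKCS12", "JKS", False)`, which is exactly the situation the issue resolves by dropping the Elytron definition back to JKS.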