Configuring Alternate KeyStores for SSL

Payara Micro Enterprise comes with Keystore files directly embedded within the JAR file.

These can be overridden using the following standard Java SSL system properties:

  • javax.net.ssl.trustStore

  • javax.net.ssl.keyStore

  • javax.net.ssl.trustStorePassword

  • javax.net.ssl.keyStorePassword

When packaging applications into an Uber Jar any keystores specified via system properties will be copied into the uberjar to replace the default internal keystores. However the uber jar will not contain the passwords and these must still be specified via the system properties.
asadmin commands like add-pkcs8 and add-to-keystore are NOT supported in pre-boot and post-boot commands with Payara Micro and Java SSL system properties need to be used to point to the correct stores.

Setting the Key-Pair at Runtime

Since Payara Server 4.1.2.182 and 5.182

The key-pair to use as Payara Micro’s SSL certificate can also be specified using the --sslCert command line option like this:

java -jar payara-micro.jar -sslCert my-custom-alias
The default key-pair name is s1as if not overriden via the command line switch.