CA Identity Suite Virtual Appliance replacing self-signed certs

Document ID : KB000093224
Last Modified Date : 27/04/2018
Issue:
We would like to replace the self-signed certificates for Identity Manager on the Virtual Appliance. When replacing the certificate and private key in the suggested folder 

/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/ 

we receive the following error:

2018-02-02 19:30:06,222 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.server.controller.management.security_realm.WebSslRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.WebSslRealm.key-manager: JBAS015229: Unable to start service
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154) 
at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119) 
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] 
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] 
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_71] 
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_71] 
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_71] 
Caused by: java.io.IOException: Invalid keystore format 
Environment:
CA Identity Suite 14.1 CP2 (minimum)
Cause:
The Virtual Appliance expects a Java keystore in the location of the out-of-the-box (OOTB) self-signed certificates, not a separate certificate file and private key.
Resolution:
To resolve this, import the certificate and the private key into a Java keystore. Then place the keystore in /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/ and restart the service. After this restart, the service should start without error.

The service is looking for a JKS. Once this is created with the signed certificate and the private key, you should not experience any issues.
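
One way to build and check the keystore described above, as an added example that is not part of the original article or a vendor-supplied script. The function names, the file names, the alias and the STOREPASS variable are assumptions; the article does not state the keystore file name or alias the appliance expects, so take those from the existing files in the folder.

```shell
#!/bin/sh
# Added example, not vendor code. File names, the alias and STOREPASS
# are placeholders chosen for illustration.

# Classify a file by its first four bytes. A PEM certificate or key placed
# where a JKS is expected is what produces "Invalid keystore format".
keystore_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;      # JKS magic number 0xFEEDFEED
        2d2d2d2d) echo pem ;;      # "-----BEGIN ..." text, not a keystore
        30*)      echo der ;;      # ASN.1 SEQUENCE: PKCS#12 or DER certificate
        *)        echo unknown ;;
    esac
}

# Build a JKS from a PEM certificate and its PEM private key.
# Usage: STOREPASS=... build_jks cert.pem key.pem <alias> out.jks
build_jks() {
    cert=$1; key=$2; name=$3; out=$4
    [ -n "${STOREPASS:-}" ] || { echo "set STOREPASS first" >&2; return 1; }
    export STOREPASS               # read via env: so it never appears in argv
    tmp=$(mktemp) || return 1      # intermediate PKCS#12 bundle, mode 600
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$name" \
        -out "$tmp" -passout env:STOREPASS || { rm -f "$tmp"; return 1; }
    rc=0
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -destkeystore "$out" -deststoretype JKS \
        -deststorepass:env STOREPASS || rc=$?
    rm -f "$tmp"                   # the bundle holds the private key
    [ "$rc" -eq 0 ] || return "$rc"
    chmod 600 "$out"               # keystore contains the private key
    [ "$(keystore_format "$out")" = jks ]
}
```

Running keystore_format on the file in /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/ before restarting the service shows whether it is a JKS or still a PEM file.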