Adam Bishop

That did the trick, with a little modification. Looks like there's an additional subsystem been added, not sure if it's new in 20 or a less recent releases - commenting it out in addition to the infinispan module and cache definitions was required: <subsystem xmlns="urn:jboss:domain:distributable-web:2.0" default-session-management="default" default-single-sign-on-management="default"> <infinispan-session-management name="default" cache-container="web" granularity="SESSION"> <primary-owner-affinity/>...

Perfect, not sure how I missed that - must have mistyped something when grepping for 'rsa'. Incidentally, Wildfly 20 seems to work fine - couple of differences: AJP is enabled by default, just needs a listener, something like: /subsystem=undertow/server=default-server/ajp-listener=myListener:add(socket-binding=ajp, scheme=http, enabled=true) It's no longer possible to disable some of the default remoting configuration: /subsystem=infinispan/cache-container=web:remove() { "outcome" => "failed", "failure-description"...

I've set keytype=ECDSA and subtype=P-384 in install.properties. I've inspected the resulting keys and we get an ECDSA root keypair as expected, then tomcat and superadmin keypairs with a SHA256withECDSA signature as expected, but with an RSA2048 key instead. I realise it is technically possible for an RSA certificate to have an ECDSA signature, but I'd prefer to keep things simple documentation wise. Is it possible to change the algorithm used to generate the tomcat/superadmin keys? This is a completely...