Adobe Experience Manager Sites & More

That is correct, it doesn't change.

Honestly I don't care much about the port, it was meant as a simple test.

However I do care about the key alias. And most importantly, after a lot of testing it seems to me that aem completely ignores the supplied key alias and just picks one from the keystore. The only "solution" I've found to this is to delete the key that is currently being picked so that it will pick another. I believe this is usually not a problem, because keystores tend to be local and have a single key, but since I'm integrating with an HSM it has many keys which I obviously can't arbitrarily delete.

I believe this to be a very serious bug. Is this the proper channel to report it?

Note: parameters as the keystore path & keystore password do work as expected and are reloaded immediately after being modified.

That is strange. I've played with this 2 months back on 6.1 with no issues. Can you check if there is a random node created under this path /system/sling/installer/jcr/pauseInstallation? If this path is clean, can you try configuring ssl from the console "Apache Felix Jetty Based Http Service"

Thanks a lot for your suggestion. I tried it and here are my findings:

- Nothing under /system/sling/installer/jcr/pauseInstallation

- Changing using it through the OSGI console as suggested did work for the port and it changed and worked even without a restart.

- As I've read elsewhere changing the values through the OSGI console destroyed my properties structure and generated a single entry (/apps/system/config.author/org.apache.felix.http.config) with content like:

# Configuration created by Apache Sling JCR Installer
org.apache.felix.http.session.timeout=I"0"
org.apache.felix.https.keystore.password="123456"

etc...

Not a problem in this case, but something to be mindful about.

- And most importantly it generated a key for "org.apache.felix.https.keystore.key.password", BUT not for "org.apache.felix.https.keystore.key". To me this suggests that AEM is simply iterating the keystore for a key that it can access and once it founds one it just uses it. The alias (as specified in https://docs.adobe.com/docs/en/aem/6-1/deploy/configuring/config-ssl.html & felix documentation) is simply ignored. My testing matches this assumption. Can anyone at adobe confirm this? 

Just finished some extra testing.

My conclusion is that the HTTPS configuration works as long as there's only one key in the keystore. Just adding an extra keys breaks it.

BTW this is AEM 6.1

THis is good information - can you post the steps that you did so community can try and reproduce. 

Yes, it's actually very simple.

First configure HTTPS following this: https://docs.adobe.com/docs/en/aem/6-1/deploy/configuring/config-ssl.html

After it works just add an extra key to the keystore, for example: 

$ keytool -genkeypair -keyalg RSA -validity 3650 -alias test111.com -keystore ssl/aem.keystore  -keypass 111111 -storepass 123456 -dname "CN=test111.com, OU=Group Name, O=Company Name,L=City Name, S=State, C=AU"

Restart AEM.

Then it doesn't work anymore.

I am checking into this. Its either a product bug or a doc bug. If only 1 key is suppose to be used - then the docs should state that. Thank you for your feedback.