While the underlying software may support this, it’s a use case that hasn’t yet been important enough to someone in the JMRI community to make sure the configuration works, is documented, etc.

If you want to provide TLS based communications to a JMRI server, I suggest using Apache or nginx as a reverse proxy configuration so that the TLS is handled by the software that clearly supports it, and let JMRI do its thing without having to muck about with TLS/certificates/etc. ? Your reverse proxy config would use HTTP (instead of HTTPS) to talk to JMRI, and only the reverse proxy server is accessible to the world at large, keeping JMRI istside your private network space.

david d zuhn