Part of solution for: https://issues.jboss.org/browse/WFLY-9155.

Server has to be able to start after such migration -> with empty keystore password.

—
In WildFly there is required to set keystore-password for truststore even though at least in case of JKS, it is possible to read public certificates even without providing the password.

Does it really make sense to require it?

In regards to migration operation, wouldn't it make sense in case of undefined ca-certificate-password to provide the security-realm truststore configuration default value "changeit" instead of failing the whole migrate operation?