
How do I install SSL on Glassfish server

The following steps will help you install an SSL certificate on a Glassfish web server, which is a free community edition web server from Sun Microsystems.

a. Generating private key using keytool

This step creates a private key pair stored in a file named “keystore.jks”, encrypted with a password. The private key is associated with certain information about what the SSL certificate is issued for.

#keytool -keysize 2048 -genkey -alias s1as -keyalg RSA -dname "CN=*,O=Myorganization,L=city,S=state,C=country" -keypass changeit -storepass changeit -keystore keystore.jks

NB : Do not change the keystore password to anything other than “changeit”. The Glassfish server won’t accept it if it is changed. 🙂

dname : the collection of data that must be filled out.
CN : Obviously it should be “”. Here I use a wildcard SSL certificate, which requires the prefix “*.” in front of the domain name.
O : Your company name
L : Locality
S : State
C : Country
keypass : password to decrypt the private key
storepass : password required for any operation on the keys stored in the keystore file
keystore : path where the keystore file is saved

You may verify the private key contents

#keytool -list -v -alias s1as -keystore keystore.jks

[root@ ssl]# keytool -list -v -alias s1as -keystore keystore.jks -storepass changeit
Alias name: s1as
Creation date: Feb 12, 2012
Entry type: keyEntry
Certificate chain length: 4
Owner: CN=*, OU=Domain Control Validated, O=*
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=, O=", Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 4b7ced4e2689be
Valid from: Sun Feb 12 03:24:00 EST 2012 until: Tue Mar 03 01:58:49 EST 2015
Certificate fingerprints:
         MD5:  A1:78:A0:17:E8:89:2E:3E:81:3A:25:EE
         SHA1: B0:65:99:15:53:4A:D0:49:D4:F2:6B:93:D4:E3:DC:75:CA
Owner: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=, O=", Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial number: 301

Now we have a private key; next we need to generate a CSR (Certificate Signing Request) to send to the CA.

Here is the step to create the CSR:

#keytool -certreq -alias s1as -keystore keystore.jks -storepass changeit -keypass changeit -file

Now you have a new file “. Open it in vi, then copy and paste its contents into the Godaddy CSR form. The new SSL certificate will be issued once the domain owner verification process has completed.

Then download the SSL certificate for Tomcat web server from the Godaddy cert download manager.

Download and extract it into the same folder where the CSR was generated. My file structure is shown below.

[root@fc-web01LA ssl]# ls -lt
total 72
-rw-r--r-- 1 root root 8640 Feb 12 03:36 keystore.jks
-rw-r--r-- 1 root root 1935 Feb 12 03:30
-rw-r--r-- 1 root root 4604 Feb 12 03:30 gd_bundle.crt
-rw-r--r-- 1 root root 1789 Feb 12 03:30 gd_cross_intermediate.crt
-rw-r--r-- 1 root root 1749 Feb 12 03:30 gd_intermediate.crt
drwxr-xr-x 2 root root 4096 Feb 12 03:27
-rw-r--r-- 1 root root 1011 Feb 12 03:21
[root@fc-web01LA ssl]#

Now you have all the files needed to install the SSL certificate. I would recommend making a copy of your private key jks file before importing certificates into it.

 #cp keystore.jks keystore.jks_backup

First you need to download the “valicert_class2” root certificate from the Godaddy repository.

a. Import the root certificate into the Glassfish keystore

#keytool -import -alias root -keystore keystore.jks -trustcacerts -file valicert_class2_root.crt

If you get an error message saying something like “certificate already exists in system wide CA”, then you do not need to install this.

b. Installing secondary CA certificates

#keytool -import -alias cross -keystore keystore.jks -trustcacerts -file gd_cross_intermediate.crt
#keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file gd_intermediate.crt

c. Installing the domain certificate into the keystore

Please note that the server certificate can be installed only after the supporting CA certificates have been installed in the keystore file.

 keytool -import -alias s1as  -keystore keystore.jks -trustcacerts -file

NB: Keep the same alias s1as when installing the SSL certificate, since it is hard-coded in Glassfish's domain.xml file. It can be changed anyway if you wish to use another.

How do I view all the certificates imported into the keystore

[root@fc-web01LA ssl]# keytool -list -v -keystore keystore.jks -storepass changeit

Check that the domain certificate's entry type is shown as “keyEntry” in the output above.
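
This check can be scripted. The following is an added example, not part of the original post: it reads keytool -list -v output on stdin and confirms that an alias holds a private key with a CA chain attached. The function name check_alias and the three sample listings are constructed for illustration, and it goes slightly beyond the post by also accepting “PrivateKeyEntry”, the label newer JDKs print for the same entry type.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` output on stdin and reports on one alias.
# Prints "<entry type> <chain length>"; returns 0 only if the alias is a private
# key entry (keyEntry on old JDKs, PrivateKeyEntry on JDK 6+) with a CA chain,
# 1 if the entry is the wrong type or has no chain, 2 if the alias is absent.
check_alias() {
    awk -v want="$1" '
        /^Alias name: /                              { cur = substr($0, 13) }
        cur == want && /^Entry type: /               { type = substr($0, 13) }
        cur == want && /^Certificate chain length: / { len = $NF }
        END {
            if (type == "") { print "missing 0"; exit 2 }
            print type, len + 0
            iskey = (type == "keyEntry" || type == "PrivateKeyEntry")
            rc = (iskey && len + 0 >= 2) ? 0 : 1
            exit rc
        }'
}

# Constructed sample listings (trimmed to the fields the check reads).
# Correct result: s1as holds the key plus the CA-issued chain.
GOOD='Alias name: root
Entry type: trustedCertEntry

Alias name: s1as
Entry type: keyEntry
Certificate chain length: 4'

# CA reply never imported under s1as: still the generated self-signed pair.
SELF_SIGNED='Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 1'

# Certificate imported into a keystore that lacks the private key.
NO_KEY='Alias name: s1as
Entry type: trustedCertEntry'

for sample in "$GOOD" "$SELF_SIGNED" "$NO_KEY"; do
    if out=$(printf '%s\n' "$sample" | check_alias s1as); then
        echo "OK   $out"
    else
        echo "FAIL $out"
    fi
done
```

Against a real keystore, pipe the listing in: keytool -list -v -keystore keystore.jks -storepass changeit | check_alias s1as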

Exporting private key from a keystore file

I need to install this SSL certificate on an Apache server as well, so I need to get the private key back out of the keystore file. I found a third-party site that provides a tool to facilitate this requirement.

Download that tool from here

Generate the private key from keystore

java -jar keystore.jks JKS changeit s1as

Voilà!! Now you have all the files required for a basic SSL install. 😉

Copy this keystore.jks file into the “config” folder of the respective domain. Then restart Glassfish. 🙂

3 comments to How do I install SSL on Glassfish server

  • ai

    Hi Liju, how do I edit domain.xml to add entry to this?

    • You do not need to edit anything in the domain.xml file, but ensure that https_connector is configured to use port 443.

      What this command does is append the CA certificate and domain certificate to the same file where the private key was initially set up. All the details will be in “keystore.jks” under the domain “config” folder. These command will be append file …

  • jeff

    I installed Glassfish and added my certificates to server.keystore. I then went into Glassfish admin and for the listener set the nickname to apex and keystore to server.keystore. However, when I go to the web page via SSL, it states there is a problem with the certificate – I said to continue. When the next page comes up, it shows a certificate error. I click on the message and it shows a valid cert date of today through the next 10 years – no way. Where is this coming from? I did this by following the Glassfish v3.1.2 and SSL by the Java Dude weblog. Any ideas?
