Installing Thawte Certificate on Glassfish 3.11 server for https traffic

This is a short guide on how to install a CA certificate into the Glassfish 3.11 application server. Some details are specific to Thawte certificates, but the procedure should work with certificates from other Certificate Authorities as well. Thawte does not provide specific instructions for Glassfish 3.1, so this guide is based on the Oracle Glassfish 3.11 documentation and my own experience. The documentation can be found here: Administering JSSE Certificates


  1. Back up your current keystore and truststore
    cp cacerts.jks cacerts.jks.backup
    cp keystore.jks keystore.jks.backup
  2. Change the master password for the server. Stop the domain and issue:

    asadmin change-master-password --savemasterpassword=true
  3. Delete the default self-signed certificate:
    keytool -delete -alias s1as -keystore keystore.jks -storepass <store_passwd>
  4. Generate a new key pair for the application server:
    keytool -genkeypair -keyalg <key_alg> -keystore keystore.jks  -validity <val_days> -alias s1as

    where key_alg is the algorithm to be used for generating the key pair, for example RSA, and val_days is the number of days that the certificate should be considered valid. For example, 365.
    In addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias. Please leave the alias as s1as, the default alias of the Glassfish keystore.

    For HTTPS hostname verification, it is important to ensure that the name of the certificate (CN) matches the fully-qualified hostname of your site (fully-qualified domain name). If the names do not match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site.

  5. Generate a Certificate Signing Request (CSR):
    keytool -certreq -alias s1as -file s1as.csr -keystore keystore.jks -storepass <password>
  6. Back up the file and submit the CSR to a Certificate Authority (Thawte)
  7. Download the Thawte secondary and primary certificates according to this document
    I used the SSL Web Server links to download the primary and secondary certificates
  8. Download your certificate when it is ready and store the signed server certificate from the CA, including the markers -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, in a file such as s1as.cert. Download the CA certificate and any intermediate CA certificates and store them in local files.
  9. Import the CA certificate (if not already present) and any intermediate CA certificates (if not already present) indicated by the CA into the truststore cacerts.jks:
    keytool -import -v -trustcacerts -alias s1as -file Primary.crt -keystore cacerts.jks -storepass <password>
    keytool -import -v -trustcacerts -alias  Intermediate -file Secondary.crt -keystore cacerts.jks -storepass <password>
  10. Rename the Thawte certificate to have a p7b extension.
  11. Replace the original self-signed certificate with the certificate you obtained from the CA, as stored in a file such as s1as.p7b:
    keytool -import -v -trustcacerts -alias  s1as -file s1as.p7b -keystore keystore.jks -storepass <password>

    This imports the certificate under the same original alias, s1as. keytool treats this as a command to replace the original certificate with the certificate obtained as a reply to a CSR.
    After running the command, you should see that the certificate s1as in the keystore is no longer the original self-signed certificate, but is now the response certificate from the CA.
  12. Check the certificate in the keystore:
    keytool -v -list -keystore keystore.jks
  13. Start the domain:
    asadmin start-domain domain1
  14. Navigate to the secure port with the browser: https://hostname:8181/

    I found that after enabling the certificate, the admin interface on port 4848 stopped working; I got a blank screen after login.
    The solution was to enable secure communications on port 4848 by issuing the commands:

    asadmin enable-secure-admin
    asadmin restart-domain domain1
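
A way to automate the check in step 12, added here as an example and not part of the original post: the function below reads `keytool -list -v` output and reports whether the s1as entry now holds the CA reply (a private key entry with a chain whose first certificate is not self-issued) and whether its CN matches the site's hostname. It assumes English-locale keytool output; the function names, the sample listing and `www.example.com` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Real use: keytool -list -v -keystore keystore.jks | check_entry s1as <your-fqdn>

# Constructed sample of `keytool -list -v` output; all names are placeholders.
sample_listing() {
cat <<'EOF'
Alias name: s1as
Creation date: Jan 1, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example CA Inc, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA Inc, C=US
Issuer: CN=Example Root CA, O=Example CA Inc, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA Inc, C=US
Issuer: CN=Example Root CA, O=Example CA Inc, C=US
EOF
}

# check_entry ALIAS HOSTNAME   (keytool -list -v output on stdin)
# Prints one verdict: ok, missing, not-private-key, self-signed, cn-mismatch
check_entry() {
  awk -v alias="$1" -v host="$2" '
    /^Alias name: /               { cur = substr($0, 13); next }
    cur != alias                  { next }   # skip other keystore entries
    /^Entry type: /               { type = substr($0, 13) }
    /^Certificate chain length: / { len = $NF }
    /^Certificate\[/              { idx++ }
    idx == 1 && /^Owner: /        { owner = substr($0, 8) }
    idx == 1 && /^Issuer: /       { issuer = substr($0, 9) }
    END {
      if (type == "")                      { print "missing"; exit }
      if (type != "PrivateKeyEntry")       { print "not-private-key"; exit }
      # A CSR reply was not applied if the leaf is still self-issued.
      if (len + 0 < 2 || owner == issuer)  { print "self-signed"; exit }
      cn = owner; sub(/^.*CN=/, "", cn); sub(/,.*$/, "", cn)
      print (cn == host ? "ok" : "cn-mismatch")
    }'
}

# Demo on the constructed listing
sample_listing | check_entry s1as www.example.com
```

A verdict of `self-signed` after step 11 means the import did not replace the original certificate; `not-private-key` means the reply was stored as a trusted certificate instead of being attached to the private key.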

1 Comment

  1. I configured SSL. When I try to connect to the SSL-enabled port, I see the following in the server.log file:
    [#|2012-05-07T08:40:17.453-0400|WARNING|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|SSL support could not be configured! Keystore was tampered with, or password was incorrect

    I presume this means that my master and key store passwords are different. What do I do to rectify this?

