This is a short guide on how to install a CA certificate into the Glassfish 3.11 application server. There are some specifics for Thawte certificates, but the procedure should work with certificates from other Certificate Authorities as well. Thawte does not provide specific instructions for Glassfish 3.1, and this guide is based on the Oracle Glassfish 3.11 documentation and my own experience. The documentation can be found here: Administering JSSE Certificates
- Back up your current keystore and truststore
cp cacerts.jks cacerts.jks.backup
cp keystore.jks keystore.jks.backup
- Change the master password for the server. Stop the domain and issue:
asadmin change-master-password --savemasterpassword
- Delete the default self-signed certificate:
keytool -delete -alias s1as -keystore keystore.jks -storepass <store_passwd>
- Generate a new key pair for the application server:
keytool -genkeypair -keyalg <key_alg> -keystore keystore.jks -validity <val_days> -alias s1as
where key_alg is the algorithm to be used for generating the key pair, for example RSA, and val_days is the number of days that the certificate should be considered valid, for example 365.
In addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias. Leave the alias as s1as, the default alias of the Glassfish keystore.
For HTTPS hostname verification, it is important to ensure that the name of the certificate (CN) matches the fully-qualified hostname of your site (fully-qualified domain name). If the names do not match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site.
- Generate a Certificate Signing Request (CSR):
keytool -certreq -alias s1as -file s1as.csr -keystore keystore.jks -storepass <password>
- Back up the file and submit the CSR to a Certificate Authority (Thawte)
- Download the Thawte secondary and primary certificates according to this document
I used the SSL Webserver links to download the primary and secondary certificates
- Download your certificate when it is ready and store the signed server certificate from the CA, including the markers -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, into a file such as s1as.cert. Download the CA certificate and any intermediate CA certificates and store them in local files.
- Import the CA certificate (if not already present) and any intermediate CA certificates (if not already present) indicated by the CA into the truststore cacerts.jks:
keytool -import -v -trustcacerts -alias s1as -file Primary.crt -keystore cacerts.jks -storepass <password>
keytool -import -v -trustcacerts -alias Intermediate -file Secondary.crt -keystore cacerts.jks -storepass <password>
- Rename the Thawte certificate to have a .p7b extension.
- Replace the original self-signed certificate with the certificate you obtained from the CA, as stored in a file such as s1as.p7b:
keytool -import -v -trustcacerts -alias s1as -file s1as.p7b -keystore keystore.jks -storepass <password>
This imports the certificate using the same original alias, s1as. keytool treats this as a command to replace the original certificate with the certificate obtained as a reply to a CSR.
After running the command, you should see that the certificate s1as in the keystore is no longer the original self-signed certificate, but is now the response certificate from the CA.
- Test certificate in keystore:
keytool -v -list -keystore keystore.jks
- Start the domain:
asadmin start-domain domain1
Navigate to the secure port with the browser: http://hostname:8181/
I found that after enabling the certificate, the admin interface on port 4848 stopped working: I got a blank screen after login.
The solution was to enable secure communications on port 4848 by issuing the commands:
asadmin enable-secure-admin
asadmin restart-domain domain1
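A scripted version of the "Test certificate in keystore" step, added here as an example and not part of the original guide: it reads `keytool -v -list` output and reports whether the s1as entry is still self-signed and whether its CN matches the expected hostname. The function name check_entry, the hostnames and the CA names in the sample output are constructed, and the parsing assumes keytool's English output labels.

```shell
#!/bin/sh
# Added example (not from the original guide). Reads `keytool -v -list` output
# on stdin and checks one alias: entry type, self-signed or not, CN vs hostname.
check_entry() {   # $1 = alias, $2 = expected fully-qualified hostname
    awk -v alias="$1" -v host="$2" '
        /^Alias name: /  { in_entry = ($0 == ("Alias name: " alias)); next }
        !in_entry        { next }
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate chain length: / { chain = substr($0, 27) + 0 }
        # The first Owner/Issuer pair of an entry is the server certificate.
        /^Owner: /  && owner == ""  { owner = substr($0, 8) }
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (match(owner, /CN=[^,]*/)) cn = substr(owner, RSTART + 3, RLENGTH - 3)
            if (type == "")                   { print "missing"; exit 2 }
            if (type != "PrivateKeyEntry")    { print "wrong-type"; exit 2 }
            if (owner == issuer)              { print "self-signed"; exit 1 }
            if (tolower(cn) != tolower(host)) { print "cn-mismatch " cn; exit 1 }
            print "ok chain=" chain
        }'
}

# Constructed sample output: state before the CA reply is imported.
sample_before() { cat <<'EOF'
Keystore type: JKS

Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example, C=US
Issuer: CN=www.example.com, O=Example, C=US
EOF
}

# Constructed sample output: state after importing the CA reply (s1as.p7b).
sample_after() { cat <<'EOF'
Keystore type: JKS

Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
EOF
}
```

Against a real keystore, pipe the command from the test step into the function: `keytool -v -list -keystore keystore.jks -storepass <password> | check_entry s1as <hostname>`. A non-zero exit status means the entry is missing, is not a private key entry, is still self-signed, or has a CN that differs from the hostname.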