Tuesday, January 24, 2017

SSL certificate configuration in GlassFish server - DigiCert CA


Before we start, please keep in mind the following default configuration of GlassFish:

By default, the keystore (keystore.jks) and truststore (cacerts.jks) for a domain are created in the domain-dir/config directory when you create the domain. The domain creation process creates a primary (private) key and a self-signed certificate for the DAS, and a separate private key and self-signed certificate for remote instances.


So this self-signed certificate must be replaced with your own keystore, renamed to "keystore.jks"; otherwise GlassFish will keep serving its own self-signed certificate.


OK, let's see the steps. In this example we are using a public certificate issued by DigiCert - https://www.digicert.com/

1) Create a directory and navigate to it

mkdir certificate_dir
cd certificate_dir

2) Create your own keystore


keytool -genkey -alias youralias -keyalg RSA -keystore yourkeystorename.jks -keysize 2048

where youralias is a name of your choice; it will be used as the certificate alias in the SSL configuration of http-listener-2 in GlassFish.

yourkeystorename.jks can be any <yourown_name>.jks, but it must be renamed to keystore.jks when you copy the file to the domain/config directory of GlassFish.


You will be prompted to enter a keystore password. The default password that comes with GlassFish is "changeit", unless you have changed it. Afterwards, you will be prompted for the following:


Ensure the details filled in here correspond 


What is your first and last name? = Your Domain Name (e.g. www.comodo.com)
What is the name of your organizational unit? = Your Department (e.g. IT)
What is the name of your organization? = Your Organization (e.g. Comodo CA Ltd)
What is the name of your City or Locality? = Your City (e.g. Clifton)
What is the name of your State or Province? = Your State (e.g. New Jersey)
What is the two-letter country code for this unit? = Your Country Code (e.g. US)

When all these have been filled in, you will be shown a summary to confirm accuracy. Type y and press Enter. You will then be prompted to enter the key password for youralias. Press Enter to use the same password as the keystore.

3) Generate CSR 


This file will be submitted to the certificate vendor (in my case DigiCert) to issue the public key certificate.


keytool -certreq -alias youralias -file yourcsrname.csr -keystore yourkeystorename.jks

where yourcsrname can be any name of your choice (<yourcsr>.csr), and the alias and keystore are the same as in step 2.

After yourcsrname.csr has been generated, copy its content or upload the CSR file to your certificate authority's website to have the public key certificate issued.

You have to choose the Java web server format and specify the same domain name you gave when creating the keystore in step 2.

Once your CA has issued the certificate, download it as a zip of .crt files and unpack it into the certificate_dir created in step 1.


4) IMPORT ROOT CERTIFICATE INTO YOURKEYSTORENAME.JKS:

keytool -import -v -trustcacerts -alias root -file TrustedRoot.crt -keystore yourkeystorename.jks

Here the alias is root, not your alias, and TrustedRoot.crt is the root certificate from the zip file. The file naming may differ across certificate vendors, but this is the name DigiCert uses.

All the intermediate certificates must be imported into your keystore using the general syntax below.

keytool -import -v -trustcacerts -alias <all_other_certificate_name> -file <all_other_certificate_name>.crt -keystore yourkeystorename.jks


Use a unique alias for each intermediate certificate. Here I am using the certificate file name as the alias.


5) IMPORT MAIN CERTIFICATE INTO YOURKEYSTORENAME.JKS

The main certificate is simply your public certificate for your domain name, issued by the certificate vendor and included in the zip file. Please note the alias is your alias from step 2.


keytool -import -alias youralias -trustcacerts -file your_domain_certificate.crt -keystore yourkeystorename.jks

If successful, you will get the message "Certificate reply was installed in keystore".
If not, please reread the steps and follow them carefully. If in any doubt, contact me at hubaibwdr@gmail.com. It is not as big a deal as you may think.

Now your private key and your public certificate chain are installed in the yourkeystorename.jks file.
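Steps 2 to 5 as one non-interactive script, added here as an example (not from the original post), together with a check that the result is what GlassFish needs: the alias must be a PrivateKeyEntry with the CA chain attached. The alias, file names, password and certificate subject below are placeholders; keytool is assumed to be on the PATH.

```shell
# Added example, not from the original post: steps 2 to 5 run non-interactively,
# plus a check that the result is what GlassFish needs. The alias, file names,
# password and subject below are placeholders (assumptions); use your own.
set -eu
KS=yourkeystorename.jks
ALIAS=youralias
STOREPASS=changeit   # GlassFish default; change it in practice
DNAME='CN=www.example.com, OU=IT, O=Example Org, L=Clifton, ST=New Jersey, C=US'

# Step 2: RSA key pair. -storetype JKS because recent keytool versions default
# to PKCS12, while GlassFish reads a JKS keystore.jks.
gen_key() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -dname "$DNAME" \
    -keystore "$KS" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 3: CSR to upload to the CA (same alias and keystore as step 2).
gen_csr() {
  keytool -certreq -alias "$ALIAS" -file yourcsrname.csr -keystore "$KS" -storepass "$STOREPASS"
}

# Step 4: root and each intermediate under its own alias ($1 alias, $2 file).
import_ca() {
  keytool -import -v -trustcacerts -noprompt -alias "$1" -file "$2" -keystore "$KS" -storepass "$STOREPASS"
}

# Step 5: the issued domain certificate ($1) goes under the SAME alias as the
# key; that is what makes keytool treat it as a certificate reply.
import_reply() {
  keytool -import -trustcacerts -alias "$ALIAS" -file "$1" -keystore "$KS" -storepass "$STOREPASS"
}

# Validate a `keytool -list -v` listing ($1 file): the alias must be a PrivateKeyEntry
# (reply installed) with a chain of at least $2 certs (1 leaf + CA certs from step 4).
check_listing() {
  grep -q 'Entry type: PrivateKeyEntry' "$1" || return 1
  len=$(sed -n 's/^Certificate chain length: //p' "$1" | head -n 1)
  [ -n "$len" ] && [ "$len" -ge "$2" ]
}

verify_keystore() {   # $1: expected minimum chain length
  keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" > listing.txt
  check_listing listing.txt "$1"
}

# Typical run once the CA zip is unpacked in the current directory:
#   gen_key && gen_csr                       # upload yourcsrname.csr, wait for the zip
#   import_ca root TrustedRoot.crt           # then one import_ca per intermediate .crt
#   import_reply your_domain_certificate.crt && verify_keystore 2
```

If verify_keystore fails, the most common causes are the reply imported under a different alias than the key (it then becomes a trustedCertEntry) or a missing intermediate, which keytool rejects with "Failed to establish chain from reply".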

6) Set up the certificate in GlassFish for HTTPS

Please keep in mind (you may already know the basics): the default HTTPS port is 443 and the default certificate alias in GlassFish is "s1as". You have to replace every reference to s1as in domain.xml, located in the domain's config directory of the GlassFish server, with your own alias from step 2.


Now it's time to copy yourkeystorename.jks to your GlassFish domain/<your_domain>/config directory. Before you do this, take a backup of your domain directory so that you can recover if something goes wrong.

You will have noticed the default GlassFish keystore file in the domain/config directory.
Take a backup of it, then rename your own .jks file to keystore.jks.

Now go to your GlassFish admin console > configuration > server > Http > http-listener-2

Change the port to 443 and go to the SSL tab.
In the alias field enter youralias. Remember, all the default "s1as" references are already replaced in domain.xml, right? Leave everything else as it is.

Now restart your GlassFish domain and open https://yourwebdomain/ in a browser.
You should see the connection marked as secure, with the certificate issued by your certificate vendor.
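The domain.xml and keystore part of step 6 done from the shell, with a final check of the certificate the server actually presents after the restart. This is an added example, not from the original post; the alias, the domain config path and the host name are placeholders, and the sample domain.xml fragment in the comments is constructed.

```shell
# Added example, not from the original post: step 6 from the shell. It backs up
# domain.xml, swaps every quoted "s1as" reference for your alias, counts what is
# left (must be 0) and, after the restart, shows which certificate the server
# really presents. ALIAS and CONFIG_DIR are placeholders (assumptions).
set -eu
ALIAS=youralias
CONFIG_DIR=domain/domain1/config   # placeholder: your domain/<your_domain>/config

# Replace the alias in a domain.xml ($1 file, $2 new alias) after keeping a
# backup next to it. Every attribute value "s1as" is rewritten, which covers the
# cert-nickname of http-listener-2 and the other SSL listeners in one pass.
# (The alias must not contain '/' or '&', which would break the sed expression.)
swap_alias() {
  cp "$1" "$1.bak"
  sed "s/\"s1as\"/\"$2\"/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Lines in $1 that still carry a quoted "s1as" reference (0 when the swap is complete).
count_refs() {
  grep -c '"s1as"' "$1" || true
}

# Lines in $1 that now carry the new alias $2 as an attribute value.
count_alias() {
  grep -c "\"$2\"" "$1" || true
}

# Install the keystore: back up the GlassFish default, then put yours in its place
# under the name GlassFish expects ($1 is your keystore, e.g. yourkeystorename.jks).
install_keystore() {
  cp "$CONFIG_DIR/keystore.jks" "$CONFIG_DIR/keystore.jks.bak"
  cp "$1" "$CONFIG_DIR/keystore.jks"
}

# After the restart: what is actually served on 443 for host $1. The issuer must
# be your CA, not the old self-signed "s1as" certificate.
check_served_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Typical run (domain stopped):
#   swap_alias "$CONFIG_DIR/domain.xml" "$ALIAS"
#   [ "$(count_refs "$CONFIG_DIR/domain.xml")" = 0 ] || echo "s1as references remain"
#   install_keystore yourkeystorename.jks
#   ... restart the domain, then: check_served_cert www.example.com
```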

You are all done. For any exception, please write to my email hubaibwdr@gmail.com, because I believe that when you share knowledge nothing is lost, and you improve yourself too. Thanks.
If you find any mistake in these steps, I would love to know and correct myself.