How to Install Certificates on GLASSFISH Server

1. CREATE DIRECTORY FOR THE KEYSTORE AND CSR:

Open a command prompt and type the following:

> mkdir sslcert

Then cd to the newly created directory by typing the following command:

> cd sslcert

2. CREATE KEYSTORE:

Use the following command to create a keystore:

> keytool -genkey -alias youralias -keyalg RSA -keystore yourkeystorename.jks -keysize 2048

You will be prompted to enter keystore password. The default password that comes with glassfish is "changeit" except you have changed yours. Afterwards, you will be prompted for the following:

Ensure the details filled in here correspond to those communicated at the point of purchasing,

What is your first and last name? = Your Domain Name (e.g. www.xyz.com)
What is the name of your organizational unit? = Your Department (e.g. IT)
What is the name of your organization? = Your Organization (e.g. XYZ CA Ltd)
What is the name of your City or Locality? = Your City (e.g. Clifton)
What is the name of your State or Province? = Your State (e.g. New Jersey)
What is the two-letter country code for this unit? = Your Country Code (e.g. US)

Tip : Click here to view the list of Country Codes

When all these have been filled in, you will be shown the summary to confirm accuracy. Type y and press enter. You will then be prompted to enter the key password for youralias. Press enter if you are using the default password.

3. GENERATE CSR:

Use the following command to generate a CSR

> keytool -certreq -alias youralias -file yourcsrname.csr -keystore yourkeystorename.jks

Note: Use the same alias name you used for generating the keystore.

4. IMPORT ROOT CERTIFICATE TO CACERTS.JKS AND KEYSTORE.JKS:

> keytool -import -v -trustcacerts -alias root -file addtrustexternalcaroot.crt -keystore keystore.jks

5. IMPORT INTERMEDIATE CERTIFICATE TO CACERTS.JKS AND KEYSTORE.JKS:

> keytool -import -v -trustcacerts -alias XYZRSAAddTrustCA -file XYZRSAAddTrustCA.crt -keystore keystore.jks

> keytool -import -v -trustcacerts -alias XYZRSADomainValidationSecureServerCA -file XYZRSADomainValidationSecureServerCA.crt -keystore keystore.jks

Note : Use a Unique alias name for each intermediate certificate.

6. IMPORT MAIN CERTIFICATE TO KEYSTORE.JKS (THE ALIAS SHOULD BE SAME AS THAT OF THE KEYSTORE):

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.crt -keystore keystore.jks

You should you should receive a message: Certificate reply was installed in keystore if successful. It should NOT match the output of Step 1 or 2 above.

7. CONFIGURE HTTP-LISTENER-2:

On the Glassfish Admin console, go to Configurations -> Server Config -> http-listener-2 and:

1. Under the General tab, change the port from 8181 to 443
2. Under the SSL tab, change the Certificate NickName from s1as to the alias of the main certificate (youralias) (which should be the same as the keystore alias)
3. Save

8. REFERENCE INSTALLED CERTIFICATE IN THE DOMAIN.XML:

Open the /config/domain.xml and replace all references of s1as with the alias of the installed certificate (youralias)