CSR Generation and Certificate Installation: Glassfish 4.x

 

1. CREATE KEYSTORE:

Use the following command to create a keystore:

> keytool -genkey -alias youralias -keyalg RSA -keystore yourkeystorename.jks -keysize 2048

Note: You will be prompted to enter a keystore password when you run the above command. The password of the newly created keystore must match the Glassfish master password, since the master password is used to access the certificate keystore. The default master password is “changeit” and can be changed with the “change-master-password” sub-command.

Afterwards, you will be prompted for the following. Ensure the details filled in here correspond to those communicated to us at the point of purchase:

What is your first and last name? = Your Domain Name (e.g. www.comodo.com)
What is the name of your organizational unit? = Your Department (e.g. IT)
What is the name of your organization? = Your Organization (e.g. Comodo CA Ltd)
What is the name of your City or Locality? = Your City (e.g. Clifton)
What is the name of your State or Province? = Your State (e.g. New Jersey)
What is the two-letter country code for this unit? = Your Country Code (e.g. US)



When all these have been filled in, you will be shown the summary to confirm accuracy. Type y and press enter. You will then be prompted to enter the key password for youralias. Simply press enter to leave the key password the same as the keystore password.

 
3. GENERATE CSR:

Use the following command to generate a CSR:

> keytool -certreq -alias youralias -file yourcsrname.csr -keystore yourkeystorename.jks

 
Note: Make sure that you specify the same values as in the previous command for [youralias] and [yourkeystorename].

 
4. SUBMIT THE CSR:

If you purchased the certificate directly from COMODO, log in to your account ( https://secure.instantssl.com ) and upload the CSR contents to the relevant order.


5. IMPORT THE CERTIFICATES INTO THE KEYSTORE:

If you have received the certificate files from COMODO, it's time to import them into the keystore. You can use PEM-encoded, PKCS#7, or DER-encoded .CER certificate files for importing into the keystore.

  • PEM

If you have received a ZIP containing four certificate files, run the following commands.

> keytool -import -v -trustcacerts -alias root -file addtrustexternalcaroot.crt -keystore yourkeystorename.jks

> keytool -import -v -trustcacerts -alias COMODORSAAddTrustCA -file COMODORSAAddTrustCA.crt -keystore yourkeystorename.jks

> keytool -import -v -trustcacerts -alias COMODORSADomainValidationSecureServerCA -file COMODORSADomainValidationSecureServerCA.crt -keystore yourkeystorename.jks

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.crt -keystore yourkeystorename.jks

Note: Each certificate file needs to be imported with a unique alias value, and the domain certificate’s alias must match the keystore alias.


  • PKCS#7

    You can install the domain certificate (CRT) file on an up-to-date Windows machine and then export the p7b file.

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.p7b -keystore yourkeystorename.jks


  • DER Encoded .CER

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.cer -keystore yourkeystorename.jks

Note: The above command only works on Java 7 and above.

 
6. IMPORTING THE ORIGINAL KEYSTORE INTO THE DEFAULT KEYSTORE:

After the certificates are successfully imported into the keystore, we need to move the certificates and the corresponding private key into the Glassfish default keystore named “keystore.jks”. This file is usually located in the glassfish4/glassfish/domains/domain1/config directory, although the path may vary slightly depending on the Glassfish installation folder and operating system. Use the following keytool command to import one keystore into another:

> keytool -importkeystore -srckeystore yourkeystorename.jks -destkeystore keystore.jks

NOTE: Since the end-point keystore password and Glassfish master password must match, make sure that you have the same passwords for the source and destination keystore. If they are different, it is possible to change the Glassfish master password with the help of the “change-master-password” sub-command specifying the source keystore password. This action will update the destination keystore password as well.
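
Before pointing http-listener-2 at the alias, it is worth confirming that the CA reply was attached to the private key entry rather than stored as a separate trusted certificate, which is what happens when the domain certificate is imported under a different alias. The following is an added example, not part of the original article: check_key_entry and the sample listings are hypothetical/constructed, and the parser assumes English-locale output from keytool -list -v.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes English-locale
# `keytool -list -v` output; the listings below are constructed samples.

# check_key_entry ALIAS: read a verbose keystore listing on stdin and print
# OK, MISSING, NOT_A_KEY or SELF_SIGNED for that alias (exit 0 only on OK).
check_key_entry() {
    awk -v want="$1" '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Entry type: /               { if (alias == want) etype = $3 }
        /^Certificate chain length: / { if (alias == want) chain = $4 }
        END {
            if (etype == "")                { print "MISSING";     exit 1 }
            if (etype != "PrivateKeyEntry") { print "NOT_A_KEY";   exit 1 }
            if (chain + 0 < 2)              { print "SELF_SIGNED"; exit 1 }
            print "OK"
        }'
}

# Constructed: CA reply imported under the key's own alias (chain attached).
sample_good() {
    cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry

Alias name: youralias
Entry type: PrivateKeyEntry
Certificate chain length: 4
EOF
}

# Constructed: reply imported under a new alias, so the key entry still holds
# only the self-signed certificate created by -genkey.
sample_wrong_alias() {
    cat <<'EOF'
Alias name: youralias
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: mydomain
Entry type: trustedCertEntry
EOF
}

sample_good | check_key_entry youralias                  # prints OK
sample_wrong_alias | check_key_entry youralias || true   # prints SELF_SIGNED
# Real use: keytool -list -v -keystore keystore.jks | check_key_entry youralias
```

A SELF_SIGNED result on keystore.jks means Glassfish would serve the self-signed certificate created in step 1 even though the CA files are present in the keystore.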


7. CONFIGURE HTTP-LISTENER-2:

On the Glassfish Admin console, go to Configurations -> Server Config -> http-listener-2 and:

  1. Under the General tab, change the port from 8181 to 443 (unless you want to use a different port).
  2. Under the SSL tab, change the Certificate NickName from s1as to the alias of the main certificate (youralias), which should be the same as the keystore alias.
  3. Save.


8. VERIFY THE INSTALLATION: 

Please use our SSL Analyzer to get a brief report of your server's security settings and certificate installation.

 
