Using your SSL certificate on Glassfish 3

This was kind of problematic for me and my colleagues, so after I manage to set our SSL certificate, I decided to share the story.

Before doing anything, back up the files under  $GFHOME/domains/yourdomain/config.

Steps are:

  1. Generating a private key
  2. Creating a Certification Signing Request (CSR)
  3. Sending the CSR to a certificate authority
  4. Importing your signed certificate
  5. Setting necessary Glassfish configuration
First, we let’s create our private key. You can directly work on the existing keystore shipped with Glassfish, or you can create a new keystore and then import it to Glassfish’s keystore. To be more safe, I created a new keystore and generated the private key on that:
cd ~
mkdir ssl-stuff
cd ssl-stuff


keytool -keysize 2048 -genkey -alias -keyalg RSA -dname ",O=Your Organization,L=Your City,S=Your State,C=Your Country Code like US, CH or TR" -keystore keystore.jks -keypass changeit -storepass changeit

Now our private key is generated in keystore.jks file. I used keypass ‘changeit’ as key password and keystore password for now.

keytool -certreq -alias -keystore keystore.jks -storepass changeit -keypass changeit -file server.csr

This results in a certificate signing request, server.csr. Now we have two files : keystore.jks  server.csr

Next step is uploading server.csr file to one of the certificate authorities (I used Godaddy and I was pretty happy with their service) and receiving signed certificate. Certificate authorities looks for the “whois” record of your domain and if they find a technical representative email address, they send the signed certificate to that email. If there is no email address (like one of the domains I set the SSL up), they give you a code (like abcd123) and require you to either add a subdomain with that code or add a html page named with the code (and also with the content filled with the code).

From certificate authority, you should generally receive two files

  • Your signed certificate : generally named as “”
  • Root certificate of your certificate (you might receive more than one. In some cases certification authority sends the intermediate certificates) : Godaddy names it “gd_bundle.crt”
Next step is importing the keystore I used into the Glassfish’s keystore:
keytool -importkeystore -srckeystore ~/ssl-stuff/keystore.jks -destkeystore $GLASSFISHHOME/domains/yourdomain/config/keystore.jks
Now, the final step done on keystore is importing the signed certificate. First, we gotta switch to Glassfish’s keystore and import the root certificate:
cd $GLASSFISH_HOME/domains/yourdomain/config
keytool -import -v -trustcacerts -alias root -file gd_bundle.crt -keystore keystore.jks -keypass changeit -storepass changeit
Then, import the signed certificate of yours:
keytool -import -v -trustcacerts -alias -file -keystore keystore.jks -keypass changeit -storepass changeit
Now we’re done with the keystore. You should have something like this:
keytool -list -keystore keystore.jks

Keystore-Typ: JKS
Keystore-Provider: SUN


root, 03.06.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX, 03.06.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Final step of the whole process is using our domain alias as the “certificate nickname” on GlassFish:

About these ads

16 Responses to Using your SSL certificate on Glassfish 3

  1. Jeff says:

    I configured SSL. When try to connect to the SSL enabled port, I see the following in the server.log file:
    [#|2012-05-07T08:40:17.453-0400|WARNING|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|SSL support could not be configured! Keystore was tampered with, or password was incorrect

    I presume this means that my master and key store passwords are different. What do I do to rectify this?

    • Ali Ok says:

      That happened to me too once. I believe Glassfish doesn’t support it.
      I couldn’t find it in Glassfish documentation that time. I had to change my keystore’s password to my master password.

      However, you could try passing “” property to your Glassfish instance. Haven’t tried though.

      • Jeff says:

        How do I change the keystore’s password to match the master? What is the master password – is this the Admin console password? Glassfish is 3.0.1.

  2. Ali Ok says:

    Yes, it is admin console password.

    This should change the keystore password :
    keytool -storepasswd -new new_storepass -keystore keystore.jks

    • Jeff says:

      When I built the keystore I DID use the Admin console password. I have seen some information that the glassfish password is changeit. Does my keystore have to be “changeit”?

    • Jeff says:

      I changed the master password to match my keystore password and now it works.

  3. Mak says:

    Excellent description. Simply works. Thanks a ton !

    Quick addition (for GF 3.1) is :

    1. In the domain.xml file : set -> allow-lazy-init=”false”
    (This avoids exceptions at startup. )

    2. I deleted the “s1as” alias and key from the keystore completely:

    “keytool -delete -alias s1as -keystore keystore.jks”

    and replaced all references to it in the domain.xml with the alias “”, because the admin console does not update all the aliases, and exceptions continue to be thrown.

  4. Pingback: Delicious Bookmarks for October 30th from 13:56 to 23:07 « Lâmôlabs

  5. Paul says:

    I keep getting a “Connection was reset” when trying to access in browser :(

  6. Pingback: Glassfish – no admin page at Carl's notes - Things I need to get out of my head

  7. Pingback: HTTPS for Glassfish at Carl's notes - Things I need to get out of my head

  8. Pingback: Glassfish SSL error – SSL connection error | Code and Programming

  9. Manuel says:

    I had some Problems, that the Certificate chain length was 1 insted of 3…
    This post solved my Problem:

  10. srinivas k says:

    Nice write !! Thanks for the nice tutorial

  11. Pingback: Confluence: Unified Speech snap-in

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

%d bloggers like this: