import ssl certificate in Glassfish

南笙 2021-02-02 02:07

I have the following issue:

I obtained a free certificate from Comodo (90 days) for my GlassFish web application and then I imported the certs into GlassFish 3.1 by f

3 answers
  •  遇见更好的自我
    2021-02-02 02:38

    Preconditions:

    • installed keytool and GlassFish 4.x (with default keystore password changeit)
    • your source keystore used to generate CSR
      • e.g. ~/mySourceKeystore.jks with password myPassword and private key with alias myAlias
    • your valid certificate (obtained from CA)
      • e.g. ~/myCertificate.crt with password myPassword and alias myAlias
    • certificate of CA (obtained from CA)
      • e.g. ~/AwesomeCA.crt

    Here are all the steps to import an SSL certificate into GlassFish:

    1. Navigate to GLASSFISH-HOME/domains/domain1/config

    2. Import your source keystore (with private key) into GlassFish keystore:

      $ keytool -importkeystore -srckeystore ~/mySourceKeystore.jks -destkeystore keystore.jks
      Enter destination keystore password: changeit
      Enter source keystore password: myPassword
      Entry for alias server successfully imported.
      Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
      
    3. Import certificate of CA into GlassFish keystore:

      $ keytool -import -v -trustcacerts -alias AwesomeCA -file ~/AwesomeCA.crt -keystore keystore.jks
      Enter keystore password: changeit
      Certificate was added to keystore
      [Storing keystore.jks]
      
    4. Import obtained SSL certificate into GlassFish keystore:

      $ keytool -import -v -trustcacerts -alias myAlias -file ~/myCertificate.crt -keystore keystore.jks
      Enter keystore password: changeit
      Enter key password for : myPassword
      Certificate reply was installed in keystore
      [Storing keystore.jks]
      
    5. At this point, the error java.security.UnrecoverableKeyException: Cannot recover key would occur during GlassFish startup because the keystore password and the key password for the alias are different. To prevent this error, you need to execute:

      $ keytool -keypasswd -alias myAlias -new changeit -keystore keystore.jks
      Enter keystore password: changeit
      Enter key password for : myPassword
      
    6. Change the default alias (s1as) in GlassFish to your myAlias:

      $ asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=myAlias
      
    7. (Optional) You can change the default SSL port (8181) in GlassFish to the well-known 443:

      $ asadmin set server.network-config.network-listeners.network-listener.http-listener-2.port=443
      
    8. Restart GlassFish
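
A check to run after step 4, added here as an example and not part of the answer above: it classifies one alias from `keytool -list -v` output, catching the case where the CA reply never landed on the private-key entry. The sample listings are constructed and abridged, and `check_alias` with its status strings is a hypothetical helper.

```bash
# Added example: classify one alias from `keytool -list -v` output read on stdin.
# Real use: keytool -list -v -keystore keystore.jks -storepass changeit | check_alias myAlias
check_alias() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    # JKS stores aliases lower-cased, so compare case-insensitively.
    /^Alias name: /  { cur = tolower(substr($0, 13)); sub(/[ \t\r]+$/, "", cur); next }
    cur != want      { next }
    /^Entry type: /  { type = $3; found = 1 }
    /^Certificate chain length: / { len = $4 + 0 }
    /^Certificate\[/ { idx = $0; gsub(/[^0-9]/, "", idx) }
    /^Owner: /  && idx + 0 == 1 { owner  = substr($0, 8) }
    /^Issuer: / && idx + 0 == 1 { issuer = substr($0, 9) }
    END {
      if (!found)                           print "missing"
      else if (type != "PrivateKeyEntry")   print "not-a-key-entry"
      else if (len == 1 && owner == issuer) print "self-signed"
      else if (len < 2)                     print "chain-incomplete"
      else                                  print "ok"
    }'
}

# Constructed sample: key entry with the CA reply installed, plus the CA as a trusted cert.
SAMPLE_GOOD='Alias name: myalias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test
Issuer: CN=AwesomeCA
Certificate[2]:
Owner: CN=AwesomeCA
Issuer: CN=AwesomeCA
Alias name: awesomeca
Entry type: trustedCertEntry
Owner: CN=AwesomeCA
Issuer: CN=AwesomeCA'

# Constructed sample: step 4 was skipped, so the alias still holds its self-signed certificate.
SAMPLE_SELF_SIGNED='Alias name: myalias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test
Issuer: CN=www.example.test'

printf '%s\n' "$SAMPLE_GOOD" | check_alias myAlias          # ok
printf '%s\n' "$SAMPLE_SELF_SIGNED" | check_alias myAlias   # self-signed
```

A result of `not-a-key-entry` means the certificate was imported under an alias that holds no private key, so the listener configured with that `cert-nickname` has nothing to present.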
