import ssl certificate in Glassfish

南笙 2021-02-02 02:07

I have the following issue:

I obtained a free certificate from Comodo (90 days) for my GlassFish web application and then I imported the certs into GlassFish 3.1 by f

3 answers
  • 2021-02-02 02:38

    Preconditions:

    • installed keytool and GlassFish 4.x (with default keystore password changeit)
    • your source keystore used to generate CSR
      • e.g. ~/mySourceKeystore.jks with password myPassword and private key with alias myAlias
    • your valid certificate (obtained from CA)
      • e.g. ~/myCertificate.crt with password myPassword and alias myAlias
    • certificate of CA (obtained from CA)
      • e.g. ~/AwesomeCA.crt

    Here are all steps how to import SSL certificate into GlassFish:

    1. Navigate to GLASSFISH-HOME/domains/domain1/config

    2. Import your source keystore (with private key) into GlassFish keystore:

      $ keytool -importkeystore -srckeystore ~/mySourceKeystore.jks -destkeystore keystore.jks
      Enter destination keystore password: changeit
      Enter source keystore password: myPassword
      Entry for alias server successfully imported.
      Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
      
    3. Import certificate of CA into GlassFish keystore:

      $ keytool -import -v -trustcacerts -alias AwesomeCA -file ~/AwesomeCA.crt -keystore keystore.jks
      Enter keystore password: changeit
      Certificate was added to keystore
      [Storing keystore.jks]
      
    4. Import obtained SSL certificate into GlassFish keystore:

      $ keytool -import -v -trustcacerts -alias myAlias -file ~/myCertificate.crt -keystore keystore.jks
      Enter keystore password: changeit
      Enter key password for <myAlias>: myPassword
      Certificate reply was installed in keystore
      [Storing keystore.jks]
      
    5. At this point the error java.security.UnrecoverableKeyException: Cannot recover key would occur during GlassFish startup, because the keystore password and the alias key password differ. To prevent this error you need to execute:

      $ keytool -keypasswd -alias myAlias -new changeit -keystore keystore.jks
      Enter keystore password: changeit
      Enter key password for <myAlias>: myPassword
      
    6. Change default alias (s1as) in GlassFish to your myAlias:

      $ asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=myAlias
      
    7. (Optional) You can change default SSL port (8181) in GlassFish to well known 443:

      $ asadmin set server.network-config.network-listeners.network-listener.http-listener-2.port=443
      
    8. Restart GlassFish

  • 2021-02-02 02:38

    For Glassfish 4.x you can follow this Comodo Guide

    Here is the web archive if link expires.

  • 2021-02-02 02:58

    Unfortunately I don't have enough reputation to post images of the GlassFish admin console, but let me try to help somebody just using text.

    NOTE1: The configuration was done on Ubuntu 12.04 server and glassfish 3.1.2

    Comodo gives you 4 files

    • your_domain.key (your private key)
    • your_domain.crt (your public key)
    • PositiveSSLCA2.crt (CA public key)
    • AddTrustExternalCARoot.crt (CA public key)

    Import every public key into the file cacerts.jks. To do that, merge the public key files into one file:

    NOTE2: The order of the files DOES matter.

    cat your_domain.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt  > all.crt
    

    Now import them using keytool:

    keytool -import -trustcacerts -alias tomcat -file all.crt -keystore cacerts.jks
    

    Create a p12 file with your private key:

    NOTE3: You can use the same password for every file to make things easier.

    openssl pkcs12 -export -in all.crt -inkey your_domain.key -out your_domain.p12 -name your_alias -CAfile PositiveSSLCA2.crt -caname immed
    

    NOTE4: Don't forget your alias (your_alias); you will need to reference it in the GlassFish admin console later.

    Now import the private key using keytool:

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore your_domain.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias your_alias
    

    Now your keystore.jks (with your private keys) and your cacerts.jks (with your public key) are ready to be used. If you want to check that everything is OK, run:

    keytool -list -keystore keystore.jks
    keytool -list -keystore cacerts.jks
    

    Go to the GlassFish admin console and find the section:

    • Configurations->server-config->HTTP Service->Http Listeners->http-listener-2

    Go to the SSL tab and change the Certificate NickName to your_domain.

    Restart the GlassFish server.

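NOTE2 above (the order of the files in all.crt matters) and step 4 of the first answer (keytool needs the CA chain already trusted before it will accept the certificate reply) both come down to the same property: in a bundle each certificate must be followed by the certificate that issued it, leaf first, root last. The following script is an added example, not code from either answer or from Comodo or GlassFish. It uses only the Python standard library and walks just enough of the DER structure to pull the raw issuer and subject Names out of each certificate, then checks that cert[i].issuer == cert[i+1].subject for every adjacent pair. It does not verify signatures; keytool does that when it installs the reply. The `fake_cert_pem` helper builds constructed, unsigned certificate-shaped blobs purely to exercise the check; the file names in the usage block mirror the answer and are assumptions.

```python
import base64
import re

# Matches each PEM-armoured certificate in a concatenated bundle such as all.crt
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def _read_tlv(buf, pos):
    """Decode the DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, value_end = _read_tlv(buf, pos)
        yield tag, buf[pos:value_end]
        pos = value_end


def issuer_and_subject(der):
    """Return the raw DER of (issuer, subject) from an X.509 certificate.

    Only the outer structure is walked, so this works on real certificates too:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    """
    _, cert_start, cert_end = _read_tlv(der, 0)
    _, tbs = next(_children(der, cert_start, cert_end))
    _, tbs_start, tbs_end = _read_tlv(tbs, 0)
    # Drop the optional context-specific [0] version so the field positions are fixed
    fields = [raw for tag, raw in _children(tbs, tbs_start, tbs_end) if tag != 0xA0]
    return fields[2], fields[4]


def parse_bundle(pem_bytes):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode(m.group(1)) for m in PEM_CERT.finditer(pem_bytes)]


def check_chain_order(pem_bytes):
    """For each adjacent pair, True if certificate i was issued by certificate i+1.

    A correctly ordered bundle (leaf, intermediate(s), root) yields all True.
    """
    names = [issuer_and_subject(der) for der in parse_bundle(pem_bytes)]
    return [names[i][0] == names[i + 1][1] for i in range(len(names) - 1)]


# --- constructed test data: unsigned, certificate-shaped DER, NOT real Comodo certs ---

def _tlv(tag, value):
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN (OID 2.5.4.3)."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Build a constructed, unsigned certificate-shaped PEM block for exercising the check."""
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))   # [0] version: v3
               + _tlv(0x02, b"\x01")              # serialNumber
               + _tlv(0x30, b"")                  # signature AlgorithmIdentifier (placeholder)
               + _name(issuer_cn)                 # issuer
               + _tlv(0x30, b"")                  # validity (placeholder)
               + _name(subject_cn))               # subject
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Same layout as the answer's cat command: your_domain.crt, PositiveSSLCA2.crt, AddTrustExternalCARoot.crt
    leaf = fake_cert_pem("your_domain.example", "PositiveSSLCA2")
    intermediate = fake_cert_pem("PositiveSSLCA2", "AddTrustExternalCARoot")
    root = fake_cert_pem("AddTrustExternalCARoot", "AddTrustExternalCARoot")
    print("leaf, intermediate, root:", check_chain_order(leaf + intermediate + root))
    print("intermediate, leaf, root:", check_chain_order(intermediate + leaf + root))
```

To check a real bundle, read all.crt as bytes and pass it to `check_chain_order`; any False in the result means the file was concatenated in the wrong order and keytool will either reject the reply or install a chain that clients cannot build. The comparison is on the raw DER of the Name, which is how keytool and TLS clients match issuer to subject, so a cosmetic difference in string encoding between two otherwise identical names is reported as a mismatch, which is the conservative answer.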