How to Generate a CSR on GlassFish?
To obtain a Secure Sockets Layer (SSL) certificate for securing GlassFish applications, you need a Certificate Signing Request (CSR). The CSR contains your server’s public key and your identifying information, and gives the Certificate Authority (CA) the information it needs to create a trusted SSL certificate.
The following steps walk you through creating a CSR with the built-in Java keytool utility and preparing the GlassFish environment for SSL support.
Prerequisites
To begin generating a CSR and setting up SSL on GlassFish, the following prerequisites must be met:
- You must have GlassFish installed and running.
- You must have the Java Development Kit (JDK) installed; the JDK includes the keytool.
- You must have administrative privileges to the GlassFish domain directory.
- You must have a Fully Qualified Domain Name (FQDN) for your website or web application.
- You must have the appropriate permissions to make changes to the keystore.jks and domain.xml files.
- You should have some familiarity with working from the command line.
Steps to Generate a CSR on GlassFish Server
Step 1: Review the Default Keystore
Newly created GlassFish domains already include a self-signed certificate in:
DOMAIN_DIR/config/keystore.jks
The default keystore password is changeit, and the default certificate alias is s1as.
To view existing certificates, run:
keytool -list -keystore keystore.jks
Enter the default password changeit when prompted.
You should see an entry similar to:
s1as, Dec 28, 2010, PrivateKeyEntry
GlassFish references this alias (s1as) in several places within the domain.xml file. These references can be updated later to point to your new certificate alias.
Step 2: Change the Default Keystore Password (Recommended)
For security reasons, it is strongly recommended to change the default keystore password.
Run:
keytool -storepasswd -keystore keystore.jks
When prompted:
- Enter the old password: changeit
- Enter and confirm a new strong password
This password becomes the master password for your keystore. You will be asked for it during every keystore operation and when starting your GlassFish domain. Store it securely.
Step 3: Generate a New Private Key Entry
Create a new private key entry in keystore.jks using your domain information:
keytool -keysize 2048 -genkey -alias mydomain.com -keyalg RSA -dname "CN=mydomain.com,O=Company,L=City,S=State,C=Country" -keystore keystore.jks
Notes:
- Use a minimum key size of 2048 bits
- Replace mydomain.com with your actual domain name
- Replace the organization details with your real company information
- The alias (mydomain.com) will be used later for CSR creation and certificate installation
- Enter your keystore password when prompted
Step 4: Generate the CSR File
Using the alias that you created for the self-signed certificate in Step 3, create the Certificate Signing Request (CSR) file with the following command:
keytool -certreq -alias mydomain.com -keystore keystore.jks -file cert_req.csr
You will be prompted to enter your keystore password. The resulting cert_req.csr file contains the CSR that you submit to the Certificate Authority.
Step 5: Submit the CSR to a Certificate Authority
- Open the cert_req.csr file in an editor such as Notepad or Vim.
- Copy everything between the lines shown below:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
- Paste the copied CSR into the SSL Certificate order or validation form on the CA’s website.
Depending on which type of certificate you ordered (DV, OV/BV, or EV), the time frame for receiving a certificate from the CA varies:
- DV certificates typically take only a few minutes.
- OV or EV certificates may take several business days to receive.
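Steps 1 to 4 can also be run non-interactively, with a check on the CSR file before it is pasted into the CA form. The script below is an added example, not part of the original guide or of GlassFish; the function names and the KS_PASS environment variable are assumptions, and keytool must be on PATH.

```shell
# Added example (not GlassFish tooling). Function names and the KS_PASS
# environment variable are assumptions; keytool must be on PATH.
# Passwords go through -storepass:env so they stay out of the process list.

# Steps 1-2: succeeds if the keystore still opens with the default password.
uses_default_password() {   # $1 = keystore path
  KS_DEFAULT=changeit keytool -list -keystore "$1" \
    -storepass:env KS_DEFAULT >/dev/null 2>&1
}

# Steps 3-4: add a 2048-bit RSA key entry, write its CSR, and confirm that
# keytool can read the request back.
make_csr() {   # $1 = keystore, $2 = alias, $3 = dname, $4 = CSR file
  if uses_default_password "$1"; then
    echo "refusing: $1 still opens with the default password" >&2
    return 2
  fi
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -dname "$3" \
    -keystore "$1" -storepass:env KS_PASS -keypass:env KS_PASS || return 1
  keytool -certreq -alias "$2" -keystore "$1" -storepass:env KS_PASS \
    -file "$4" || return 1
  keytool -printcertreq -file "$4" >/dev/null
}

# Step 5: the CSR must begin and end with the exact five-hyphen markers and
# hold only base64 in between. Editors or forms that convert "-----" into
# typographic dashes produce a request the CA cannot parse.
csr_pem_ok() {   # $1 = CSR file
  first=$(sed -n '1p' "$1" | tr -d '\r')
  last=$(sed -n '$p' "$1" | tr -d '\r')
  [ "$first" = "-----BEGIN NEW CERTIFICATE REQUEST-----" ] || return 1
  [ "$last" = "-----END NEW CERTIFICATE REQUEST-----" ] || return 1
  body=$(sed '1d;$d' "$1" | tr -d '\r\n')
  [ -n "$body" ] || return 1
  if printf '%s' "$body" | grep -q '[^A-Za-z0-9+/=]'; then
    return 1
  fi
  return 0
}
```

With KS_PASS exported, run make_csr keystore.jks mydomain.com "CN=mydomain.com,O=Company,L=City,S=State,C=Country" cert_req.csr from DOMAIN_DIR/config, then csr_pem_ok cert_req.csr before copying the request.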
Conclusion
Generating a CSR on your GlassFish Server is pivotal to securing your application with SSL/TLS by enabling HTTP Secure (HTTPS) encryption and protecting the confidentiality of your users and transactions.
To accomplish this, you must first review and secure the default keystore, create a new private key entry, and finally generate a CSR for your server so it can be verified by a trusted Certificate Authority (CA).
Once you receive your certificate from the CA, follow the steps to install it into your GlassFish Server and set up the certificate to activate HTTPS and secure the transport of sensitive information.