How to Install an SSL Certificate on GlassFish?
Planning to install an SSL certificate on GlassFish but don’t know how? Don’t worry; we will help you out. You can follow a straightforward process that only involves five steps, and here are those five steps:
- Unzipping and extracting the files
- Uploading the extracted files to the GlassFish server
- Importing keystore into GlassFish default keystore
- Entering passwords
- Updating the configuration of your server
One prerequisite must be completed before we start understanding the installation process: CSR Generation. Hence, let’s begin the process from the beginning to get a clear picture of how things are done.
CSR Generation for GlassFish
If you are new to SSL certificates, it helps to know what a CSR is before going further. CSR stands for “Certificate Signing Request.” It is a block of encoded text sent to the CA so that it can verify the company’s or website’s identity.
Now, back to the question of how to generate a CSR. There are two ways to do it, and you can use either one:
- Use a CSR Generator tool to generate CSR automatically.
- Do it manually
Note: If you generate the CSR manually, make sure all the information you provide in it is current and correct, or else the CA will not sign your certificate.
After generating the CSR, open the file in a text editor like Notepad or TextPad and review it for typos or spelling mistakes. Once you are sure there are no mistakes, send it to a CA.
How long the certificate files take to reach you depends on the type of validation you have selected for your website. Once you have received the certificate, import all the files into the keystore that contains your private key. (It’s the same keystore you used to generate your CSR.) With this, the prerequisite is complete, and we can finally move to the installation process.
Installing an SSL Certificate on GlassFish
For a better understanding, let’s go through the installation process in the form of steps:
Step 1: Unzipping and Extracting the Files
Open or double-click the .zip folder and extract the certificate files. Once you have unzipped and extracted the files, you will notice that the files are available in two formats:
- PEM (.ca-bundle and .crt)
- PKCS#7 (.cer files and .p7b)
Step 2: Uploading the Extracted Files to the GlassFish Server
Choose a single format and start the uploading process. If you choose PEM, follow the steps mentioned in Scenario 1 or directly move to Scenario 2 if you have selected the PKCS#7 format.
Scenario 1:
Step 1: Import the Root and Intermediate Certificates (CA bundle) by using the command given below:
keytool -import -trustcacerts -alias ca -file file.ca-bundle -keystore mykeystore.jks
Note: The alias used here and the keystore alias must not be the same.
Step 2: After importing the CA bundle, import the SSL certificate with the command below:
keytool -import -trustcacerts -alias myalias -file file.crt -keystore mykeystore.jks
Note: The alias and keystore alias names should be the same.
Scenario 2:
Step 1: Use the command given below to import all the files in one go:
keytool -import -trustcacerts -alias myalias -file file.p7b -keystore mykeystore.jks
Note: You will be prompted to enter the keystore password. Make sure that the alias (myalias) matches the alias set for your keystore. (If you have doubts, use this command: “keytool -list -v -keystore mykeystore.jks” to see the alias name.)
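The alias notes above matter because a certificate imported under the wrong alias lands as a separate trusted-certificate entry instead of being attached to the private key. The following check is an added example, not part of the original guide: it reads the output of the “keytool -list -v” command mentioned above and classifies one alias. The function name, the alias oldkey and the sample listing are constructed for illustration, and it assumes a correctly installed certificate shows a chain of at least two certificates.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Reads `keytool -list -v` output on stdin and classifies one alias:
#   ok                PrivateKeyEntry with a chain of 2+ certificates
#   chain-incomplete  PrivateKeyEntry still holding a single certificate
#   not-a-key-entry   alias exists but is only a trustedCertEntry
#   missing           alias not present in the keystore
check_alias_entry() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13) }
        /^Entry type: /               { if (cur == want) etype = $3 }
        /^Certificate chain length: / { if (cur == want) len = $4 + 0 }
        END {
            if (etype == "")                     print "missing"
            else if (etype != "PrivateKeyEntry") print "not-a-key-entry"
            else if (len < 2)                    print "chain-incomplete"
            else                                 print "ok"
        }'
}

# Constructed sample listing, trimmed to the fields the check reads.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 3 entries

Alias name: ca
Creation date: Jan 10, 2024
Entry type: trustedCertEntry

Alias name: myalias
Creation date: Jan 10, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3

Alias name: oldkey
Creation date: Jan 2, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

for a in myalias ca oldkey nosuch; do
    printf '%s: %s\n' "$a" "$(sample_listing | check_alias_entry "$a")"
done
# Real use: keytool -list -v -keystore mykeystore.jks | check_alias_entry myalias
```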
Step 3: Importing Keystore into GlassFish Default Keystore
After preparing the keystore, your next step is to import it into the default GlassFish keystore. If you don’t know where to find it, it is located at the path given below:
glassfish4/glassfish/domains/domain1/config/keystore.jks
Note: domain1 is created by default by the GlassFish server. If you are planning to add another domain, use the GlassFish directory rather than the default directory.
You can use the command given below to import one keystore into another:
keytool -importkeystore -srckeystore mykeystore.jks -destkeystore keystore.jks
Step 4: Entering Passwords
The GlassFish keystore password and the GlassFish master (domain) password must be the same, or else the SSL certificate won’t work.
Step 5: Updating the Configuration of Your Server
To enable the new SSL certificate, you need to update the configuration of your GlassFish server. As in Step 2, there are two methods to do this:
- Using Administration Console
- Editing the domain.xml file manually.
If you plan to use the console, follow the steps mentioned in Scenario 1 or directly move to Scenario 2 if you have chosen to do it manually.
Scenario 1:
Step 1: Enable the secure administration feature by running the command below:
asadmin enable-secure-admin yoursite.com
Note: Don’t use “yoursite.com” as shown in the command; instead, use your domain name.
Step 2: Access the Administration Console by connecting to https://yoursite.com:4848.
Step 3: Disregard the warning prompt and follow the path given below:
Configurations > server-config > HTTP Service > HTTP Listeners > http-listener-2:
Step 4: Navigate to the “SSL” tab and enter the certificate alias in the Certificate Nickname field (the keystore alias and the certificate alias are the same). Then, on the General tab, change the HTTPS port from 8181 (the default) to 443.
Scenario 2:
If you don’t know the location of the domain.xml file, you can follow this path:
glassfish4/glassfish/domains/domain1/config/domain.xml.
Step 1: Stop the GlassFish service so that you can safely perform the update, using the command given below:
asadmin stop-domain yoursite.com
Note: Replace “yoursite.com” with the actual domain name.
Step 2: Open the domain.xml file. You can use any text editor for this.
Step 3: Use the find option (Ctrl+F) to find the value s1as and substitute it with the certificate alias (myalias).
Step 4: After saving the file, initiate the domain by using the command below:
asadmin start-domain yoursite.com
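A manual find-and-replace in domain.xml can easily miss one occurrence, leaving a listener on the old alias. The following check is an added example, not part of the original guide: it lists which certificate alias each protocol block in domain.xml references and names the ones that do not use the expected alias. The function names and the sample file are constructed, and the script assumes domain.xml keeps one element per line with the alias stored in a cert-nickname attribute.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Prints "<protocol name> <cert-nickname>" for every ssl element that sits
# inside a <protocol> block. Assumes one XML element per line.
nicknames_by_protocol() {
    awk '
        /<protocol / && match($0, / name="[^"]*"/) {
            proto = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<\/protocol>/ { proto = "" }
        proto != "" && match($0, /cert-nickname="[^"]*"/) {
            print proto, substr($0, RSTART + 15, RLENGTH - 16)
        }' "$1"
}

# Names of protocols whose alias differs from the expected one.
# Empty output means every SSL-enabled protocol was updated.
protocols_not_using() {
    nicknames_by_protocol "$1" | awk -v want="$2" '$2 != want { print $1 }'
}

# Constructed sample: only http-listener-2 was edited, one block was missed.
write_sample() {
    cat > "$1" <<'EOF'
<protocols>
  <protocol name="http-listener-1">
    <http default-virtual-server="server"></http>
  </protocol>
  <protocol name="http-listener-2" security-enabled="true">
    <http default-virtual-server="server"></http>
    <ssl cert-nickname="myalias"></ssl>
  </protocol>
  <protocol name="sec-admin-listener" security-enabled="true">
    <http default-virtual-server="__asadmin"></http>
    <ssl cert-nickname="s1as"></ssl>
  </protocol>
</protocols>
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
nicknames_by_protocol "$tmp"          # alias used by each SSL protocol
protocols_not_using "$tmp" myalias    # protocols still on another alias
rm -f "$tmp"
```

Against a real installation, pass the domain.xml path shown above as the first argument and the certificate alias as the second.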
Testing the Installation
It is always advisable to check or test the certificate’s installation status. To do this, use SSL Checker. If there are any vulnerabilities or potential errors, you can find them instantly and get a detailed report using this tool.