In this tutorial we will be reusing a "star" or "wildcard" SSL/TSL certificate ( http://en.wikipedia.org/wiki/Wildcard_certificate ) from Apache on Glassfish.
- Gather required files from Apache (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile)
- Navigate to the "config" directory of domain1 on Glassfish
- List entries in keystore.jks
- Construct a CAfile
- Created intermediary pkcs12 keystore from SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile files
- Import the pks12 keystore into Glassfish's keystore.jks
- Note that a new entry has been added to keystore.jks
- Reconfigure Glassfish to use the new certificate
- Start Glassfish and verify the cert in your browser
Gather required files from Apache (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile)
Before you can begin, you'll need to gather three files from your Apache server. To use the Apache terminology:
- SSLCertificateFile (server.crt) Server PEM-encoded X.509 Certificate file http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatefile
- SSLCertificateKeyFile (server.key) Server PEM-encoded Private Key file http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatekeyfile
- SSLCertificateChainFile (server-chain.crt) File of PEM-encoded Server CA Certificates http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatechainfile
In this tutorial, we're storing all these files in /tmp/certs but the key especially should be kept secure:
[root@dvn-vm2 config]# ls -1d /tmp/certs/*
/tmp/certs/server-chain.crt
/tmp/certs/server.crt
/tmp/certs/server.key
Navigate to the "config" directory of domain1 on Glassfish
In my case, I installed Glassfish using glassfish-3.1.2.2.zip
[root@dvn-vm2 glassfish3]# cd glassfish/domains/domain1/config
[root@dvn-vm2 config]#
Probably it's best to stop Glassfish at this point:
[root@dvn-vm2 config]# ../../../bin/asadmin stop-domain
List entries in keystore.jks
As a sanity check, we first list the entries in the Glassfish keystore.jks before we make any changes to it.
Now would be a good time to back it up. :)
[root@dvn-vm2 config]# keytool -list -keystore keystore.jks -storepass changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
glassfish-instance, Jul 11, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): BE:DE:57:FF:BC:E2:32:AA:85:4C:4C:BD:6F:BC:EC:DE
s1as, Jul 11, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 52:BC:A6:6D:31:15:8E:6F:64:AA:14:E7:20:29:B1:AA
[root@dvn-vm2 config]#
Construct a CAfile
cat /tmp/certs/server-chain.crt /etc/ssl/certs/ca-bundle.crt > /tmp/certs/ca.crt
Created intermediary pkcs12 keystore from SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile files
This step and the one following comes primarily from http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i/8224863#8224863
[root@dvn-vm2 config]# openssl pkcs12 -export -in /tmp/certs/server.crt -inkey /tmp/certs/server.key -out /tmp/certs/server.p12 -name some-alias -CAfile /tmp/certs/ca.crt -caname root -password pass:some-password -chain
No output is expected since we supplied the openssl export password on the command line.
We use --chain so that we see something other than 1 for "Certificate chain length" in the output keytool -list and to satisfy some browsers as described at http://i-cat.blogspot.com/2009/02/glassfish-and-intermediate-ssl.html
Import the pks12 keystore into Glassfish's keystore.jks
Please not that we need the export password from above to import the pks12 keystore:
[root@dvn-vm2 config]# keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore /tmp/certs/server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias some-alias
Note that a new entry has been added to keystore.jks
We called the entry "some-alias" because that's what was used in the Stack Overflow post but we could have used anything.
Use -v for verbose output, such as to see the certificate chain.
[root@dvn-vm2 config]# keytool -list -keystore keystore.jks -storepass changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
some-alias, Nov 4, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 8B:C7:89:D0:F4:F8:1C:F6:10:EC:B6:2C:D8:5D:4B:F4
glassfish-instance, Jul 11, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): BE:DE:57:FF:BC:E2:32:AA:85:4C:4C:BD:6F:BC:EC:DE
s1as, Jul 11, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 52:BC:A6:6D:31:15:8E:6F:64:AA:14:E7:20:29:B1:AA
[root@dvn-vm2 config]#
Reconfigure Glassfish to use the new certificate
Search and replace "s1as" with the name of your alias (i.e. "some-alias") in domain.xml. Here is an example change.
[root@dvn-vm2 config]# diff domain.xml.self-signed domain.xml | head -4
82c82
< <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" />
---
> <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="some-alias" />
[root@dvn-vm2 config]#
Start Glassfish and verify the cert in your browser
[root@dvn-vm2 config]# ../../../bin/asadmin start-domain