In this tutorial we will be reusing a "star" or "wildcard" SSL/TSL certificate ( http://en.wikipedia.org/wiki/Wildcard_certificate ) from Apache on Glassfish.

Gather required files from Apache (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile)

Before you can begin, you'll need to gather three files from your Apache server. To use the Apache terminology:

In this tutorial, we're storing all these files in /tmp/certs but the key especially should be kept secure:

[root@dvn-vm2 config]# ls -1d /tmp/certs/*
/tmp/certs/server-chain.crt
/tmp/certs/server.crt
/tmp/certs/server.key

Navigate to the "config" directory of domain1 on Glassfish

In my case, I installed Glassfish using glassfish-3.1.2.2.zip

[root@dvn-vm2 glassfish3]# cd glassfish/domains/domain1/config
[root@dvn-vm2 config]# 

Probably it's best to stop Glassfish at this point:

[root@dvn-vm2 config]# ../../../bin/asadmin stop-domain

List entries in keystore.jks

As a sanity check, we first list the entries in the Glassfish keystore.jks before we make any changes to it.

Now would be a good time to back it up. :)

[root@dvn-vm2 config]# keytool -list -keystore keystore.jks -storepass changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

glassfish-instance, Jul 11, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): BE:DE:57:FF:BC:E2:32:AA:85:4C:4C:BD:6F:BC:EC:DE
s1as, Jul 11, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): 52:BC:A6:6D:31:15:8E:6F:64:AA:14:E7:20:29:B1:AA
[root@dvn-vm2 config]# 

Construct a CAfile

cat /tmp/certs/server-chain.crt /etc/ssl/certs/ca-bundle.crt > /tmp/certs/ca.crt

Created intermediary pkcs12 keystore from SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile files

This step and the one following comes primarily from http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i/8224863#8224863

[root@dvn-vm2 config]# openssl pkcs12 -export -in /tmp/certs/server.crt -inkey /tmp/certs/server.key -out /tmp/certs/server.p12 -name some-alias -CAfile /tmp/certs/ca.crt -caname root -password pass:some-password -chain

No output is expected since we supplied the openssl export password on the command line.

We use --chain so that we see something other than 1 for "Certificate chain length" in the output keytool -list and to satisfy some browsers as described at http://i-cat.blogspot.com/2009/02/glassfish-and-intermediate-ssl.html

Import the pks12 keystore into Glassfish's keystore.jks

Please not that we need the export password from above to import the pks12 keystore:

[root@dvn-vm2 config]# keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore /tmp/certs/server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias some-alias

Note that a new entry has been added to keystore.jks

We called the entry "some-alias" because that's what was used in the Stack Overflow post but we could have used anything.

Use -v for verbose output, such as to see the certificate chain.

[root@dvn-vm2 config]# keytool -list -keystore keystore.jks -storepass changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

some-alias, Nov 4, 2013, PrivateKeyEntry, 
Certificate fingerprint (MD5): 8B:C7:89:D0:F4:F8:1C:F6:10:EC:B6:2C:D8:5D:4B:F4
glassfish-instance, Jul 11, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): BE:DE:57:FF:BC:E2:32:AA:85:4C:4C:BD:6F:BC:EC:DE
s1as, Jul 11, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): 52:BC:A6:6D:31:15:8E:6F:64:AA:14:E7:20:29:B1:AA
[root@dvn-vm2 config]# 

Reconfigure Glassfish to use the new certificate

Search and replace "s1as" with the name of your alias (i.e. "some-alias") in domain.xml. Here is an example change.

[root@dvn-vm2 config]# diff domain.xml.self-signed domain.xml | head -4
82c82
<           <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" />
---
>           <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="some-alias" />
[root@dvn-vm2 config]# 

Start Glassfish and verify the cert in your browser

[root@dvn-vm2 config]# ../../../bin/asadmin start-domain

Home | About | Sitemap | Recent changes | © 2016 Philip Durbin | @philipdurbin | philipdurbin@gmail.com