openssl

Importing custom CA certificates to OSX


For my own sites I use SSL certificates signed by my own CA.

The CA certificate needs to be imported on the machines where I use the websites, and on Mac OSX it needs to go into the system keychain, not the user's keychain.

Importing via Keychain Access sometimes fails with cryptic error codes.

Here's how to do it via the command line:

sudo security import <certificate-file> -k /Library/Keychains/System.keychain

Installing a CA signed certificate for glassfish

Instead of using a self-signed certificate with glassfish (see Creating new SSL keys with keytool for glassfish) - we want to use one that is signed by a certificate authority.

Based on http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2

For this entire post - the keystore.jks file is the one found in the glassfish domain config - e.g. glassfish/domains/domain1/config/keystore.jks

signed by my own CA

I've been using self-signed certificates for a while, but that means getting the users to approve them each time they change. Instead, let's generate a Certificate Authority (CA) certificate with a reasonably long life and get them to install that; new certificates signed with it will then be valid for them.

We will set up a CA area in /etc/ssl/ca and then create a certificate signed with this.

Setup
We're going to use the script CA.pl, which on Debian is installed in /usr/lib/ssl/misc. But - we need to make some changes

Unable to import openssl key to java keystore

UPDATE - progress - see end of article

I have an openssl self-signed certificate for some websites. These are based on an openssl RSA key. I can use them successfully as client keys - but - it seems that glassfish (perhaps all others - I don't know) needs the key in the keystore as well as the certificate.

So - I have an RSA key file and a PEM certificate file.
