Installing a CA-signed certificate for GlassFish

Posted: 2008-08-09

Instead of using a self-signed certificate with GlassFish, we want to use one that is signed by a certificate authority.

Throughout this post, keystore.jks is the keystore found in the GlassFish domain config, e.g. glassfish/domains/domain1/config/keystore.jks

First - generate a keypair (this will generate a full self-signed certificate)

keytool -genkeypair -keyalg RSA -keystore keystore.jks -storepass changeit -validity 365

Then - generate a signing request (<alias> is the alias of the key pair generated above)

keytool -certreq -alias <alias> -file newreq.pem -keystore keystore.jks -storepass changeit

Send the generated certificate request off for signing (or sign it yourself if using a self-generated CA).

The Sun blog has a Java app that replaces the self-signed certificate in the keystore with the signed one. That source file is attached to this post, along with a copy compiled with JDK 6.

This seems to want the certificate in DER form - not PEM.

openssl x509 -in newcert.pem -inform PEM -out newcert.der -outform DER

java -cp . ReplaceCertInKeystore newcert.der keystore.jks changeit

You can check if this is successful:

keytool -list -v -alias <alias> -keystore keystore.jks -storepass changeit

In the output of this command - check to see the details under "Issuer". This should be the details of the signing authority.
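The Issuer check above can be scripted. The following is an added example, not part of the original post or the Sun tool: the function name check_keystore_entry and the sample listings are constructed for illustration. It also flags the case where the signed certificate ended up as a trusted-certificate entry with no private key attached.

```shell
#!/bin/sh
# Added example. Classifies the first certificate in `keytool -list -v` output
# read from stdin. Prints: ca-signed | self-signed | no-private-key | unparsed
check_keystore_entry() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF output
        /^Entry type: / && etype == ""  { etype  = substr($0, 13) }
        /^Owner: /      && owner == ""  { owner  = substr($0, 8) }
        /^Issuer: /     && issuer == "" { issuer = substr($0, 9) }
        END {
            # Older JDKs label a private-key entry "keyEntry".
            if (owner == "" || issuer == "") print "unparsed"
            else if (etype != "PrivateKeyEntry" && etype != "keyEntry") print "no-private-key"
            else if (owner == issuer) print "self-signed"
            else print "ca-signed"
        }'
}
# Constructed sample listings (not real keystore output).
sample_self_signed() {
cat <<'EOF'
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example, C=US
Issuer: CN=www.example.test, O=Example, C=US
EOF
}
sample_ca_signed() {
cat <<'EOF'
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test, O=Example, C=US
Issuer: CN=Example Test CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Test CA, O=Example, C=US
Issuer: CN=Example Test CA, O=Example, C=US
EOF
}
sample_trusted_only() {
cat <<'EOF'
Alias name: newcert
Entry type: trustedCertEntry
Owner: CN=www.example.test, O=Example, C=US
Issuer: CN=Example Test CA, O=Example, C=US
EOF
}
```

Pipe the output of the keytool -list -v command above into check_keystore_entry; anything other than ca-signed means the replacement did not take effect on the private-key entry.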