CSR generation and certificate installation: Glassfish 4.x

1. Create a keystore:

Use the following command to create a keystore:

> keytool -genkey -alias youralias -keyalg RSA -keystore yourkeystorename.jks -keysize 2048
Note: You will be asked to enter the password for the keystore when you run the above command. The password of the newly created keystore must match the master password of Glassfish, since the master password is used to access the certificate keystore. The default master password is "changeit" and can be changed using the "change-master-password" subcommand.

You will then be asked to enter the following information. Make sure that the information you fill in here matches what you provided to us at the time of purchase.

What is your first and last name? = Your domain name (e.g. www.Sectigo.com)
What is the name of your organizational unit? = Your department (e.g. IT)
What is the name of your organization? = Your organization (e.g. Sectigo CA Ltd)
What is the name of your City or Locality? = Your city (e.g. Clifton)
What is the name of your State or Province? = Your state (e.g. New Jersey)
What is the two-letter country code for this unit? = Your country code (e.g. USA)

When all of these fields have been filled in, a summary is displayed so that you can confirm its accuracy. Type y and press Enter. You will then be asked to enter the key password for your alias. Simply press the Enter key to keep the key password the same as the keystore password.

2. Generate a CSR from the keystore:

Use the following command to generate a CSR:

> keytool -certreq -alias youralias -file yourcsrname.csr -keystore yourkeystorename.jks

Note: Make sure that you specify the same values as in the previous command for [youralias] and [yourkeystorename].

3. Submit the CSR to the CA:

If you purchased the certificate directly from Sectigo, please log in to your account and upload the CSR contents in the required order.

4. Import the certificates into the keystore:

When you have received the Sectigo certificate files, it is time to import them into the keystore. You can import PEM-encoded, PKCS #7, or DER-encoded .CER certificate files into the keystore.

  • PEM

When you have received the four certificate files in a ZIP archive, run the following commands.

> keytool -import -v -trustcacerts -alias root -file addtrustexternalcaroot.crt -keystore yourkeystorename.jks

> keytool -import -v -trustcacerts -alias USERTrustRSAAddTrustCA -file USERTrustRSAAddTrustCA.crt -keystore yourkeystorename.jks

> keytool -import -v -trustcacerts -alias SectigoRSADomainValidationSecureServerCA -file SectigoRSADomainValidationSecureServerCA.crt -keystore yourkeystorename.jks

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.crt -keystore yourkeystorename.jks
Note: Each certificate file must be imported with a unique alias value and the alias of the domain certificate must match the keystore alias.


  • PKCS #7

You can install the domain certificate (CRT) file on a (current) Windows computer and then export the p7b file.

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.p7b -keystore yourkeystorename.jks


  • DER Encoded .CER

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.cer -keystore yourkeystorename.jks
Note: The above command only works under Java 7 and higher

5. Import the original keystore into the default keystore:

After the certificates have been successfully imported into the keystore, the certificates and the corresponding private key must be moved into the Glassfish default keystore named "keystore.jks". This file is normally located in the glassfish4/glassfish/domains/domain1/config directory, although the path to this file may vary slightly depending on the Glassfish installation folder and operating system. The following keytool command should be used to import one keystore into another:

> keytool -importkeystore -srckeystore yourkeystorename.jks -destkeystore keystore.jks
NOTE: Since the destination keystore password and the Glassfish master password must match, make sure you use the same passwords for the source and destination keystores. If they differ, the Glassfish master password can be changed using the "change-master-password" subcommand, specifying the source keystore password. This action also updates the password of the destination keystore.
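
Steps 1 and 2 can also be run without prompts, and the alias rule from step 4 can be checked before the keystore is copied in step 5. The script below is an added example, not part of the original article or of Sectigo's or Glassfish's tooling; the function names, the KS_PASS variable and the www.example.com subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed names: KS_PASS, make_keystore_and_csr,
# csr_subject, alias_entry_type, demo.

# Steps 1-2 without prompts. The password is read from the KS_PASS
# environment variable through keytool's ":env" modifier, so it does not
# appear in the process list or in shell history.
make_keystore_and_csr() {   # args: keystore alias dname csr-file
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 \
        -dname "$3" -keystore "$1" \
        -storepass:env KS_PASS -keypass:env KS_PASS &&
    keytool -certreq -alias "$2" -file "$4" -keystore "$1" \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# Subject line of a CSR, to compare with what was given at purchase.
csr_subject() {             # args: csr-file
    keytool -printcertreq -file "$1" | grep 'CN='
}

# Entry type of an alias: PrivateKeyEntry or trustedCertEntry.
# After step 4 the domain alias must still be a PrivateKeyEntry. If the
# domain certificate was imported under a different alias it is stored as
# a trustedCertEntry, and Glassfish has no private key to serve it with.
alias_entry_type() {        # args: keystore alias
    keytool -list -alias "$2" -keystore "$1" -storepass:env KS_PASS 2>/dev/null |
        grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Demo with constructed values in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    KS_PASS=changeit; export KS_PASS   # default master password named above
    make_keystore_and_csr "$d/yourkeystorename.jks" youralias \
        "CN=www.example.com, OU=IT, O=Example Ltd, L=Clifton, ST=New Jersey, C=US" \
        "$d/yourcsrname.csr" &&
    csr_subject "$d/yourcsrname.csr" &&
    alias_entry_type "$d/yourkeystorename.jks" youralias
    rc=$?; rm -rf "$d"; return $rc
}

# Run the demo only where keytool is installed.
if command -v keytool >/dev/null 2>&1; then demo; fi
```

Running alias_entry_type against the real keystore after the imports in step 4 should print PrivateKeyEntry for youralias and trustedCertEntry for the root and intermediate aliases.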

6. Configure HTTP Listener-2:

In the Glassfish Admin console, go to Configurations -> Server Configuration -> http-Listener-2 and:

  1. Under the General tab, change the port from 8181 to 443 (unless you want to use a different port)
  2. Under the SSL tab, change the Certificate Nickname from s1as to the alias of the main certificate (youralias) (which should be the same as the keystore alias)
  3. Save

8. Check the installation:

Use the Qualys SSL Server Test tool to get a short report on the security settings and the certificate installation of your server. Open the /config/domain.xml file and replace all references to s1as with the alias of the installed certificate (youralias).
