This was kind of problematic for me and my colleagues, so after I manage to set our SSL certificate, I decided to share the story.
Before doing anything, back up the files under
- Generating a private key
- Creating a Certification Signing Request (CSR)
- Sending the CSR to a certificate authority
- Importing your signed certificate
- Setting necessary Glassfish configuration
First, we let’s create our private key. You can directly work on the existing keystore shipped with Glassfish, or you can create a new keystore and then import it to Glassfish’s keystore. To be more safe, I created a new keystore and generated the private key on that:
Now our private key is generated in keystore.jks file. I used keypass ‘changeit’ as key password and keystore password for now.
This results in a certificate signing request, server.csr. Now we have two files :
Next step is uploading server.csr file to one of the certificate authorities (I used Godaddy and I was pretty happy with their service) and receiving signed certificate. Certificate authorities looks for the whois record of your domain and if they find a technical representative email address, they send the signed certificate to that email. If there is no email address (like one of the domains I set up the SSL), they give you a code (like abcd123) and require you to either add a subdomain with that code or add a html page named with the code (and also with the content filled with the code).
From certificate authority, you should generally receive two files
- Your signed certificate : generally named as yourdomain.com.crt
- Root certificate of your certificate (you might receive more than one. In some cases certification authority sends the intermediate certificates) : Godaddy names it gd_bundle.crt
Next step is importing the keystore I used into the Glassfish’s keystore:
Now, the final step done on keystore is importing the signed certificate. First, we gotta switch to Glassfish’s keystore and import the root certificate:
Then, import the signed certificate of yours:
Now we’re done with the keystore. You should have something like this:
Final step of the whole process is using our domain alias as the “certificate nickname” on GlassFish: