Self-signed certificate in Glassfish Web Server

April 14th, 2011 by Chandra

Use keytool to generate, import, and export certificates. Unless you pass -keystore, keytool reads and creates a keystore file named .keystore in your home directory, not in the directory where it is run, so pass -keystore explicitly when you want to work on the GlassFish keystore. The keytool utility is in the bin directory of the JDK installation.

Note: When you install GlassFish, it creates a default self-signed server certificate under the alias s1as, issued to localhost.

Delete existing certificate:

Type the following command to delete the default self-signed certificate. Run it in the directory that holds keystore.jks (by default domain-dir/config) or give the full path to the keystore:

keytool -delete -alias s1as -keystore keystore.jks -storepass <store_passwd>

Generate self-signed certificate

Step 1: Type the following command to create a new key pair and a self-signed certificate for it under the alias test (add -keystore keystore.jks to put it in the GlassFish keystore instead of ~/.keystore):
keytool -genkey -alias test

Answer the prompts; the answers become the subject DN of the certificate.

Enter keystore password: p@ssw0rd!
What is your first and last name?
[Unknown]: Chandra
What is the name of your organizational unit?
[Unknown]: CompanyName
What is the name of your organization?
[Unknown]: CompanyName
What is the name of your City or Locality?
[Unknown]: Gurgaon
What is the name of your State or Province?
[Unknown]: HR
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=Chandra, OU=CompanyName, O=CompanyName, L=Gurgaon, ST=HR, C=IN correct?
[no]: yes
Enter key password for <test> (RETURN if same as keystore password):

Import certificate

A certificate can be imported into a keystore with keytool. Type the following command to import the certificate in test.cer under the alias test (if that alias already holds a key pair, keytool treats the file as a certificate reply for that key pair; otherwise it adds a trusted-certificate entry):
keytool -storepass <store_passwd> -alias test -import -file test.cer

Generate expired certificate

keytool's default validity is 90 days, and -validity cannot be 0; the shortest validity you can request is 1 day. Create the certificate with a one-day validity, and once that day has passed you have an expired certificate for testing:

keytool -genkey -alias test -validity 1

keytool from JDK 7 onwards also accepts -startdate, so -genkey -alias test -startdate -2d -validity 1 produces a certificate that is already expired when it is created.

Generate certificate without trusted root

Follow the first step. A self-signed certificate is signed by its own key, so no certificate authority vouches for it; a client whose trust store does not contain it rejects it as issued by an unknown authority.

Generate certificate with invalid CN

Follow the first step and, when keytool asks for your first and last name, enter any name that does not match the hostname clients will use to reach the server. The CN is what clients compare against the hostname, so the mismatch produces a name-mismatch warning when they connect.
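The three test certificates above (self-signed with no trusted root, expired, wrong CN) exist to exercise the checks a client performs on a server certificate. The following Go program is an added example, not code from the original post or from GlassFish: it builds each certificate with the standard library's crypto/x509 instead of keytool and reports which check a client fails on. The hostname localhost and the name wrong.example.invalid are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const testHost = "localhost" // assumed: the name the post's default certificate is issued to

// selfSignedCert does what `keytool -genkey` does for a new alias: it generates a
// key pair and signs a certificate for that key with the key itself. cn goes into
// the subject CN and into a DNS SAN (modern clients match on SANs, not the CN), and
// the validity window is explicit so an already-expired certificate can be made.
func selfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"CompanyName"}},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The template is its own parent and the signer is its own key: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verdict runs the checks a TLS client runs on a server certificate (validity
// period, hostname, chain to a trusted root) and names the first failure. These
// are the failures the post's test certificates are built to trigger.
func verdict(cert *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var invalid x509.CertificateInvalidError
	var badName x509.HostnameError
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &badName):
		return "name mismatch"
	case errors.As(err, &unknownCA):
		return "untrusted root"
	default:
		return "rejected: " + err.Error()
	}
}

// demo builds the three test certificates the post describes and returns the
// verdict a client reaches for each, plus the verdict for the same self-signed
// certificate once the client has been told to trust it.
func demo() (map[string]string, error) {
	now := time.Now()
	selfSigned, err := selfSignedCert(testHost, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		return nil, err
	}
	expired, err := selfSignedCert(testHost, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		return nil, err
	}
	wrongName, err := selfSignedCert("wrong.example.invalid", now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	// Empty trust store: nothing vouches for a certificate that signed itself.
	out["self-signed, not trusted"] = verdict(selfSigned, testHost, x509.NewCertPool())
	// A client that has imported all three still rejects two of them, for
	// reasons that have nothing to do with trust.
	trusted := x509.NewCertPool()
	trusted.AddCert(selfSigned)
	trusted.AddCert(expired)
	trusted.AddCert(wrongName)
	out["self-signed, trusted"] = verdict(selfSigned, testHost, trusted)
	out["expired"] = verdict(expired, testHost, trusted)
	out["invalid CN"] = verdict(wrongName, testHost, trusted)
	return out, nil
}
```

Each certificate is built so that exactly one check fails, which is why the expired and misnamed ones are added to the client's trust store before verification: importing a certificate into a trust store only addresses the "untrusted root" failure, and a client still refuses an expired or wrongly named certificate it trusts.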

Note: To change the location of the certificate files, use the admin console.

Always generate the certificate in the directory containing the keystore and truststore files, by default domain-dir/config.

Open the GlassFish admin console in a web browser and log in (http://localhost:4848; default user name and password: admin and adminadmin).

a)      In the Admin Console tree, select the Application Server node.

b)      Select JVM Settings.

c)      Click the JVM Options tab.

d)     On the JVM Options page, add or modify the following values in the Value field to reflect the new location of the certificate files:

-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/path/ks-name
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/path/ts-name

e)      where ks-name is the keystore file name and ts-name is the trust store file name.

f)       Click Save.

g)      Restart the Application Server if Restart Required displays in the console.

Install certificate in GlassFish server

Here are the instructions for enabling GlassFish v2 as an SSL server when the application server is configured with the developer profile.

  1. Delete the default self-signed certificate by issuing the following command (note that the commands in this and subsequent steps are shown on multiple lines for formatting purposes):

keytool -delete -alias s1as -keystore keystore.jks -storepass <store_passwd>

where <store_passwd> is the password for the keystore, for example, “mypass”. Note that s1as is the default alias of the GlassFish v2 keystore.

  2. Generate a new key pair for the application server by issuing the following command:

keytool -genkeypair -keyalg <key_alg>
-keystore keystore.jks -validity <val_days> -alias s1as

where <key_alg> is the algorithm used to generate the key pair, for example RSA (for RSA also pass -keysize 2048: keytool in JDK 7 and earlier defaults to 1024-bit RSA keys), and <val_days> is the number of days the certificate should be considered valid, for example 365. keytool prompts for the keystore password and then for a key password for the new entry; press Enter at the key-password prompt so that the key uses the keystore password, because GlassFish unlocks both the keystore and the key entry with the domain's master password (changeit by default).

Note that in addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias.

It is important that the CN of the certificate (the answer to the "first and last name" prompt) matches the fully-qualified hostname clients use to reach your site. If the names do not match, clients connecting to the server see a security alert stating that the name of the certificate does not match the name of the site. The default self-signed certificate GlassFish generated is issued to the name chosen at installation (localhost on this install), so it passes this check only for clients connecting to that name.

  3. Generate a Certificate Signing Request (CSR) by issuing the following command:

keytool -certreq -alias s1as -file <certreq_file>
-keystore keystore.jks -storepass <store_passwd>

where <certreq_file> is the file in which the CSR is stored, for example s1as.csr, and <store_passwd> is the password for the keystore, for example changeit. Send the CSR to your certificate authority; the CA returns a signed certificate (the certificate reply).

  4. Import the certificate reply from the CA (s1as.cert here) under the same alias by issuing the following command:

keytool -import -v -alias s1as -file s1as.cert -keystore keystore.jks -storepass <store_passwd>

Because the alias s1as already holds a key pair, keytool treats the import as a certificate reply to the CSR: it checks that the public key in the reply matches the key pair stored under that alias, and then replaces the original self-signed certificate with the CA-issued one. The CA's own certificate must already be trusted (present in keystore.jks, or in cacerts when you pass -trustcacerts), otherwise keytool cannot establish a chain for the reply and refuses the import.
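The CSR, CA signature and import cycle of steps 2 to 4, as an added example in Go that is not code from the original post or from GlassFish: the standard library's crypto/x509 plays both the requester (the keytool -certreq side) and the CA, and checkReply reproduces the test keytool applies when a reply is imported under an alias that already holds a key pair. The CA name Example Test CA and the hostname app.example.com are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const caName, serverHost = "Example Test CA", "app.example.com" // assumed, made-up names

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// newCA stands in for the certificate authority the CSR is submitted to.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCSR is the `keytool -certreq` step: the server's public key and names, signed with its private key.
func makeCSR(key *ecdsa.PrivateKey, host string) (*x509.CertificateRequest, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: host, Organization: []string{"CompanyName"}}, DNSNames: []string{host},
	}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// sign is the CA's side: check the requester holds the key, then issue a server certificate
// for the CSR's key and names, signed by the CA. The result is the certificate reply.
func sign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, days int) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(101), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkReply is keytool's test on -import under an existing alias: the reply must certify
// that alias's public key, or the server would present a certificate it cannot back.
func checkReply(serverKey *ecdsa.PrivateKey, reply *x509.Certificate) error {
	if pub, ok := reply.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&serverKey.PublicKey) {
		return errors.New("certificate reply does not match the key pair under this alias")
	}
	return nil
}

// runFlow walks the whole procedure for the s1as key pair and reports whether a client
// whose trust store holds only the CA accepts the installed certificate.
func runFlow() (bool, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return false, err
	}
	serverKey, err := newKey() // the key pair generated under alias s1as
	if err != nil {
		return false, err
	}
	csr, err := makeCSR(serverKey, serverHost) // keytool -certreq
	if err != nil {
		return false, err
	}
	reply, err := sign(ca, caKey, csr, 365) // what the CA sends back
	if err != nil {
		return false, err
	}
	if err := checkReply(serverKey, reply); err != nil { // keytool -import under s1as
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = reply.Verify(x509.VerifyOptions{DNSName: serverHost, Roots: roots})
	return err == nil, nil
}
```

checkReply is the step that matters operationally: a reply issued for a CSR generated on another machine, or after the s1as entry was deleted and regenerated, certifies a key the server does not hold, and installing it would leave the server presenting a certificate it cannot complete a TLS handshake with. keytool refuses such a reply for the same reason this function does.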

Listing the original entry shows a self-signed certificate: the Owner and Issuer DNs are identical.

s1as (self-signed):

Owner: CN=Chandra, OU=CompanyName, O=CompanyName, L=Gurgaon, ST=Haryana, C=IN
Issuer: CN=Chandra, OU=CompanyName, O=CompanyName, L=Gurgaon, ST=Haryana, C=IN
Serial number: 472acd34
Valid from:

  • Darcade

    Hey, I need a password to delete the keystore but I don't know it; I tried all my passwords…

  • Darcade

    Oops, the password was changeit :D
