CopyDisable

Friday, 25 October 2013

Hands On: Deploying SSL certificate in Glassfish

In this hands-on I will show you how to deploy a Comodo 90-day trial SSL certificate in a Glassfish server.

For this I will mainly use the Java keytool command. First I will create the private key and a separate KeyStore for this example (we could also use Glassfish's default keystore.jks KeyStore).

The command is:

keytool -genkey -keysize 2048 -alias pranabtest.co.in -keyalg RSA -keystore serverkeystore.jks

Suppose my site is pranabtest.co.in; I kept the alias for the private key the same as my domain name. The command will ask for the password of this KeyStore; keep it the same as the Glassfish master password. Enter all the required information, and keep the private key's password the same as the KeyStore password to avoid any future issues.


We can view the keys in the KeyStore using the following command:

keytool -list -keystore serverkeystore.jks


Now I will generate a CSR (certificate signing request) and submit it to receive our 90-day trial SSL certificate from Comodo (or some other CA).

keytool -certreq -alias pranabtest.co.in -keystore serverkeystore.jks -file pranabtest.csr

The above command will create a file named pranabtest.csr. Copy the content of the file and paste it into the Provide your CSR page on the Comodo site.

After finishing some steps, I will receive the SSL certificate, the CA root certificate and the intermediate certificates in a zip file by mail (e.g. pranabtest_co_in.zip).

This zip file contains five files: AddTrustExternalCARoot.crt, ComodoUTNSGCCA.crt, EssentialSSLCA_2.crt, UTNAddTrustSGCCA.crt and my site's certificate pranabtest_co_in.crt.

We have to import all the files into our KeyStore:

First I will import the CA root certificate. If this command reports that the certificate already exists in the system-wide CA keystore and asks whether to add it anyway, answer no.

keytool -import -alias root -keystore serverkeystore.jks -trustcacerts -file AddTrustExternalCARoot.crt


Then I will import the three intermediate CA certificates:

keytool -import -alias comodo -keystore serverkeystore.jks -trustcacerts -file ComodoUTNSGCCA.crt
Certificate was added to keystore

keytool -import -alias essential -keystore serverkeystore.jks -trustcacerts -file EssentialSSLCA_2.crt
Certificate was added to keystore

keytool -import -alias utn -keystore serverkeystore.jks -trustcacerts -file UTNAddTrustSGCCA.crt
Certificate was added to keystore

Finally I will import the SSL certificate for my site.

Here remember to use the same alias as the private key we created in the KeyStore. With a matching alias keytool treats the file as a certificate reply and attaches it to the private key; with a different alias it is stored as a separate trusted certificate and the private key's certificate chain is never completed.

keytool -import -alias pranabtest.co.in -keystore serverkeystore.jks -trustcacerts -file pranabtest_co_in.crt
Certificate reply was installed in keystore
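Before pointing Glassfish at the KeyStore it is worth confirming that the alias you will enter as Certificate NickName really is a private-key entry whose chain was completed by the certificate reply. The script below is an added example, not part of the original post: it parses the output of `keytool -list -v -keystore serverkeystore.jks` (saved to a file) and reports whether the alias is usable. Both listings embedded in it are constructed samples in keytool's output format; the second reproduces the state where the site certificate was imported under a different alias than the private key.

```shell
#!/bin/sh
# Added example (not from the original post). check_nickname reads a saved
# "keytool -list -v" listing and classifies the entry for one alias:
#   ok               PrivateKeyEntry with a chain of 2+ certificates (reply installed)
#   chain-incomplete PrivateKeyEntry whose chain is still only the self-signed cert
#   not-private-key  the alias holds a trustedCertEntry (a certificate, no key)
#   missing          no entry with that alias
# Produce a real listing with:  keytool -list -v -keystore serverkeystore.jks > listing.txt

# check_nickname <alias> <listing-file>
check_nickname() {
  awk -v want="$1" '
    /^Alias name: /                               { cur = substr($0, 13) }
    cur == want && /^Entry type: /                { type = $3 }
    cur == want && /^Certificate chain length: /  { len = $4 + 0 }
    END {
      if (type == "")                     print "missing"
      else if (type != "PrivateKeyEntry") print "not-private-key"
      else if (len < 2)                   print "chain-incomplete"
      else                                print "ok"
    }
  ' "$2"
}

# Constructed sample: keystore after the reply was installed under the key alias.
GOOD_LISTING=$(mktemp)
cat > "$GOOD_LISTING" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: pranabtest.co.in
Creation date: Oct 25, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=pranabtest.co.in
Issuer: CN=EssentialSSL CA
Certificate[2]:
Owner: CN=EssentialSSL CA
Issuer: CN=UTN-USERFirst-Hardware

Alias name: root
Creation date: Oct 25, 2013
Entry type: trustedCertEntry

Owner: CN=AddTrust External CA Root
Issuer: CN=AddTrust External CA Root
EOF

# Constructed sample: the mistake from the story below, where the site
# certificate was imported under a second alias instead of the key alias.
BAD_LISTING=$(mktemp)
cat > "$BAD_LISTING" <<'EOF'
Your keystore contains 2 entries

Alias name: pranabtest.co.in
Creation date: Oct 25, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=pranabtest.co.in
Issuer: CN=pranabtest.co.in

Alias name: pranabtest.public
Creation date: Oct 25, 2013
Entry type: trustedCertEntry

Owner: CN=pranabtest.co.in
Issuer: CN=EssentialSSL CA
EOF

# Stand-alone demonstration: compare the two keystores for each alias.
for a in pranabtest.co.in pranabtest.public root; do
  printf '%-18s good keystore: %-16s broken keystore: %s\n' "$a" \
    "$(check_nickname "$a" "$GOOD_LISTING")" "$(check_nickname "$a" "$BAD_LISTING")"
done
```

Only `ok` means the alias will work as Certificate NickName; `chain-incomplete` on the key alias together with `not-private-key` on a second alias is the exact signature of the mistake described in the break story below, and the fix is the one given there (delete the stray entry and re-import the reply under the key alias).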

So our certificate installation is finished; now we have to tell Glassfish to use this certificate.

I changed the SSL settings for my second HTTP listener: in Certificate NickName enter the alias of our certificate (i.e. pranabtest.co.in), and also enter the Key Store name.


*******************************************************************************

2-minute break story:

Once I made a mistake: I imported my site's certificate with a different alias. Say I created my private key with alias pranabtest.co.in and imported my site's certificate with alias pranabtest.public. I used the alias of my certificate, pranabtest.public, in the Certificate NickName field of the Glassfish HTTP listener's SSL configuration. But I started getting the following error in my server.log:

SSL support could not be configured!
java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.

and

ProtocolChain exception java.lang.NullPointerException

The solution was to delete my site’s certificate from the KeyStore (i.e. delete pranabtest.public) and import it again (with alias pranabtest.co.in).

End of 2-minute break story

*******************************************************************************


Next I will stop the Glassfish domain and take a backup of the domain.xml file. Then, in domain.xml, replace all occurrences of s1as (the default certificate nickname) with pranabtest.co.in, which is our certificate alias, and keystore.jks with our new KeyStore serverkeystore.jks.

Start Glassfish and open the site using the secure (HTTPS) port.
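The domain.xml edit above is the kind of search-and-replace that is easy to get slightly wrong: a bare replacement of `keystore.jks` also matches inside `serverkeystore.jks` if the file is ever processed twice, and `s1as` should only be changed where it is the `cert-nickname` value. The script below is an added example, not part of the original post, that makes the backup and performs both replacements with anchored patterns so the edit is safe to re-run. The domain.xml it writes is a constructed fragment in the real file's format (the `cert-nickname` attribute and the `-Djavax.net.ssl.keyStore` jvm-option are genuine GlassFish settings; everything else is trimmed down), not a complete GlassFish domain.xml.

```shell
#!/bin/sh
# Added example (not from the original post): switch a GlassFish domain.xml
# from the default nickname/keystore to the ones created in this hands-on.

# Constructed sample fragment of domain.xml with the two settings to change
# plus one keystore path (the trust store) that must NOT be touched.
DOMAIN_XML=$(mktemp)
cat > "$DOMAIN_XML" <<'EOF'
<domain>
  <configs><config name="server-config">
    <network-config><protocols>
      <protocol name="http-listener-2" security-enabled="true">
        <ssl cert-nickname="s1as" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl"></ssl>
      </protocol>
    </protocols></network-config>
    <java-config>
      <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
      <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
    </java-config>
  </config></configs>
</domain>
EOF

# switch_cert <domain.xml> <certificate-alias> <keystore-file-name>
# Keeps a copy as <domain.xml>.bak, then rewrites the config from that copy.
switch_cert() {
  file="$1" alias="$2" ks="$3"
  cp "$file" "$file.bak"
  # Anchor both patterns: only the cert-nickname attribute value, and only the
  # keystore file name directly under /config/, so that running this again
  # cannot turn serverkeystore.jks into serverserverkeystore.jks.
  sed -e "s|cert-nickname=\"s1as\"|cert-nickname=\"$alias\"|g" \
      -e "s|/config/keystore\.jks|/config/$ks|g" "$file.bak" > "$file"
}

# count_matches <pattern> <file>: number of matching lines (0 instead of grep's exit 1)
count_matches() { grep -c "$1" "$2" || true; }

# Stand-alone demonstration: apply the change and show the affected lines.
switch_cert "$DOMAIN_XML" pranabtest.co.in serverkeystore.jks
grep -nE 'cert-nickname|keyStore' "$DOMAIN_XML"
```

After running it, stop the domain first as the post says, and check that the trust store line is unchanged and that no `s1as` remains in the listener you care about; the backup file is what you restore if Glassfish fails to start with the new keystore.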