Friday, 25 October 2013

Hands On: Deploying SSL certificate in Glassfish

In this hands-on I will show you how to deploy a Comodo 90-day trial SSL certificate in a Glassfish server.

For this I will mainly use the Java keytool command. First I will create the private key in a separate KeyStore (we could also use Glassfish's default keystore.jks) for this example.

The command is:

keytool -genkey -keysize 2048 -alias -keyalg RSA -keystore serverkeystore.jks

Suppose my site is and I kept the alias for the private key the same as my domain name. The command will ask for the password of this KeyStore; keep it the same as the Glassfish master password. Enter all the required information and keep the private key's password the same as the KeyStore password to avoid any future issues.


We can view the keys in the KeyStore using the following command:

keytool -list -keystore serverkeystore.jks


Now I will generate a CSR (certificate signing request) and submit it to receive our 90-day trial SSL certificate from Comodo (or some other CA).

keytool -certreq -alias -keystore serverkeystore.jks -file pranabtest.csr

The above command will create a file named pranabtest.csr. Copy the content of the file and paste it into the "Provide your CSR" page on the Comodo site.

After completing a few more steps, I will receive my site's SSL certificate together with the CA root and intermediate certificates in a zip file by e-mail (e.g.

This zip file contains five files: AddTrustExternalCARoot.crt, ComodoUTNSGCCA.crt, EssentialSSLCA_2.crt, UTNAddTrustSGCCA.crt and my site's certificate pranabtest_co_in.crt.

We have to import all the files into our KeyStore:

First I will import the CA root certificate. If keytool reports that this certificate already exists (in the system-wide CA keystore) and asks whether to add it anyway, answer no:

keytool -import -alias root -keystore serverkeystore.jks -trustcacerts -file AddTrustExternalCARoot.crt


Then I will import the three intermediate CA certificates:

keytool -import -alias comodo -keystore serverkeystore.jks -trustcacerts -file ComodoUTNSGCCA.crt
Certificate was added to keystore

keytool -import -alias essential -keystore serverkeystore.jks -trustcacerts -file EssentialSSLCA_2.crt
Certificate was added to keystore

keytool -import -alias utn -keystore serverkeystore.jks -trustcacerts -file UTNAddTrustSGCCA.crt
Certificate was added to keystore

Finally I will import the SSL certificate for my site.

Here remember to use the same alias as the private key we created in the KeyStore; otherwise the certificate reply is not attached to that key and the validation chain will not be completed.

keytool -import -alias -keystore serverkeystore.jks -trustcacerts -file pranabtest_co_in.crt
Certificate reply was installed in keystore

So our certificate installation is finished; now we have to tell Glassfish to use this certificate.

I changed the SSL settings of my second HTTP listener: in Certificate NickName enter the alias of our certificate (i.e. and also the Key Store name.




Two-minute break story:

Once I made a mistake: I imported my site's certificate under a different alias. Say I created my private key with alias and imported my site's certificate with alias pranabtest.public. I used the certificate's alias, pranabtest.public, in the Certificate NickName field of the Glassfish HTTP listener's SSL configuration. But I started getting the following error in my server.log:

SSL support could not be configured! SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.


ProtocolChain exception java.lang.NullPointerException

The solution was to delete my site’s certificate from the KeyStore (i.e. delete pranabtest.public) and import it again (with alias

End of two-minute break story
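The mismatch in the story above, and the alias rule stated before the final import, can be checked before Glassfish is touched. The following shell script is an added example, not part of the original post: it reads the output of keytool -list -v and reports whether the alias you intend to put in Certificate NickName is a PrivateKeyEntry whose CA reply has been installed (chain length greater than 1), a trusted certificate with no key (the pranabtest.public mistake), or missing altogether. The aliases www.example.com and selfsigned and the listing inside sample_listing are constructed sample data, not the author's real keystore.

```sh
#!/bin/sh
# Added example (not from the original post). Reads `keytool -list -v` output on
# stdin and checks that the alias intended for Glassfish's Certificate NickName
# is usable for TLS: a PrivateKeyEntry whose CA reply has been installed.
# Exit codes: 0 usable, 1 alias missing, 2 certificate-only entry (no key),
# 3 private key still carrying only its self-signed certificate.
# The alias names www.example.com and selfsigned and the listing in
# sample_listing are constructed sample data.

check_nickname() {
    nick="$1"
    # Pull "Entry type" and "Certificate chain length" from the block that
    # begins with "Alias name: <nick>"; the next "Alias name:" line ends it.
    info=$(awk -v a="$nick" '
        $0 == ("Alias name: " a)               { found = 1; next }
        /^Alias name: /                        { found = 0 }
        found && /^Entry type: /               { type = $3 }
        found && /^Certificate chain length: / { len = $4 }
        END { if (type != "") print type, len + 0 }
    ')
    if [ -z "$info" ]; then
        echo "FAIL: no entry with alias '$nick' in the KeyStore"
        return 1
    fi
    type=${info% *}
    len=${info#* }
    case "$type" in
        PrivateKeyEntry)
            if [ "$len" -lt 2 ]; then
                echo "FAIL: '$nick' holds a private key but only its self-signed certificate; import the CA reply under this alias"
                return 3
            fi
            echo "OK: '$nick' is a private key with a $len-certificate chain"
            return 0
            ;;
        trustedCertEntry)
            echo "FAIL: '$nick' is a trusted certificate without a private key; Glassfish cannot serve TLS with it"
            return 2
            ;;
        *)
            echo "FAIL: unexpected entry type '$type' for '$nick'"
            return 4
            ;;
    esac
}

# Constructed listing in the layout keytool -list -v prints (certificate
# details trimmed). "pranabtest.public" reproduces the mistake from the story.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: www.example.com
Creation date: Oct 25, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=www.example.com, O=Example
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited

*******************************************

Alias name: pranabtest.public
Creation date: Oct 25, 2013
Entry type: trustedCertEntry
Owner: CN=www.example.com, O=Example
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited

*******************************************

Alias name: selfsigned
Creation date: Oct 25, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example
Issuer: CN=www.example.com, O=Example

*******************************************

Alias name: root
Creation date: Oct 25, 2013
Entry type: trustedCertEntry
Owner: CN=AddTrust External CA Root, O=AddTrust AB
Issuer: CN=AddTrust External CA Root, O=AddTrust AB
EOF
}

# Against a real keystore:
#   keytool -list -v -keystore serverkeystore.jks | check_nickname www.example.com
```

Pipe a real listing into it with `keytool -list -v -keystore serverkeystore.jks | check_nickname <alias>`; a FAIL line with exit code 2 is exactly the situation in the story (certificate imported under an alias that does not hold the key), and exit code 3 means the final keytool -import step has not yet been run against the key's alias.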



Next I will stop the Glassfish domain and take a backup of the domain.xml file. Then I replace every occurrence of s1as (the default certificate nickname) with which is our certificate alias, and keystore.jks with my new KeyStore serverkeystore.jks, in the domain.xml file.

Start Glassfish and open the site on the secure (HTTPS) port.
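The domain.xml edit in the last step can be scripted so that the backup is never skipped and only the two intended strings change. This shell script is an added example, not from the original post; it assumes the new KeyStore was placed in the domain's config directory next to the default keystore.jks and that the domain has already been stopped. The sample_domain_xml fragment is a constructed excerpt in the shape of a Glassfish 3.x domain.xml, and www.example.com stands in for the real alias.

```sh
#!/bin/sh
# Added example, not from the original post. Rewrites a Glassfish domain.xml so
# the SSL-enabled listeners use the alias and KeyStore created with keytool:
#   cert-nickname="s1as"   -> cert-nickname="<alias>"
#   /config/keystore.jks   -> /config/<keystore file>
# Assumptions: the new KeyStore sits in the domain's config directory beside
# the default keystore.jks, and the domain is stopped. A timestamped backup is
# written next to the file before anything is changed. The keystore path
# pattern is anchored on "/config/" so running the script twice cannot turn
# serverkeystore.jks into serverserverkeystore.jks.

update_domain_xml() {
    file="$1"; nick="$2"; ks="$3"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Refuse to run when there is no s1as nickname left to replace: the file
    # was already converted, or it is not a domain.xml at all.
    n=$(grep -c 'cert-nickname="s1as"' "$file" || true)
    [ "$n" -gt 0 ] || { echo "no cert-nickname=\"s1as\" in $file; nothing to do" >&2; return 2; }

    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1

    # sed -i differs between GNU and BSD; write a temp file and move it into place.
    tmp="$file.tmp.$$"
    sed -e "s|cert-nickname=\"s1as\"|cert-nickname=\"$nick\"|g" \
        -e "s|/config/keystore\.jks|/config/$ks|g" "$file" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file" || return 1

    echo "replaced $n nickname(s) with $nick; keystore set to $ks"
}

# Lines in $1 that still reference the default nickname or default KeyStore.
remaining_defaults() {
    grep -c -e 'cert-nickname="s1as"' -e '/config/keystore\.jks' "$1" || true
}

# Constructed, trimmed excerpt in the shape of a Glassfish 3.x domain.xml.
sample_domain_xml() {
    cat <<'EOF'
<domain>
  <configs><config name="server-config">
    <network-config><protocols>
      <protocol security-enabled="true" name="http-listener-2">
        <http max-connections="250" default-virtual-server="server"></http>
        <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
      </protocol>
    </protocols></network-config>
    <java-config>
      <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
      <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
    </java-config>
  </config></configs>
</domain>
EOF
}

# On a real domain (after asadmin stop-domain):
#   update_domain_xml /path/to/domain1/config/domain.xml www.example.com serverkeystore.jks
```

The trust store line (cacerts.jks) is deliberately left alone: the imported CA certificates live in the server KeyStore for chain building, while cacerts.jks is what Glassfish uses to verify peers, and the post does not change it.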


blog! said...


Thanks so much for this very informative post.

I'm still having SSL connection error on my browser. I have re-imported the certificate several times.

When I refer to the default glassfish s1as certificate, I can access https with a warning but when I refer to the alias of the newly installed certificate, I get the SSL connection error.

I have checked that the keystore and certificate aliases match. I also installed all certificates into all available keystores.

One thing I would like to find out though is that the glassfish server doesn't require authentication, that is, it doesn't use any login details. Can that cause a problem?

The logs show no error. Any ideas please?

Thanks in advance.
