I recently had to carry out this task and while I got help from quite a number of resources (which I am going to make references to), I still found it useful to come up with this guide consisting of the final steps I carried out (after encountering several issues). I hope someone will find it useful some day. Feel free to ask questions, make corrections or add any other step that worked for you during your own installation in the comments section.
This guide assumes you have purchased an SSL certificate from a Certificate Authority (CA) (e.g. GoDaddy, Symantec, Comodo, etc.) or, at the very least, have gotten in touch with one and have been asked to upload a Certificate Signing Request (CSR).
Before starting anything, please back up the files under the “$GFHOME/domains/yourdomain/config” folder. This very valuable tip comes in handy if there is a need to revert to the initial domain settings. It was very useful to me, many thanks to Ali Ok.
1. CREATE DIRECTORY FOR THE KEYSTORE AND CSR
Open a command prompt and type the following:
Then cd to the newly created directory by typing the following command:
2. CREATE KEYSTORE
Use the following command to create a keystore:
keytool -genkey -alias youralias -keyalg RSA -keystore yourkeystorename.jks -keysize 2048
You will be prompted to enter the keystore password. The default password that comes with GlassFish is changeit, unless you have changed yours. Afterwards, you will be prompted for the following:
Ensure the details filled in here correspond to those communicated to the CA at the point of purchase.
- What is your first and last name? = Your Domain Name (e.g. www.sitestars.net)
- What is the name of your organizational unit? = Your Department (e.g. IT)
- What is the name of your organization? = Your Organization (e.g. SiteStars Ltd)
- What is the name of your City or Locality? = Your City (e.g. Victoria Island)
- What is the name of your State or Province? = Your State (e.g. Lagos)
- What is the two-letter country code for this unit? = Your Country Code (e.g. NG)
When all these have been filled in, you will be shown the summary to confirm accuracy. Type y and press enter.
You will then be prompted to enter the key password for youralias. Press enter if you are using the default password.
3. GENERATE CSR
Use the following command to generate a CSR:
keytool -certreq -alias youralias -file yourcsrname.csr -keystore yourkeystorename.jks
Copy the content of your CSR and paste in the space your CA has provided.
4. IMPORT KEYSTORE TO GLASSFISH
keytool -importkeystore -srckeystore "$HOME/sslcert/yourkeystorename.jks" -destkeystore "$GFHOME/domains/yourdomain/config/keystore.jks"
5. IMPORT ROOT CERTIFICATE TO CACERTS.JKS AND KEYSTORE.JKS
keytool -import -v -trustcacerts -alias root -file crossRootCA.cer -keystore keystore.jks
keytool -import -v -trustcacerts -alias root -file crossRootCA.cer -keystore cacerts.jks
6. IMPORT INTERMEDIATE CERTIFICATE TO CACERTS.JKS AND KEYSTORE.JKS
keytool -import -v -trustcacerts -alias intermediate -file IntermediateCA.cer -keystore keystore.jks
keytool -import -v -trustcacerts -alias intermediate -file IntermediateCA.cer -keystore cacerts.jks
7. IMPORT MAIN CERTIFICATE TO CACERTS.JKS AND KEYSTORE.JKS (THE ALIAS SHOULD BE SAME AS THAT OF THE KEYSTORE)
keytool -import -alias youralias -trustcacerts -file ssl_certificate.cer -keystore keystore.jks
keytool -import -alias youralias -trustcacerts -file ssl_certificate.cer -keystore cacerts.jks
Notice the places where the same alias was used. Ensure the same approach is maintained.
8. CONFIGURE HTTP-LISTENER-2
On the Glassfish Admin console, go to Configurations -> Server Config -> http-listener-2 and:
- Under the General tab, change the port from 8181 to 443
- Under the SSL tab, change the Certificate NickName from s1as to the alias of the main certificate (youralias) (which should be the same as the keystore alias)
9. REFERENCE INSTALLED CERTIFICATE IN THE DOMAIN.XML
Open the /config/domain.xml and replace all references to s1as with the alias of the installed certificate (youralias).
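Step 9 as a repeatable check, written as an added example that is not part of the original guide: it keeps a backup of domain.xml, swaps s1as for the new alias, and fails if any reference is left behind. The sample file is a constructed, heavily trimmed stand-in for a real domain.xml, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original guide: step 9 as a repeatable check.

# Print how many lines of FILE ($1) mention ALIAS ($2); prints 0 for none.
count_alias_refs() {
    grep -c -F -- "$2" "$1" || true
}

# Replace every "s1as" in FILE ($1) with NEW_ALIAS ($2), keeping FILE.bak.
# Empty aliases and characters that would break sed or the XML are rejected.
# Returns 0 only if no "s1as" reference is left afterwards.
replace_default_alias() {
    case $2 in
        ''|*[!A-Za-z0-9._-]*) echo "unsafe alias: $2" >&2; return 2 ;;
    esac
    cp -p "$1" "$1.bak" || return 2
    sed "s/s1as/$2/g" "$1.bak" > "$1" || return 2
    [ "$(count_alias_refs "$1" s1as)" = "0" ]
}

# Constructed, heavily trimmed stand-in for a real domain.xml.
write_sample_domain_xml() {
    cat > "$1" <<'EOF'
<domain>
 <config name="server-config">
  <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as</jvm-options>
  <protocol name="http-listener-2" security-enabled="true">
   <ssl cert-nickname="s1as"/>
  </protocol>
  <iiop-listener id="SSL" security-enabled="true">
   <ssl cert-nickname="s1as"/>
  </iiop-listener>
 </config>
</domain>
EOF
}

# Demo on a temporary copy; point the functions at your own domain.xml instead.
demo_dir=$(mktemp -d)
write_sample_domain_xml "$demo_dir/domain.xml"
echo "before: $(count_alias_refs "$demo_dir/domain.xml" s1as) line(s) with s1as"
replace_default_alias "$demo_dir/domain.xml" youralias
echo "after:  $(count_alias_refs "$demo_dir/domain.xml" s1as) line(s) with s1as"
grep -n 'youralias' "$demo_dir/domain.xml"
rm -rf "$demo_dir"
```

The s1as alias turns up outside the http-listener-2 entry as well, which is why the check counts every line in the file rather than only the listener that was edited in the console.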
Other helpful sources: