Installing GoDaddy SSL Certificates on Glassfish v3 Step by Step

Introduction to Glassfish SSL

A newly created GlassFish domain already contains a self-signed certificate in DOMAIN_DIR/config/keystore.jks. The keystore's default password is “changeit” and the certificate is stored under the alias s1as. To see it, run the following command in the domain's config directory:

keytool -list -keystore keystore.jks

When asked, enter the default password “changeit”. You will see output similar to the following (the remaining entries are omitted here):

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

s1as, Dec 28, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): EA:56:23:46:7E:12:DA:6A:0D:8C:B9:12:11:0A:1A:8B

There should be an entry with the alias s1as. Because your domain uses this certificate by default, the domain.xml file in your domain's config folder refers to s1as in several places (the cert-nickname attribute of the SSL listeners). We will change these references later.

I recommend changing the default password of keystore.jks. GlassFish opens keystore.jks (and cacerts.jks) with the domain's master password, so the keystore password and the master password have to stay identical. The command that changes both together, and re-keys the s1as entry to match, is:

asadmin change-master-password your_domain

(keytool -storepasswd -keystore keystore.jks changes only the keystore; if you use it, the master password no longer matches and the domain will not start until they agree again.)

When asked, enter the current master password “changeit” and then the new one. Do not forget this password: you will need it for every operation you perform on keystore.jks, and you will be asked for it every time you start the domain unless you saved it with --savemasterpassword. Each key entry in keystore.jks has its own password as well; GlassFish reads the private key with the master password, so give every entry you create the same password as the keystore (press Enter when keytool asks for a key password).

There is a second keystore in the domain's config folder, cacerts.jks, the trust store. It contains the root certificates of public certificate authorities such as GoDaddy and VeriSign and is used when GlassFish has to verify someone else's certificate, for example as an SSL client or when it requires client certificates. You may also import root and intermediate certificates into keystore.jks, and we will do that below so that keytool can build the chain for your server certificate.

Purchasing Certificate and Installing Certificate

When you buy a certificate from a certificate authority (for example GoDaddy), what you get at first is a credit. You have to turn that credit into an issued SSL certificate by completing the following steps.

1) Check and correct Whois database entry for your domain:

Check your domain's whois information and correct anything that is wrong, especially the company name and the e-mail address: GoDaddy will send the approval e-mail to that address.

2) Generate a certification request by using following steps:

Generate a new key pair in keystore.jks with your domain's information:

keytool -genkeypair -alias www.yourdomain.com -keyalg RSA -keysize 2048 -dname "CN=www.yourdomain.com,O=company,L=city,ST=state,C=XX" -keystore keystore.jks

Enter your keystore password when asked; when keytool then asks for a key password, press Enter so that the key gets the same password as the keystore. GoDaddy requires a key size of at least 2048 bits. CN must be exactly the host name visitors will use (www.yourdomain.com), O is your company name, L the city, ST the state or province, and C the two-letter country code. keytool accepts more attributes, but these are enough. The alias is the name by which you will refer to this key pair later, from domain.xml.

Create the request file for submitting to Godaddy.

keytool -certreq -alias www.yourdomain.com -keystore keystore.jks -file cert_req.csr

Enter your keystore password when asked.

cert_req.csr now contains the certificate request that you submit to the certificate authority. For GoDaddy, open this file in a text editor and paste it into the text area shown in the following figure:

[Figure: GoDaddy's CSR entry text area]

Include everything between and including the following two lines:

—–BEGIN NEW CERTIFICATE REQUEST—–

—–END NEW CERTIFICATE REQUEST—–
After you submit the request, GoDaddy sends an approval e-mail to the address shown in the whois database.

3) Approve certification and import your certificates.

After approval you download a zip file that contains all the certificates you need. During this step you are asked which server you are downloading the certificates for; choose “Other”, because GlassFish is not listed. The download contains four files:

  • gd_bundle.crt
  • gd_cross_intermediate.crt
  • gd_intermediate.crt
  • yourdomain.com.crt

The first three are GoDaddy's own certificates; they form the chain that verifies your domain's certificate. They may already be present in cacerts.jks, but there is no harm in importing them into keystore.jks as well. Import them, and then the reply for your own key pair, in this order:

keytool -import -alias root -keystore keystore.jks -trustcacerts -file gd_bundle.crt

keytool -import -alias cross -keystore keystore.jks -trustcacerts -file gd_cross_intermediate.crt

keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file gd_intermediate.crt

keytool -import -alias www.yourdomain.com -keystore keystore.jks -trustcacerts -file yourdomain.com.crt

If keytool warns that a certificate already exists under a different alias, answer yes to continue importing it.

The last command must end with the message “Certificate reply was installed in keystore”. If it says “Certificate was added to keystore” instead, keytool did not find a private key under that alias (check the alias spelling) and stored the file as a loose trusted certificate; the listener would then keep serving the old s1as certificate. Listing the alias with keytool -list -v should now show an entry of type PrivateKeyEntry with a certificate chain length greater than 1; a length of 1 means the intermediate certificates were not found and browsers would receive an incomplete chain.

As said at the beginning, your domain's domain.xml contains references to s1as, in the cert-nickname attributes of the SSL listeners. Stop the domain first (GlassFish rewrites domain.xml while it runs and would overwrite your edit), open domain.xml with your editor of choice, replace every s1as with www.yourdomain.com, and save it.

4) Test your setup

Start your domain with the following command. You will be asked for the master password of your keystore.jks:

asadmin start-domain your_domain

Enter master password (3 attempt(s) remain)> your master password

Check your setup by navigating to https://www.yourdomain.com:ssl_port/. Your browser will either warn you about an invalid certificate or show that the certificate was issued by GoDaddy.com. ssl_port is 8181 by default, unless you have changed it in domain.xml. If you change it to the standard 443, remember that on Unix systems ports below 1024 require root privileges, and do not forget to allow TCP on that port in your firewall.
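The procedure in steps 2 to 4 as a script, with the checks described above made explicit. This is an added example, not part of the original post or of GlassFish; it assumes a domain directory in DOMAIN_DIR, the four GoDaddy files and the CSR in CERT_DIR, the keystore/master password in KEYSTORE_PASS, and placeholder O/L/ST/C values in the DN, none of which come from the post. It does not edit domain.xml; do that by hand as in step 3. The check subcommand needs a running domain and openssl.

```shell
#!/bin/sh
# Added example, not from the original post: steps 2 to 4 as a script with the
# checks the post only describes. Assumptions (none of these come from the
# post): DOMAIN_DIR points at the domain, the four GoDaddy files and the CSR
# live in CERT_DIR, the keystore/master password is in KEYSTORE_PASS, and the
# O/L/ST/C values in the DN are placeholders to replace.
set -eu

DOMAIN_DIR="${DOMAIN_DIR:-/opt/glassfish3/glassfish/domains/domain1}"
CERT_DIR="${CERT_DIR:-.}"
SITE_CERT="${SITE_CERT:-yourdomain.com.crt}"   # the file GoDaddy names after your domain
KEYSTORE="$DOMAIN_DIR/config/keystore.jks"

# keytool prints exactly this line when the file was matched to the private key
# stored under the same alias. Any other wording means the certificate went in
# as a loose trusted entry and the listener would keep serving s1as.
reply_installed() {
    case "$1" in
        *"Certificate reply was installed in keystore"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract N from "Certificate chain length: N" in `keytool -list -v` output
# (empty string if the line is absent). 1 after the reply import means the
# intermediates were not found, so browsers would see an incomplete chain.
chain_length() {
    printf '%s\n' "$1" | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Step 2: new 2048-bit RSA key pair and the CSR to paste into GoDaddy's form.
# -keypass equals -storepass because GlassFish opens the key with the master password.
gen_key_and_csr() {   # $1 = alias, which is also the host name in CN
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 \
        -dname "CN=$1,O=Example Corp,L=City,ST=State,C=US" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS"
    keytool -certreq -alias "$1" -keystore "$KEYSTORE" \
        -storepass "$KEYSTORE_PASS" -file "$CERT_DIR/$1.csr"
    echo "CSR written to $CERT_DIR/$1.csr"
}

# Step 3: chain first, then the reply, then both checks above.
import_chain_and_reply() {   # $1 = alias used in gen_key_and_csr
    for pair in root:gd_bundle.crt cross:gd_cross_intermediate.crt intermed:gd_intermediate.crt; do
        keytool -importcert -noprompt -trustcacerts -alias "${pair%%:*}" \
            -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -file "$CERT_DIR/${pair#*:}"
    done
    out=$(keytool -importcert -trustcacerts -alias "$1" -keystore "$KEYSTORE" \
            -storepass "$KEYSTORE_PASS" -file "$CERT_DIR/$SITE_CERT" 2>&1)
    reply_installed "$out" || { echo "reply was NOT attached to key '$1': $out" >&2; return 1; }
    listing=$(keytool -list -v -alias "$1" -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS")
    len=$(chain_length "$listing")
    [ "${len:-0}" -gt 1 ] || { echo "chain length ${len:-0}: intermediates missing" >&2; return 1; }
    echo "alias '$1' holds the private key with a chain of length $len"
}

# Step 4: once domain.xml points at the new alias and the domain is restarted,
# look at what the listener really sends; exit status is 0 only on a verified chain.
check_served_cert() {   # $1 = host name, $2 = SSL port
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$CERT_DIR/gd_bundle.crt" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

case "${1:-}" in
    csr)    gen_key_and_csr "$2" ;;
    import) import_chain_and_reply "$2" ;;
    check)  check_served_cert "$2" "${3:-8181}" ;;
    *)      echo "usage: $0 csr|import|check www.yourdomain.com [ssl_port]" ;;
esac
```

Run `sh install_cert.sh csr www.yourdomain.com` before submitting to GoDaddy, `sh install_cert.sh import www.yourdomain.com` after unpacking the zip (the function fails loudly instead of leaving a keystore that silently still serves s1as), and `sh install_cert.sh check www.yourdomain.com 8181` after the restart. The openssl check verifies the chain against the downloaded bundle rather than the browser's trust store, so a success here plus a browser warning points at a missing intermediate in what the listener sends.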

7 thoughts on “Installing GoDaddy SSL Certificates on Glassfish v3 Step by Step”

  • Thanks for the tutorial. The certificate installation went OK, but I keep getting an “SSL connection error” when I attempt to access GlassFish on port 8181. Port is open in the firewall. All default settings used. Domain.xml file updated with domain name. Any ideas? Thanks!

  • Is there a more detailed error message in the server.log file in the domain's log folder?

  • No error messages, no. In the server log (/logs/server.log) I did notice that HTTP Listener 2 is being consistently created and that port 8181 is being bound similarly to HTTP Listener 1 (which works, but without SSL):

    Created HTTP listener http-listener-2 on host/port 0.0.0.0:8181
    Grizzly Framework 2.3.15 started in: 3ms – bound to [/0.0.0.0:8181]

    So while that looks good to me, SSL connections still failed immediately. However, today, I got it working.

    All I remember changing was deleting HTTP Listener 2 and recreating it using the command line tool asadmin. Also, I did ensure the response from keytool during certificate installation was “certificate reply installed”, not just “certificate installed”. Here are the command line commands I used for the recreation of HTTP listener 2:

    asadmin> delete-ssl --type http-listener http-listener-2

    asadmin> create-ssl --type http-listener --certname www.yourdomain.com http-listener-2

    I found these commands in the guide: https://glassfish.java.net/docs/4.0/administration-guide.pdf

    Hope it helps! Took me days to get it working finally.
    Rob

  • I have a similar problem. I installed Glassfish 3.1.2.2 and added my certificates to server.keystore. I then went into Glassfish admin and for the listener set the nickname to apex and keystore to server.keystore. However, when I go to the web page via ssl, it states there is a problem with the certificate – I said to continue. When the next page comes up, it shows a certificate error. I click on the message and it shows a valid cert date of today through the next 10 years – no way. Where is this coming from. I did this by following the Glassfish v3.1.2 and SSL by the Java Dude weblog. Any ideas?
