Installing GoDaddy SSL Certificates on Glassfish v3 Step by Step

Introduction to Glassfish SSL

Newly created domains on Glassfish already have a self-signed certificate in the DOMAIN_DIR/config/keystore.jks file. By default this keystore has the password “changeit”. This certificate is named s1as. To see this certificate, issue the following command:

keytool -list -keystore keystore.jks

When asked, enter the default password “changeit”. You will see output similar to the following:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

s1as, Dec 28, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): EA:56:23:46:7E:12:DA:6A:0D:8C:B9:12:11:0A:1A:8B

There should be a certificate with the alias s1as. Since your Glassfish will use this certificate by default, the domain.xml file in the config folder of your domain contains references to s1as in several places. We will change these references later.

I recommend changing the default password of keystore.jks. To change the password, use the following command:

keytool -storepasswd -keystore keystore.jks

When asked, enter the default password “changeit” and then enter the new password for your keystore.jks. Do not forget this password: you will need it for every operation you perform on your keystore.jks file, and you will also be asked for it every time you start your domain. This password is called the master password for your keystore.jks. Each entry in keystore.jks may have its own password; I recommend making these passwords the same as the master password if possible.

There is another key file in Glassfish’s domain folder named cacerts.jks. This file contains certificates from trusted authorities like GoDaddy, VeriSign etc. Certificates from this file are used to verify the integrity of the certificates you purchase from certificate authorities. These certificates are called root certificates. You may also import root certificates into keystore.jks.

Purchasing Certificate and Installing Certificate

When you buy a certificate from a certificate authority (for example GoDaddy) you are given a credit for a certificate. You have to convert this credit into a valid SSL certificate, which takes several steps.

1) Check and correct Whois database entry for your domain:

Check your domain’s whois information and fix it if it is not correct, especially your company name and email address. GoDaddy will send an approval email to this email address.

2) Generate a certification request by using following steps:

Generate a new entry in keystore.jks with the information of your domain.

keytool -keysize 2048 -genkey -alias www.yourdomain.com -keyalg RSA -dname "CN=www.yourdomain.com,O=company,L=city,S=State,C=Country" -keystore keystore.jks

Enter the password of your keystore when asked. GoDaddy requires a key size of at least 2048 bits. CN is your site’s domain name, O is your company name, L is the city, C is the 2-character country code. There are more options you could specify if you want, but these are enough. The alias is the key you will use to refer to this certificate; we will refer to it from domain.xml.

Create the request file for submitting to Godaddy.

keytool -certreq -alias www.yourdomain.com -keystore keystore.jks -file cert_req.csr

Enter the password of your keystore when asked.

The cert_req.csr file contains your certificate request, which you submit to the certificate authority. For GoDaddy, open this file with a text editor and paste its contents into the text area shown in the following figure:

(Figure: csr entry)

You should include everything between and including the following lines.

-----BEGIN NEW CERTIFICATE REQUEST-----

-----END NEW CERTIFICATE REQUEST-----

After you complete the certificate request submission, they will send an approval email to the email address shown in the whois database.

3) Approve certification and import your certificates.

After approval you need to download a zip file which contains all the certificates you need. During this step you will be asked which server you are downloading the certificates for. Select “other”, because Glassfish is not listed. Your download will contain 4 files:

  • gd_bundle.crt
  • gd_cross_intermediate.crt
  • gd_intermediate.crt
  • yourdomain.com.crt

The first 3 of them are certificates belonging to godaddy.com. They are used to verify your domain’s certificate. They may already be contained in your cacerts.jks, but there is no harm in importing them into your keystore.jks. Import these certificates into your keystore.jks using the following steps:

keytool -import -alias root -keystore keystore.jks -trustcacerts -file gd_bundle.crt

keytool -import -alias cross -keystore keystore.jks -trustcacerts -file gd_cross_intermediate.crt

keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file gd_intermediate.crt

keytool -import -alias www.yourdomain.com -keystore keystore.jks -trustcacerts -file yourdomain.com.crt

If you are warned that the certificate already exists under a different alias, choose yes to continue importing the certificate.

As we said at the beginning, your domain’s domain.xml file contains references to the s1as certificate. Open domain.xml with your editor of choice, replace every s1as with www.yourdomain.com and save it.

4) Test your setup

Start your domain using the following command. You will be asked for the master password of your keystore.jks.

asadmin start-domain your_domain

Enter master password (3) attempt(s) remain)>Enter your master password here

Check your setup by navigating to https://www.yourdomain.com:ssl_port/. Your browser of choice will either warn you about an invalid certificate, or you will see that it is verified by GoDaddy.com. ssl_port is 8181 by default, unless you have changed it in your domain.xml. If you change it to the standard HTTPS port 443, do not forget to configure your firewall to allow TCP on that port.
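A post-install check script for steps 3 and 4, added here as an example (it is not from the original post). It assumes the domain directory, the keytool alias and the public hostname are passed as arguments, that gd_bundle.crt was copied into DOMAIN_DIR/config, and that the keystore password is exported as STOREPASS so keytool does not prompt.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for the
# s1as -> www.yourdomain.com switch made in steps 3 and 4. Assumptions: the
# domain directory, the keytool alias and the public hostname are passed as
# arguments; gd_bundle.crt was copied to DOMAIN_DIR/config; the keystore
# password is exported as STOREPASS so keytool does not prompt. Each check
# returns 0 (ok), 1 (failed) or 2 (tool not installed, check skipped).

# Every <ssl cert-nickname="..."> in domain.xml must name the new alias, and
# none may still name the default self-signed alias s1as.
check_domain_xml() {
    xml=$1; nick=$2
    [ -r "$xml" ] || return 1
    leftover=$(grep -cF 'cert-nickname="s1as"' "$xml")
    wanted=$(grep -cF "cert-nickname=\"$nick\"" "$xml")
    [ "$leftover" -eq 0 ] && [ "$wanted" -gt 0 ]
}

# The alias must be a PrivateKeyEntry (private key plus the GoDaddy-signed
# certificate), not just a trustedCertEntry left over from a plain -import.
check_keystore() {
    ks=$1; nick=$2
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$ks" -storepass "$STOREPASS" -alias "$nick" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

# A real handshake against the running domain: the chain it serves must verify
# against the GoDaddy bundle, which is what a visitor's browser will check.
check_tls() {
    host=$1; port=$2; bundle=$3
    command -v openssl >/dev/null 2>&1 || return 2
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$bundle" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

report() { # report NAME STATUS
    case $2 in 0) echo "ok      $1";; 2) echo "skipped $1 (no tool)";; *) echo "FAILED  $1";; esac
}

run_all_checks() { # run_all_checks DOMAIN_DIR ALIAS HOSTNAME [SSL_PORT]
    check_domain_xml "$1/config/domain.xml" "$2"; report domain.xml $?
    check_keystore "$1/config/keystore.jks" "$2"; report keystore.jks $?
    check_tls "$3" "${4:-8181}" "$1/config/gd_bundle.crt"; report tls-handshake $?
}

if [ $# -ge 3 ]; then run_all_checks "$@"; fi
```

Run it after the domain is up, e.g. STOREPASS=... sh check_ssl.sh /path/to/domain www.yourdomain.com www.yourdomain.com 8181; a FAILED domain.xml line means an ssl element still points at s1as, which is the most common reason the browser keeps showing the self-signed certificate.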
