+++ /dev/null
-## How to add a valid SSL/TLS cert to Glassfish
-
-[[!toc]]
-
-## Introduction
-
-In this tutorial we will be reusing "star" or http://en.wikipedia.org/wiki/Wildcard_certificate in use by Apache on Glassfish.
-
-These are the names Apache uses:
-
-- SSLCertificateFile (server.crt) Server PEM-encoded X.509 Certificate file http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatefile
-- SSLCertificateKeyFile (server.key) Server PEM-encoded Private Key file http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatekeyfile
-- SSLCertificateChainFile (ca.crt) File of PEM-encoded Server CA Certificates http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatechainfile
-
-To be continued... for now, see http://aliok.wordpress.com/2011/06/04/using-your-ssl-certificate-on-glassfish-3/
-
-## List existing cert (self-signed)
-
- [root@dvn-vm2 cert]# cd glassfish3/glassfish/domains/domain1/config
- [root@dvn-vm2 config]# keytool -list -keystore keystore.jks -storepass changeit
-
- Keystore type: JKS
- Keystore provider: SUN
-
- Your keystore contains 2 entries
-
- glassfish-instance, Jul 11, 2012, PrivateKeyEntry,
- Certificate fingerprint (MD5): BE:DE:57:FF:BC:E2:32:AA:85:4C:4C:BD:6F:BC:EC:DE
- s1as, Jul 11, 2012, PrivateKeyEntry,
- Certificate fingerprint (MD5): 52:BC:A6:6D:31:15:8E:6F:64:AA:14:E7:20:29:B1:AA
- [root@dvn-vm2 config]#
- [root@dvn-vm2 config]# keytool -list -keystore keystore.jks -storepass changeit -v
-
- Keystore type: JKS
- Keystore provider: SUN
-
- Your keystore contains 2 entries
-
- Alias name: glassfish-instance
- Creation date: Jul 11, 2012
- Entry type: PrivateKeyEntry
- Certificate chain length: 1
- Certificate[1]:
- Owner: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
- Issuer: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
- Serial number: 4ffdd33d
- Valid from: Wed Jul 11 15:25:49 EDT 2012 until: Sat Jul 09 15:25:49 EDT 2022
- Certificate fingerprints:
- MD5: BE:DE:57:FF:BC:E2:32:AA:85:4C:4C:BD:6F:BC:EC:DE
- SHA1: 58:D8:78:1F:B6:1C:48:FF:82:21:90:9D:FF:BE:35:50:6D:44:A3:BF
- Signature algorithm name: SHA1withRSA
- Version: 3
-
- Extensions:
-
- #1: ObjectId: 2.5.29.14 Criticality=false
- SubjectKeyIdentifier [
- KeyIdentifier [
- 0000: D4 AE 32 59 30 0B 68 0D D3 F5 10 AA 8C 11 99 01 ..2Y0.h.........
- 0010: A7 FB 95 E3 ....
- ]
- ]
-
-
-
- *******************************************
- *******************************************
-
-
- Alias name: s1as
- Creation date: Jul 11, 2012
- Entry type: PrivateKeyEntry
- Certificate chain length: 1
- Certificate[1]:
- Owner: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
- Issuer: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
- Serial number: 4ffdd33b
- Valid from: Wed Jul 11 15:25:47 EDT 2012 until: Sat Jul 09 15:25:47 EDT 2022
- Certificate fingerprints:
- MD5: 52:BC:A6:6D:31:15:8E:6F:64:AA:14:E7:20:29:B1:AA
- SHA1: 36:47:8E:AB:37:81:49:36:EE:2A:BC:02:E9:4A:93:A9:34:9D:14:54
- Signature algorithm name: SHA1withRSA
- Version: 3
-
- Extensions:
-
- #1: ObjectId: 2.5.29.14 Criticality=false
- SubjectKeyIdentifier [
- KeyIdentifier [
- 0000: 73 C9 5A 7D D3 B1 FF C0 2E 24 E2 5A 50 67 5F 4A s.Z......$.ZPg_J
- 0010: E3 62 C6 7D .b..
- ]
- ]
-
-
-
- *******************************************
- *******************************************
-
-
- [root@dvn-vm2 config]#
-
-##
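Review bot: the removed `keytool -list -keystore keystore.jks -storepass changeit -v` transcript is the only output on the page that shows `Certificate chain length: 1` for the stock `s1as` and `glassfish-instance` entries (and SHA1 fingerprints alongside the MD5 ones), and the replacement text leans on exactly that value ("so that we see something other than 1 for 'Certificate chain length'") while only showing the non-verbose listing; suggest keeping a trimmed `-v` listing, ideally of the newly imported alias, so the reader can confirm the chain was carried over. The dropped "To be continued..." pointer to http://aliok.wordpress.com/2011/06/04/using-your-ssl-certificate-on-glassfish-3/ also disappears without replacement; if that post informed the original procedure, keep it as a reference next to the Stack Overflow link.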
--- /dev/null
+## How to reuse a wildcard SSL/TLS cert from Apache on Glassfish
+
+[[!toc]]
+
+### Introduction
+
+In this tutorial we will be reusing a "star" or "wildcard" SSL/TSL certificate ( http://en.wikipedia.org/wiki/Wildcard_certificate ) from Apache on Glassfish.
+
+### Gather required files from Apache (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile)
+
+Before you can begin, you'll need to gather three files from your Apache server. To use the Apache terminology:
+
+- SSLCertificateFile (server.crt) Server PEM-encoded X.509 Certificate file http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatefile
+- SSLCertificateKeyFile (server.key) Server PEM-encoded Private Key file http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatekeyfile
+- SSLCertificateChainFile (ca.crt) File of PEM-encoded Server CA Certificates http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatechainfile
+
+In this tutorial, we're storing all these files in /tmp/certs but the key especially should be kept secure:
+
+ [root@dvn-vm2 config]# ls -1d /tmp/certs/*
+ /tmp/certs/ca.crt
+ /tmp/certs/server.crt
+ /tmp/certs/server.key
+
+### Navigate to the "config" directory of domain1 on Glassfish
+
+In my case, I installed Glassfish using glassfish-3.1.2.2.zip
+
+ [root@dvn-vm2 glassfish3]# cd glassfish/domains/domain1/config
+ [root@dvn-vm2 config]#
+
+Probably it's best to stop Glassfish at this point:
+
+ [root@dvn-vm2 config]# ../../../bin/asadmin stop-domain
+
+### List entries in keystore.jks
+
+As a sanity check, we first list the entries in the Glassfish keystore.jks before we make any changes to it.
+
+Now would be a good time to back it up. :)
+
+ [root@dvn-vm2 config]# keytool -list -keystore keystore.jks -storepass changeit
+
+ Keystore type: JKS
+ Keystore provider: SUN
+
+ Your keystore contains 2 entries
+
+ glassfish-instance, Jul 11, 2012, PrivateKeyEntry,
+ Certificate fingerprint (MD5): BE:DE:57:FF:BC:E2:32:AA:85:4C:4C:BD:6F:BC:EC:DE
+ s1as, Jul 11, 2012, PrivateKeyEntry,
+ Certificate fingerprint (MD5): 52:BC:A6:6D:31:15:8E:6F:64:AA:14:E7:20:29:B1:AA
+ [root@dvn-vm2 config]#
+
+### Created intermediary pkcs12 keystore from SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile files
+
+This step and the one following comes primarily from http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i/8224863#8224863
+
+ [root@dvn-vm2 config]# openssl pkcs12 -export -in /tmp/certs/server.crt -inkey /tmp/certs/server.key -out /tmp/certs/server.p12 -name some-alias -CAfile /tmp/certs/ca.crt -caname root -password pass:some-password --chain
+ [root@dvn-vm2 config]#
+
+No output is expected since we supplied the openssl export password on the command line.
+
+We use `--chain` so that we see something other than 1 for "Certificate chain length" in the output `keytool -list` and to satisfy some browsers as described at http://i-cat.blogspot.com/2009/02/glassfish-and-intermediate-ssl.html
+
+### Import the pks12 keystore into Glassfish's keystore.jks
+
+Please not that we need the export password from above to import the pks12 keystore:
+
+ [root@dvn-vm2 config]# keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore /tmp/certs/server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias some-alias
+ [root@dvn-vm2 config]#
+
+### Note that a new entry has been added to keystore.jks
+
+We called the entry "some-alias" because that's what was used in the Stack Overflow post but we could have used anything.
+
+Use `-v` for verbose output, such as to see the certificate chain.
+
+ [root@dvn-vm2 config]# keytool -list -keystore keystore.jks -storepass changeit
+
+ Keystore type: JKS
+ Keystore provider: SUN
+
+ Your keystore contains 3 entries
+
+ some-alias, Nov 4, 2013, PrivateKeyEntry,
+ Certificate fingerprint (MD5): 8B:C7:89:D0:F4:F8:1C:F6:10:EC:B6:2C:D8:5D:4B:F4
+ glassfish-instance, Jul 11, 2012, PrivateKeyEntry,
+ Certificate fingerprint (MD5): BE:DE:57:FF:BC:E2:32:AA:85:4C:4C:BD:6F:BC:EC:DE
+ s1as, Jul 11, 2012, PrivateKeyEntry,
+ Certificate fingerprint (MD5): 52:BC:A6:6D:31:15:8E:6F:64:AA:14:E7:20:29:B1:AA
+ [root@dvn-vm2 config]#
+
+### Reconfigure Glassfish to use the new certificate
+
+Search and replace "s1as" with the name of your alias (i.e. "some-alias") in domain.xml. Here is an example change.
+
+ [root@dvn-vm2 config]# diff domain.xml.self-signed domain.xml | head -4
+ 82c82
+ < <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" />
+ ---
+ > <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="some-alias" />
+ [root@dvn-vm2 config]#
+
+### Start Glassfish and verify the cert in your browser
+
+ [root@dvn-vm2 config]# ../../../bin/asadmin start-domain
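Review bot: the export and import commands pass every secret on the command line (`-password pass:some-password`, `-srcstorepass some-password`, `-storepass changeit -destkeypass changeit`), so the private-key export password and the keystore password land in root's shell history and are visible to other local users in `ps` while the commands run; suggest `-password env:P12PASS` (or `-passout`) for openssl, letting keytool prompt instead of passing `-srcstorepass`/`-deststorepass`, and saying explicitly that `keystore.jks` is still protected by the well-known default "changeit" when this procedure ends. GlassFish requires the key entry password to equal the keystore (master) password, which is why `-deststorepass` and `-destkeypass` are both `changeit`; that constraint should be stated so readers who changed the master password keep the two in sync. Related: `/tmp/certs` is a world-readable location for `server.key` and the new `server.p12`, so "the key especially should be kept secure" needs a concrete instruction (`chmod 600` on the files, delete `server.p12` once imported). On the openssl line, the option is documented as `-chain` (single dash); `-chain` only succeeds if `ca.crt` lets openssl build a path to a root it trusts, otherwise the export stops with a chain error, and `-caname root` labels what the page itself describes as the intermediate chain file (SSLCertificateChainFile) as "root", which is misleading. The domain.xml step is a blind search-and-replace of every `cert-nickname="s1as"`, which also moves the admin listener and the IIOP listeners onto the wildcard certificate; either say that is intended or show `asadmin set` on the specific listener's `ssl.cert-nickname` instead of editing domain.xml by hand. For the final step, `openssl s_client -connect <host>:8181 -showcerts` (8181 is the default https listener) is a better check than a browser because it shows whether the intermediate is actually served. Typos: "SSL/TSL", "Created intermediary pkcs12 keystore" (the other headings are imperatives), "pks12" twice, and "Please not" for "Please note".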