Posted by kalali
on March 1, 2010 at 1:03 AM PST
This post shows the steps to create a CSR (certificate signing request), send it to GoDaddy to get it signed and finally install the signed certificate in the GlassFish application server.
Here are the steps for preparing and installing an SSL certificate purchased from GoDaddy into a GlassFish v3 server. To learn more about GoDaddy certificates and the steps to buy one, take a look at http://www.godaddy.com/ssl/ssl-certificates.aspx?app_hdr= . Once you understand what GoDaddy offers and whether it suits your requirements, use the following steps to get the certificate and install it into GlassFish.
- Generate a key pair for your server using the following command. It generates an RSA key pair and stores it, under the alias www.domain.com, in a keystore of type JKS. Run it against keystore.jks, the keystore of your GlassFish domain (it lives in the domain's config directory and its default store password is changeit), so the private key is created where GlassFish will later read it. The values in -dname are placeholders: CN must be the exact host name clients will use, and C is the two-letter country code. Later on we will submit the public key portion, together with the other details provided during key generation, to a CA to sign it for us.
keytool -genkey -keysize 2048 -alias www.domain.com -keyalg RSA -dname "CN=www.domain.com,O=company,L=city,S=State,C=Country" -keypass changeit -storepass changeit -keystore keystore.jks
- You may check whether you entered the correct information in the key generation phase by listing the entry with the following command:
keytool -list -v -alias www.domain.com -keystore keystore.jks -storepass changeit
- Generate a CSR, which you then submit to GoDaddy for signing. This CSR contains the public key that matches the private key you generated previously:
keytool -certreq -alias www.domain.com -keystore keystore.jks -storepass changeit -keypass changeit -file server-2048.csr
Now, before you submit the CSR, make sure that you have backed up keystore.jks in a safe place, because it contains your private key; if you lose it, your certificate will be useless. Keep the file out of reach as well, because if a malicious person gets hold of it you will be in trouble unless you replace your certificate: with the private key in that file, anyone with basic knowledge can decrypt messages encrypted with your public key.
Now that you have a backup of the keystore and have purchased your certificate from GoDaddy, it is time to import the certificates into the keystore. GoDaddy will give you a certificate named something like domain.com.crt; besides it you need the GoDaddy CA certificates from the repository at https://certs.godaddy.com/repository/ . You will need to download the following ones (named here as they are used in the commands below): valicert_class2_root.crt (the root certificate), gd_cross_intermediate.crt (the cross certificate) and gd_intermediate.crt (the intermediate certificate).
Now place all of these files into the directory that holds keystore.jks (referred to below as $domain.dir), open a terminal (cmd on Windows) there and execute the following commands:
- Import the root certificate into the GlassFish keystore so that the intermediate certificates can be validated. keytool may tell you that the certificate already exists in the system-wide CA store (cacerts). If so, you do not need to import this one:
keytool -import -alias root -keystore keystore.jks -trustcacerts -file valicert_class2_root.crt
- Import the secondary (intermediate) CA certificates into the keystore so that the server certificate signed by GoDaddy can be validated and accepted:
keytool -import -alias cross -keystore keystore.jks -trustcacerts -file gd_cross_intermediate.crt
keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file gd_intermediate.crt
- Import the server certificate into the keystore. The alias used for the certificate must be the same as the alias used for the private key; otherwise the validation chain won't get completed and therefore the certificate won't be imported into the keystore.
keytool -import -alias www.domain.com -keystore keystore.jks -trustcacerts -file domain.com.crt
The certificate installation is finished; the only remaining step is changing the certificate nickname in your domain.xml file to the new alias we used in the above commands.
- Make sure that the domain is stopped: asadmin stop-domain domain_name
- Create a backup of domain.xml.
- Open domain.xml in a text editor like gedit, kate or WordPad and replace all occurrences of s1as with www.domain.com, which is the certificate alias.
- Save the file and start the domain in verbose mode: asadmin start-domain --verbose domain_name
- Open https://server:8181/ and see whether it works properly. If you use the exact name on the certificate, https://www.domain.com:8181/, you should get no warning and the whole thing should work properly. If you use https://localhost:8181/ you will get a warning about a mismatched certificate: the browser explains that the certificate is issued for www.domain.com but is installed on localhost.
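The two points a practitioner most often gets wrong here are the nickname edit and the alias check from the import step, so here is an added shell example (not from the original post) that does both: it switches the nickname in domain.xml with a backup, reports how many references remain, and, when keytool is on the PATH, confirms that the alias is a private-key entry rather than a plain trusted certificate. It assumes domain.xml carries the nickname as cert-nickname="s1as" in its <ssl> elements and that the keystore is the domain's keystore.jks with store password changeit; the domain.xml snippet inside is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. Switches the GlassFish
# certificate nickname in domain.xml from s1as to the new key alias (with a
# backup, as the post advises) and, where keytool is available, confirms that
# the alias really is a private-key entry in the domain keystore.
# Assumptions: domain.xml carries the nickname as cert-nickname="s1as" in its
# <ssl> elements, and the keystore is the domain's keystore.jks.
set -eu

# Replace every cert-nickname="s1as" with the new alias, keeping a .bak copy.
# Usage: switch_cert_nickname <domain.xml> <new-alias>
switch_cert_nickname() {
  xml=$1
  new_alias=$2
  cp "$xml" "$xml.bak"                       # keep the original around
  sed "s/cert-nickname=\"s1as\"/cert-nickname=\"$new_alias\"/g" "$xml.bak" > "$xml"
}

# Number of lines in the file that still carry the given nickname.
# Usage: count_nickname <domain.xml> <alias>   (prints 0 when none)
count_nickname() {
  grep -c "cert-nickname=\"$2\"" "$1" || true
}

# Confirm the alias is a PrivateKeyEntry (key pair + certificate chain), not a
# trustedCertEntry, so GlassFish can actually use it for its listeners.
# Usage: check_key_alias <keystore> <alias> <storepass>
check_key_alias() {
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
    | grep -q PrivateKeyEntry
}

# Constructed sample: the two <ssl> elements a GlassFish v3 domain.xml has
# (HTTPS listener and secure IIOP listener), trimmed to the relevant attributes.
write_sample_domain_xml() {
  cat > "$1" <<'EOF'
<domain>
  <ssl cert-nickname="s1as" ssl3-enabled="false" ssl2-enabled="false"></ssl>
  <ssl cert-nickname="s1as" client-auth-enabled="false"></ssl>
</domain>
EOF
}

# Demo run on the constructed file (real use: $domain.dir/domain.xml).
main() {
  tmp=$(mktemp)
  write_sample_domain_xml "$tmp"
  switch_cert_nickname "$tmp" www.domain.com
  echo "s1as left: $(count_nickname "$tmp" s1as), www.domain.com: $(count_nickname "$tmp" www.domain.com)"
  # Only meaningful next to a real keystore.jks with keytool installed.
  if command -v keytool >/dev/null 2>&1 && [ -f keystore.jks ]; then
    check_key_alias keystore.jks www.domain.com changeit && echo "alias has a private key"
  fi
  rm -f "$tmp" "$tmp.bak"
}

main
```

Run it from the directory that holds domain.xml and keystore.jks; if check_key_alias prints nothing, the certificate was imported under a different alias than the key and the server will not be able to use it.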