CSR Generation and Certificate Installation: Glassfish 4.x

1. Create a Keystore:

Use the following command to create a keystore:

> keytool -genkey -alias youralias -keyalg RSA -keystore yourkeystorename.jks -keysize 2048

Note: You will be prompted to enter a keystore password when you run the above command. The password of the newly created keystore must match the Glassfish master password, since the master password is used to access the certificate keystore. The default master password is “changeit” and can be changed with the “change-master-password” sub-command. Afterwards, you will be prompted for the following:

Ensure the details filled in here correspond to those communicated to us at the point of purchasing:
What is your first and last name? = Your Domain Name (e.g. www.Sectigo.com)
What is the name of your organizational unit? = Your Department (e.g. IT)
What is the name of your organization? = Your Organization (e.g. Sectigo CA Ltd)
What is the name of your City or Locality? = Your City (e.g. Clifton)
What is the name of your State or Province? = Your State (e.g. New Jersey)
What is the two-letter country code for this unit? = Your Country Code (e.g. US)


When all these have been filled in, you will be shown the summary to confirm accuracy. Type y and press enter. You will then be prompted to enter the key password for your alias. Simply press enter to leave the key password the same as the keystore password.

2. Generate CSR using the Keystore:

Use the following command to generate a CSR:

> keytool -certreq -alias youralias -file yourcsrname.csr -keystore yourkeystorename.jks

Note: Make sure that you specify the same values as in the previous command for [youralias] and [yourkeystorename].

3. Submit the CSR to CA:

If you purchased the certificate directly from Sectigo, then please log in to your account and upload the CSR contents on the required order.

4. Import the certificates into the keystore:

If you have received the certificate files from Sectigo, it's time to import them into the keystore. You can use PEM-encoded, PKCS#7 or DER-encoded .CER certificate files for importing into the keystore.

  • PEM

If you have received a ZIP containing four certificate files, run the following commands.

> keytool -import -v -trustcacerts -alias root -file AAACertificateServices.crt -keystore yourkeystorename.jks

> keytool -import -v -trustcacerts -alias USERTrustRSAAddTrustCA -file USERTrustRSAAddTrustCA.crt -keystore yourkeystorename.jks

> keytool -import -v -trustcacerts -alias SectigoRSADomainValidationSecureServerCA -file SectigoRSADomainValidationSecureServerCA.crt -keystore yourkeystorename.jks

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.crt -keystore yourkeystorename.jks

Note: Each certificate file needs to be imported with a unique alias value and the domain certificate’s alias must match the keystore alias.

  • PKCS#7

You can install the domain certificate (CRT) file on an up-to-date Windows machine and then export the p7b file.

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.p7b -keystore yourkeystorename.jks

  • DER Encoded .CER

> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.cer -keystore yourkeystorename.jks

Note: The above command only works on Java 7 and above.
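
Before moving on to step 5, it is worth confirming that the domain certificate was attached to the private key under youralias rather than stored as a separate trusted certificate, which is what happens when the alias does not match. The following is an added example, not part of the original guide: check_keystore_entry is a hypothetical helper name, and both listings are constructed samples in the format printed by keytool -list -v.

```shell
#!/bin/sh
# Reads `keytool -list -v` output on stdin and checks one alias.
# Usage: check_keystore_entry ALIAS [MIN_CHAIN_LENGTH]   (hypothetical helper)
# Prints "<entry type> <chain length>"; exits 0 only for a PrivateKeyEntry
# whose chain holds at least MIN_CHAIN_LENGTH certificates (default 2).
check_keystore_entry() {
    awk -v want="$1" -v min="${2:-2}" '
        BEGIN { want = tolower(want) }   # JKS aliases are case-insensitive
        /^Alias name: / { alias = tolower(substr($0, 13)) }
        /^Entry type: / { if (alias == want) { found = 1; type = substr($0, 13) } }
        /^Certificate chain length: / { if (alias == want) len = $4 + 0 }
        END {
            if (!found) { print "missing 0"; exit 2 }
            print type, len + 0
            exit !(type == "PrivateKeyEntry" && (len + 0) >= (min + 0))
        }'
}

# Constructed sample: reply imported under the key alias, chain built.
GOOD_LISTING='Alias name: youralias
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=www.example.com
Alias name: root
Creation date: Jan 1, 2024
Entry type: trustedCertEntry
Owner: CN=AAA Certificate Services'

# Constructed sample: domain certificate imported under a different alias,
# so the key entry still holds only its self-signed certificate.
BAD_LISTING='Alias name: youralias
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Alias name: mydomain
Creation date: Jan 1, 2024
Entry type: trustedCertEntry
Owner: CN=www.example.com'

printf '%s\n' "$GOOD_LISTING" | check_keystore_entry youralias 2 || echo "chain incomplete"
printf '%s\n' "$BAD_LISTING"  | check_keystore_entry youralias 2 || echo "chain incomplete"
# Real use:
#   keytool -list -v -keystore yourkeystorename.jks | check_keystore_entry youralias 2
```

The same check can be run against keystore.jks after step 5 to confirm the key entry and its chain arrived intact.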

5. Importing the original keystore into the default keystore:

After the certificates are successfully imported into the keystore, we need to move the certificates and the corresponding private key into the Glassfish default keystore named “keystore.jks”. Usually this file is located in the glassfish4/glassfish/domains/domain1/config directory, although the path to this file may slightly vary depending on the Glassfish installation folder and operating system. The following keytool command should be used for importing one keystore into another:

> keytool -importkeystore -srckeystore yourkeystorename.jks -destkeystore keystore.jks

NOTE: Since the destination keystore password and the Glassfish master password must match, make sure that you have the same passwords for the source and destination keystore. If they are different, it is possible to change the Glassfish master password with the help of the “change-master-password” sub-command, specifying the source keystore password. This action will update the destination keystore password as well.

6. Configure Http-listener-2:

On the Glassfish Admin console, go to Configurations -> Server Config -> http-listener-2 and:

  1. Under the General tab, change the port from 8181 to 443 (unless you want to use a different port).
  2. Under the SSL tab, change the Certificate NickName from s1as to the alias of the main certificate (youralias), which should be the same as the keystore alias.
  3. Save.


Please use Qualys SSL Server Test tool to get a brief report of your server's security settings and certificate installation.