1. Create a Keystore:
Use the following command to create a keystore:
> keytool -genkey -alias youralias -keyalg RSA -keystore yourkeystorename.jks -keysize 2048
Note: You will be prompted to enter keystore password when you run the above command. The password of the newly created keystore must match the Glassfish's master password, since the master password is used to access the certificate keystore. The default master password is “changeit” and can be changed with the help of the “change-master-password” sub-command. Afterwards, you will be prompted for the following:
Ensure the details filled in here correspond to those communicated to us at the point of purchasing,
What is your first and last name? = Your Domain Name (e.g. www.Sectigo.com)
What is the name of your organizational unit? = Your Department (e.g. IT)
What is the name of your organization? = Your Organization (e.g. Sectigo CA Ltd)
What is the name of your City or Locality? = Your City (e.g. Clifton)
What is the name of your State or Province? = Your State (e.g. New Jersey)
What is the two-letter country code for this unit? = Your Country Code (e.g. US)
When all these have been filled in, you will be shown the summary to confirm accuracy. Type y and press enter. You will then be prompted to enter the key password for your alias. Simply press enter to leave the key password the same as the keystore password.
2. Generate CSR using the Keystore:
Use the following command to generate a CSR,
> keytool -certreq -alias youralias -file yourcsrname.csr -keystore yourkeystorename.jks
Note: Make sure that you specify the same values as in the previous command for [youralias] and [yourkeystorename].
3. Submit the CSR to CA:
If you purchased the certificate directly from Sectigo, then please login to your account and upload the CSR contents on the required order.
4. Import the certificates into the keystore:
If you have received the certificate files from Sectigo, its time to import them into the keystore. You can use PEM-encoded or PKCS#7 or DER encoded .CER certificate files for importing into the keystore.
If you have received four certificate files ZIP, run the following commands.
> keytool -import -v -trustcacerts -alias root -file AAACertificateServices.crt -keystore yourkeystorename.jks
> keytool -import -v -trustcacerts -alias USERTrustRSAAddTrustCA -file USERTrustRSAAddTrustCA.crt -keystore yourkeystorename.jks
> keytool -import -v -trustcacerts -alias SectigoRSADomainValidationSecureServerCA -file SectigoRSADomainValidationSecureServerCA.crt -keystore yourkeystorename.jks
> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.crt -keystore yourkeystorename.jks
Note: Each certificate file needs to be imported with a unique alias value and the domain certificate’s alias must match the keystore alias.
> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.p7b -keystore yourkeystorename.jks
> keytool -import -alias youralias -trustcacerts -file your_domain_certificate.cer -keystore yourkeystorename.jks
Note: The above command only works on Java 7 and above
5. Importing the original keystore into the default keystore:
After the certificates are successfully imported into the keystore, we need to move the certificates and the corresponding private key into the Glassfish default keystore named “keystore.jks”. Usually this file is located in the glassfish4/glassfish/domains/domain1/config directory, although the path to this file may slightly vary depending on the Glassfish installation folder and operating system. The following keytool command should be used for importing one keystore into another:
> keytool -importkeystore -srckeystore yourkeystorename.jks -destkeystore keystore.jks
NOTE: Since the end-point keystore password and Glassfish master password must match, make sure that you have the same passwords for the source and destination keystore. If they are different, it is possible to change the Glassfish master password with the help of the “change-master-password” sub-command specifying the source keystore password. This action will update the destination keystore password as well.
6. Configure Http-listener-2:
On the Glassfish Admin console, go to Configurations -> Server Config -> http-listener-2 and:
8. VERIFY THE INSTALLATION:
Please use Qualys SSL Server Test tool to get a brief report of your server's security settings and certificate installation.