There are two files in GlassFish [1], to wit:
- ./glassfish/domains/domain1/config/keystore.jks
- ./glassfish/domains/domain1/config/cacerts.jks
The way I read it, your private keys are stored in keystore.jks, and the root and intermediate certificates of Certificate Authorities (CAs) are stored in cacerts.jks. When configured correctly, these two files together contain all the certificates needed to build the necessary chain of trust.
Checking the keystore can be done using the following command line:
keytool -list -v -keystore keystore.jks
The default keystore password is "changeit".
You get the following:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: glassfish-instance
Creation date: May 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Issuer: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Serial number: 43ce5f77
Valid from: Wed May 15 07:33:41 CEST 2013 until: Sat May 13 07:33:41 CEST 2023
Certificate fingerprints:
MD5: C0:FA:88:64:36:7A:1B:62:1B:F1:BD:8F:5A:7A:9A:E7
SHA1: B1:FA:A8:2B:7C:83:18:A8:9B:C6:46:50:41:EC:FC:7C:DF:69:B3:33
SHA256: 52:AB:1F:37:75:68:92:8F:3D:02:49:D7:3C:8E:BC:53:76:9B:68:E2:B8:83:AF:ED:4C:39:99:FE:45:F1:F1:67
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 56 50 2C 8F D9 A2 55 80 18 8F 3D 90 AC 77 28 C3 VP,...U...=..w(.
0010: FE A0 55 F6 ..U.
]
]
*******************************************
*******************************************
Alias name: s1as
Creation date: May 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Issuer: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Serial number: 4a9972f
Valid from: Wed May 15 07:33:38 CEST 2013 until: Sat May 13 07:33:38 CEST 2023
Certificate fingerprints:
MD5: 79:0D:FC:CF:99:32:2B:BE:77:36:40:4A:14:E1:2D:91
SHA1: 4A:57:58:F5:92:79:E8:2F:2A:91:3C:83:CA:65:8D:69:64:57:5A:72
SHA256: AB:48:B2:E6:C4:4C:50:86:7F:B3:70:30:83:F1:CE:E8:06:F4:B5:75:F0:E3:AD:5B:23:38:10:02:A8:85:F5:56
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4C 05 82 BD 8C 02 B8 05 00 04 14 0A FB 29 AA F7 L............)..
0010: 48 6C CB 86 Hl..
]
]
*******************************************
*******************************************
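The listing above is what you get before any CA-issued certificate has been installed: both PrivateKeyEntry entries have Owner equal to Issuer and a chain length of 1. As an added example (not part of the original post), the following Python script parses `keytool -list -v` output and flags exactly those conditions, plus expired or soon-to-expire certificates. The sample input is an abridged copy of the listing above; the function names and the 30-day warning threshold are my own choices.

```python
import re
from datetime import datetime

# Constructed sample input: an abridged copy of the `keytool -list -v`
# output shown above (fingerprints and extensions dropped for brevity).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: glassfish-instance
Creation date: May 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Issuer: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Serial number: 43ce5f77
Valid from: Wed May 15 07:33:41 CEST 2013 until: Sat May 13 07:33:41 CEST 2023

*******************************************
*******************************************

Alias name: s1as
Creation date: May 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Issuer: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Serial number: 4a9972f
Valid from: Wed May 15 07:33:38 CEST 2013 until: Sat May 13 07:33:38 CEST 2023
"""

VALIDITY_RE = re.compile(r"Valid from: (.+?) until: (.+)$")


def parse_keytool_date(text):
    """Parse 'Wed May 15 07:33:41 CEST 2013'. keytool prints the zone by name,
    which strptime cannot map reliably, so the zone token is dropped and the
    result is a naive datetime in whatever zone keytool used."""
    parts = text.split()
    del parts[4]  # tokens: weekday month day time [zone] year
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_listing(listing):
    """Turn the keytool listing into one dict per alias, keeping only the
    first certificate of each entry (Certificate[1], the entry's own cert)."""
    entries = []
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            current["chain_length"] = int(line.split(":", 1)[1])
        elif line.startswith("Owner:") and "owner" not in current:
            current["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and "issuer" not in current:
            current["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:") and "not_after" not in current:
            m = VALIDITY_RE.match(line)
            current["not_before"] = parse_keytool_date(m.group(1))
            current["not_after"] = parse_keytool_date(m.group(2))
    return entries


def audit_listing(listing, now_iso):
    """Return [(alias, [problems...]), ...]. The reference time is passed as
    an ISO string so a run is reproducible."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for e in parse_listing(listing):
        problems = []
        if e.get("entry_type") == "PrivateKeyEntry":
            # A server key whose certificate is its own issuer is still the
            # generated default, not a CA-issued certificate.
            if e.get("owner") == e.get("issuer"):
                problems.append("self-signed")
            if e.get("chain_length", 0) < 2:
                problems.append("no CA chain")
        if "not_after" in e:
            if e["not_after"] < now:
                problems.append("expired")
            elif (e["not_after"] - now).days < 30:
                problems.append("expires within 30 days")
        findings.append((e["alias"], problems))
    return findings


if __name__ == "__main__":
    for alias, problems in audit_listing(SAMPLE_LISTING, "2013-06-01T00:00:00"):
        print(alias, ", ".join(problems) or "ok")
```

Feed it the real output with `keytool -list -v -keystore keystore.jks | python3 audit.py` (after swapping `SAMPLE_LISTING` for `sys.stdin.read()`); trustedCertEntry entries in cacerts.jks parse the same way, and since self-signed is normal for a trust anchor the self-signed and chain checks are only applied to PrivateKeyEntry entries.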
There's also a keystore that comes bundled with your Java installation; usually it can be found in the security directory of the JRE.
You can view all the certificates in there using:
keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.60-2.b27.el7_1.x86_64/jre/lib/security/cacerts
Back up your keystore.jks
Just a simple copy will do.
cp keystore.jks keystore.jks.backup
Delete the default self-signed certificate
keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
Generating a certificate request
The request we are about to generate is submitted to the Certificate Authority for signing. For more information, see the chapter "To Sign a Certificate by Using keytool" in [1]. Using RSA gives a default key size of 2048 bits.
[glassfish@vps386 config]$ keytool -genkeypair -keyalg RSA -keystore keystore.jks -validity 365 -alias s1as
Enter keystore password:
What is your first and last name?
[Unknown]: www.hostname.org
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=www.hostname.org, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <s1as>
(RETURN if same as keystore password):
[glassfish@vps386 config]$
The CSR (Certificate Signing Request) can then be generated into the file s1as.csr:
keytool -certreq -alias s1as -file s1as.csr -keystore keystore.jks -storepass changeit
The generated file should look something like the following:
-----BEGIN NEW CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END NEW CERTIFICATE REQUEST-----
Submit the CSR to a Certificate Authority
I did this using GoDaddy.Com. Most CAs have a web interface that provides this functionality.
Download the CA certificates and any intermediate CA certificates
This is where it gets a little problematic. I keep hearing that a lot of CAs do not provide all or the proper certificates in the download, and you are forced to check out their public repository for the right files.
Then there are all the possible formats in which the certificates can be stored.
Downloading the zip file from GoDaddy.com gave me the following files:
- gd_bundle-g2-g1.crt: the root and intermediate certificates of your CA
- b9683876305fc322.crt: your private certificate that should be kept private
Check out the CA certificates
keytool -printcert -v -file gd_bundle-g2-g1.crt
Import the CA certificate and any intermediate CA certificates
keytool -import -v -trustcacerts -alias godaddy -file /home/glassfish/junk/gd_bundle-g2-g1.crt -keystore cacerts.jks -storepass changeit
Certificate was added to keystore
[Storing cacerts.jks]
Replace the original self-signed certificate with the certificate you obtained from the CA
keytool -import -v -trustcacerts -alias s1as -file /home/glassfish/junk/b9683876305fc322.crt -keystore keystore.jks -storepass changeit
Verify the certificate chain
Unfortunately, not providing all the certificates required to build up the chain will cause an exception when adding the certificate for your private key [4].
openssl s_client -connect www.karchan.org:4848
Shows the following Certificate chain:
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=www.karchan.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
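The point of the s_client check is that every certificate the server sends should be issued by the next one in the list, ending in a self-signed root. As an added example (not part of the original post), this Python script parses that "Certificate chain" section and reports any gap, using the output above as the good case and a constructed two-certificate chain with the intermediate missing as the failure case; the function names are mine.

```python
import re

# Constructed sample: the "Certificate chain" section of the openssl s_client
# output shown above, copied verbatim (a complete chain up to a self-signed root).
FULL_CHAIN = """\
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.karchan.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
"""

# Constructed failure case: the intermediate was never imported into the
# keystore, so the server sends only the leaf and the root; the leaf's issuer
# matches nothing that follows it.
BROKEN_CHAIN = """\
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.karchan.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    certs = []
    in_chain = False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":  # end of the chain section
            break
        m = SUBJECT_RE.match(line)
        if m:
            certs.append([m.group(2).strip(), None])
            continue
        m = ISSUER_RE.match(line)
        if m and certs:
            certs[-1][1] = m.group(1).strip()
    return [tuple(c) for c in certs]


def check_chain(certs):
    """Check that each certificate's issuer is the subject of the next one.
    Returns a report dict; 'ok' means no gaps. 'ends_in_root' is reported
    separately because a server may legitimately omit a root the client
    already trusts."""
    report = {"depth": len(certs), "gaps": [], "missing": [], "ends_in_root": False}
    for d in range(len(certs) - 1):
        issuer = certs[d][1]
        if issuer != certs[d + 1][0]:
            report["gaps"].append(d)
            report["missing"].append(issuer)
    if certs:
        report["ends_in_root"] = certs[-1][0] == certs[-1][1]
    report["ok"] = not report["gaps"]
    return report


if __name__ == "__main__":
    for label, text in (("full", FULL_CHAIN), ("broken", BROKEN_CHAIN)):
        r = check_chain(parse_chain(text))
        print(label, "ok" if r["ok"] else "missing issuer(s): " + "; ".join(r["missing"]))
```

To run it against a live server, replace the constants with the captured output of `openssl s_client -connect host:port` (read from stdin). Note that this only checks the names line up; whether the signatures actually verify is what `openssl s_client`'s own "Verify return code" line, or keytool on import, tells you.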
Another way to verify the chain is by using Microsoft Windows.
On Linux, I find that Keystore-Explorer [5] fulfils my needs.
References
- [1] GlassFish Server Open Source Edition Security Guide, Release 4.0: https://glassfish.java.net/docs/4.0/security-guide.pdf
- [2] GlassFish Server Open Source Edition Administration Guide, Release 4.0: https://glassfish.java.net/docs/4.0/administration-guide.pdf
- [3] Java Dude Blog, "Glassfish V3.1.2 and SSL": https://javadude.wordpress.com/2013/03/22/glassfish-v3-1-2-and-ssl//
- [4] StackOverflow, "Keytool error java lang exception failed to establish chain from reply": http://stackoverflow.com/questions/23611688/keytool-error-java-lang-exception-failed-to-establish-chain-from-reply
- [5] SourceForge, Keystore-Explorer: http://keystore-explorer.sourceforge.net/