users@glassfish.java.net

Re: Glassfish not sending Intermediate CA Certificates

From: <glassfish_at_javadesktop.org>
Date: Tue, 13 May 2008 05:41:29 PDT

The trusted CA certs should be in cacerts.jks of GlassFish and not keystore.jks. Only s1as needs to be in keystore.jks.

At the same time, please note that if a cert-chain was present in the certificate issued by VeriSign then you might be able to use the following code to correctly replace the original "s1as" certificate with the one obtained from VeriSign while retaining the private key...

import java.io.*;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

public class Main {

    public static void main(String[] args) throws Exception {
        // args[] error checking logic omitted
        // File containing the signed cert reply from the CA
        String csrReplyFromCA = args[0];
        // Path to GlassFish keystore.jks
        String keystoreLocation = args[1];
        // Password for GlassFish keystore.jks
        String keystorePassword = args[2];
        // The key alias to be replaced: s1as in our example
        String selfSignedKeyEntry = args[3];

        // Parse every certificate in the CA reply (the signed cert plus any chain)
        Collection<? extends Certificate> certs;
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(csrReplyFromCA)) {
            certs = cf.generateCertificates(in);
        }

        // Load the keystore and fetch the existing private key
        char[] passwordChars = keystorePassword.toCharArray();
        KeyStore keystore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystoreLocation)) {
            keystore.load(in, passwordChars);
        }
        Key key = keystore.getKey(selfSignedKeyEntry, passwordChars);

        // Now replace the original entry: same alias and private key, new chain.
        // The chain must start with the certificate for this key, followed by its issuers.
        Certificate[] certchain = certs.toArray(new Certificate[0]);
        keystore.setKeyEntry(selfSignedKeyEntry, key, passwordChars, certchain);

        // Write the keystore back; try-with-resources closes the file
        try (OutputStream out = new FileOutputStream(keystoreLocation)) {
            keystore.store(out, passwordChars);
        }
    }
}

See also: http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]

http://forums.java.net/jive/thread.jspa?messageID=274006
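
An added example, not part of the original post or of GlassFish: a check to run after the replacement above, confirming that the key entry holds a chain longer than one certificate, that each certificate is signed by the next, and that the retained private key matches the first certificate. The class name `CheckChain` and the probe string are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical helper, not from the original post.
public class CheckChain {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CheckChain <keystore.jks> <password> <alias>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        String alias = args[2];
        KeyStore keystore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            keystore.load(in, password);
        }
        Certificate[] chain = keystore.getCertificateChain(alias);
        if (chain == null || !keystore.isKeyEntry(alias)) {
            throw new IllegalStateException("no key entry under alias " + alias);
        }
        // A length of 1 means the entry carries no intermediate CA certificates.
        System.out.println("chain length: " + chain.length);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            System.out.println(i + ": " + cert.getSubjectX500Principal());
            if (i + 1 < chain.length) {
                // Throws if chain[i] was not signed by chain[i + 1]:
                // the chain is out of order or has a gap.
                cert.verify(chain[i + 1].getPublicKey());
            }
        }
        // Sign a constructed probe with the private key and verify it with the
        // first certificate to confirm the two still belong together.
        PrivateKey key = (PrivateKey) keystore.getKey(alias, password);
        String keyAlg = key.getAlgorithm();
        String sigAlg = "SHA256with" + ("EC".equals(keyAlg) ? "ECDSA" : keyAlg);
        byte[] probe = "chain-check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(probe);
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(chain[0].getPublicKey());
        verifier.update(probe);
        System.out.println("key matches first cert: " + verifier.verify(signer.sign()));
    }
}
```

Run it against a copy of keystore.jks with the s1as alias; an exception from `verify` or a `false` on the last line means the entry should not be deployed as is.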