users@glassfish.java.net

Re: RE: Recreating s1as key entry and its role in the keystore

From: <glassfish_at_javadesktop.org>
Date: Wed, 05 Aug 2009 11:32:48 PDT

Here is what I would do...

Reinstall Glassfish, then the default keystore.jks and cacerts.jks keystores are automatically created for you.

I wouldn't try to recreate the cacerts.jks any other way, since it is loaded with a bunch of root certs. Once you receive certs back from a CA, import the class and root certs directly into cacerts.jks.

Regarding your signed key/certificate pair (e.g. myalias) that would go into keystore.jks, the easiest way I know is to generate a new keypair in the original keystore.jks, which would contain the s1as keypair. Do this as follows...

Assuming that JAVA_HOME is in the path, open the command prompt:
1. cd into the \domains\domain1\config directory
2. type: keytool -genkey -alias myalias -keyalg rsa -keysize 1024 -validity 3650 -keystore keystore.jks -keypass changeit -storepass changeit
3. type: keytool -certreq -alias myalias -keystore keystore.jks -file c:\certreq.pem -keypass changeit -storepass changeit

Notes:
-- myalias is whatever you want to call your CA signed keypair.
-- use the contents of certreq.pem to send to the CA for signing.
-- when you get the signed cert back from the CA, save it in another .pem file, then import the root, class and signed cert back into the keystore.jks
-- import the root and class certs into cacerts.jks

Does this make sense?

There are many ways of accomplishing the same end result, but this should get you to where you have a signed keypair in keystore.jks (along with the default s1as).

You can then start Glassfish, go to the admin console and set up SSL using the default s1as cert nickname for http-listener-2. Restart Glassfish, then in your browser enter https://localhost:8181; you should get the SSL padlock, and you will see that it is protected by a self-signed cert.

If all is well, go back into the Glassfish admin console and change the cert nickname to myalias (or whatever you called your alias for the CA signed cert). Restart Glassfish, then in your browser enter https://localhost:8181; you should get the SSL padlock, and this time it should be protected by the CA signed cert.

Hope this helps.

Derek
[Message sent by forum member 'djsceats' (djsceats)]

http://forums.java.net/jive/thread.jspa?messageID=359050
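A check for the result of the import steps above, written as an added example (not code from the post or from GlassFish): it loads both keystores with the java.security.KeyStore API and confirms that the alias's chain is complete and ends at a certificate held in cacerts.jks. It assumes Java 7 or later, the JKS keystores in domains/domain1/config, and the alias myalias and changeit passwords used in the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added check, not GlassFish code: confirms that a key entry in keystore.jks carries a
// complete chain ending at a certificate held in cacerts.jks. Assumes it is run from
// domains/domain1/config with the alias and "changeit" passwords used in the post.
public class CheckChain {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "myalias";  // pass "s1as" to check the default entry
        char[] password = "changeit".toCharArray();
        KeyStore keystore = load("keystore.jks", password);
        KeyStore cacerts = load("cacerts.jks", password);
        Certificate[] chain = keystore.getCertificateChain(alias);  // null unless alias is a key entry
        if (chain == null) {
            System.out.println("no key entry '" + alias + "' in keystore.jks");
            System.exit(1);
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity();  // throws CertificateExpiredException / CertificateNotYetValidException
        System.out.println("leaf: " + leaf.getSubjectX500Principal() + ", chain length " + chain.length);
        // Each link must be signed by the next; a missing intermediate ("class" cert) fails here.
        for (int i = 0; i < chain.length - 1; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());
        }

        // The last link must be signed by (or be) a certificate in cacerts.jks. The default
        // self-signed s1as entry has no such anchor, which is why the browser warns about it.
        Certificate last = chain[chain.length - 1];
        for (String a : Collections.list(cacerts.aliases())) {
            Certificate anchor = cacerts.getCertificate(a);
            if (anchor == null) continue;
            try {
                last.verify(anchor.getPublicKey());
                System.out.println("chain anchored at cacerts.jks alias '" + a + "'");
                return;
            } catch (Exception notTheSigner) { /* try the next entry */ }
        }
        System.out.println("chain for '" + alias + "' does not end at any certificate in cacerts.jks");
        System.exit(1);
    }
}
```

Compile and run it as `javac CheckChain.java && java CheckChain myalias` from the config directory; a non-zero exit means the import in the notes above is incomplete.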