users@glassfish.java.net

Re: Help installing SSL certificate from GoDaddy

From: Alex Sherwin <alex.sherwin_at_acadiasoft.com>
Date: Wed, 16 Dec 2009 16:52:46 -0500

Sebastian Choren wrote:
> Thank you man! But I already tried that, and it didn't work for me. Maybe
> I'm doing something wrong?
> When I put the output file (keystore.ImportKey) in
> domain1/config/keystore.jks so glassfish would read it (that was a
> guess, I don't know if I should do that), when I tried to start
> glassfish it threw an exception telling that the key password and
> keystore password aren't the same, or something like that.
>
> Most likely I'm doing something wrong. If I just follow that howto,
> should it work? Or should I do something else they assume I know?
>
> thank you
> Sebastián Choren
>
>
>
> On Wed, Dec 16, 2009 at 5:17 PM, Alex Sherwin
> <alex.sherwin_at_acadiasoft.com> wrote:
>
>> Sebastian Choren wrote:
>>
>>> Hi. I'm trying to install an SSL certificate I bought from GoDaddy.
>>> The thing is that I created the CSR with OpenSSL instead of using
>>> keytool. Now, is there any way that I can import the key file in the
>>> Glassfish keystore?
>>>
>>> Thanks in advance
>>>
>>> Sebastián Choren
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>
>> Yes, but you have to do a bit of leg work to get your private key used to
>> generate your CSR into a keystore:
>>
>> http://www.agentbob.info/agentbob/79-AB.html
>>
>
The high-level steps of what you really need to do are:

- Create a JKS keystore with the private key used to generate your CSR
(this JKS keystore MUST have the same master password as your domain, or
else glassfish won't be able to open it)
- Import the GoDaddy CA certificate chain they provided you (probably
gd_bundle) into the new JKS keystore from the previous step using
keytool, use the -trustcacerts option, and provide it an alias
(something like godaddyca)
- Import the GoDaddy CA certificate chain they provided you (probably
gd_bundle) into the JKS truststore (not keystore) of your domain, which
is [domain]/config/cacerts.jks, use the same alias as the previous step
- Import the signed certificate from GoDaddy into the (new) JKS keystore
using keytool, use the -trustcacerts option, give it an alias (like
www.mydomain.com)
- If your keystore is named keystore.jks (and want it to be named that),
replace the existing config/keystore.jks in your domain with the new
one. If you want to change the name, you can change the JVM options
used to start glassfish (there are two JVM options that specify the
trust store and key store files)
- In your domain.xml configuration, there are numerous references to the
alias of the certificate to use, the default is "s1as", you can
search/replace this alias in the domain.xml config with your new alias
"www.mydomain.com"

That should be it
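
The keystore and truststore steps from the message above as a script, added here as an example and not part of the original thread. It swaps in an OpenSSL PKCS#12 export plus `keytool -importkeystore` for the linked ImportKey how-to, which also pairs the signed certificate with the key in one step; the file names (server.key, server.crt, gd_bundle.crt, new-keystore.jks), the domain path and the MASTER_PW variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed inputs in the current directory:
#   server.key    private key used to generate the CSR
#   server.crt    signed certificate returned by the CA
#   gd_bundle.crt CA chain bundle
# MASTER_PW must be exported and equal the GlassFish domain master password.
set -eu
DOMAIN_CFG="${DOMAIN_CFG:-domain1/config}"   # assumed domain config directory
ALIAS="${ALIAS:-www.mydomain.com}"           # alias used in the message
CA_ALIAS="${CA_ALIAS:-godaddyca}"            # alias used in the message

# Print the command when DRY_RUN=1 (the default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

install_cert() {
    # keytool cannot import a bare private key, so bundle key, signed
    # certificate and CA chain into a PKCS#12 file first. The password is
    # read from the environment rather than placed on the command line.
    run openssl pkcs12 -export -inkey server.key -in server.crt \
        -certfile gd_bundle.crt -name "$ALIAS" \
        -out server.p12 -passout env:MASTER_PW

    # Convert to JKS. Store password and key password are both set to the
    # master password; a mismatch between them is the startup error
    # reported earlier in the thread.
    run keytool -importkeystore \
        -srckeystore server.p12 -srcstoretype PKCS12 \
        -srcstorepass:env MASTER_PW -srcalias "$ALIAS" \
        -destkeystore new-keystore.jks -deststoretype JKS \
        -deststorepass:env MASTER_PW -destkeypass:env MASTER_PW \
        -destalias "$ALIAS"

    # Import the CA bundle under the same alias into the new keystore and
    # the domain truststore (assumed to use the master password as well).
    for store in new-keystore.jks "$DOMAIN_CFG/cacerts.jks"; do
        run keytool -importcert -noprompt -trustcacerts -alias "$CA_ALIAS" \
            -file gd_bundle.crt -keystore "$store" -storepass:env MASTER_PW
    done

    # Confirm the alias holds a private key entry with its certificate chain.
    run keytool -list -v -alias "$ALIAS" -keystore new-keystore.jks \
        -storepass:env MASTER_PW
}

install_cert
```

Run it once as is to review the plan, then with `DRY_RUN=0` and `MASTER_PW` exported. Replacing config/keystore.jks and changing the `s1as` alias in domain.xml remain manual steps as described in the message.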