users@glassfish.java.net

Re: renewing an expiring SSL cert

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Thu, 8 Sep 2011 09:41:13 +0530

(1) As a first step, are you able to revert the changes and bring your GlassFish to a working state (with the current certs that are about to expire)? Please do that first.

(2) The error you are seeing simply means either the keystore password of new.jks or the key password for the key inside new.jks does not match the GlassFish master-password. There is no other black magic.

So if you are successful in step (1), then when creating new.jks make sure you use the master-password while creating new.jks, and no other password should be used. Also make sure the alias that you are using inside new.jks is what is expected in domain.xml (the default is s1as).


If you wish to try it again, can you please try using the instructions in the GlassFish 3.1 Security Guide:

http://download.oracle.com/docs/cd/E18930_01/html/821-2435/ablqz.html#scrolltoc

Specifically, look at: To Sign a Certificate by Using keytool


On 02-Sep-2011, at 8:49 PM, xkaliburx wrote:

>
> Forgot about this usergroup, the java.net forums are either 503'ing, slow,
> can't login, etc. But here's the deal. I have 3 glassfish 2 servers with
> an SSL cert that will expire in a week so I have a little time to play.
>
> I have followed the docs on how to generate a new keystore, CSR request,
> etc. and now I am stuck. I have the old keystore.jks file running fine and
> a new file (new.jks). I have imported the root, intermediate and cert into
> the new.jks, then told the domain.xml file to use that and it bombs with the
> following:
>
> Caused by: java.lang.IllegalStateException:
> java.security.UnrecoverableKeyException: Cannot recover key
> at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
>
> I can test to make sure the cert is in using the keytool;
> keytool -list -v -keystore new.jks -alias myalias and get the info (this is
> just the top);
>
> Owner: CN=api.mydomain.com, OU=Domain Control Validated - RapidSSL(R),
> OU=See www.rapidssl.com/resources/cps (c)11, OU=GT06273877,
> O=api.mydomain.com, C=US, SERIALNUMBER=uqovQ4SFeb-FcCu5KrGxbRef3IomKkVc
> Issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
> Serial number: 2fea8
> Valid from: Tue Aug 30 22:56:35 EDT 2011 until: Fri Nov 01 03:05:11 EDT 2013
>
> I don't think the original PW was ever changed, so I made the pass on this
> new.jks file the same. I am looking around and reading while I wait for a
> reply, but I am not sure if I can simply import the new .cert file into the
> existing one. When playing I got a "root already exists", so deleted that
> alias, imported, etc. but that went down a road of errors, so I am wondering
> if it's simply best to use the new.jks file I made, with the new cert, etc.
> and just get GF to play nice.
>
> Also I assume once this is fixed, I can copy the file over along with
> whatever change I make to get it to work to the other servers.
>
> Please let me know if I need to provide any other details, commands, etc. as
> this is a bit timely.
>
> Thanks
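The two passwords Kumar points at (keystore password and key password, both expected to equal the master-password) can be checked offline before domain.xml is switched to new.jks again. The following is an added example, not code from this thread or from GlassFish; the class name KeystoreCheck and the MASTER_PASSWORD environment variable are assumptions of the example. It loads the keystore with the master password and then tries to recover the private key under the alias with that same password, which is the same two-step check that fails in SSLUtils at startup, and it reports which of the two steps fails.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

// Reproduces the two checks GlassFish makes at startup: the keystore opens with the
// master password, and the private key under the SSL alias (default "s1as") can be
// recovered with that same password. Either failing shows up as "Cannot recover key".
public class KeystoreCheck {
    /** Which of the two passwords (if any) is wrong. */
    enum Result { OK, BAD_STORE_PASSWORD, ALIAS_MISSING, NOT_A_KEY_ENTRY, BAD_KEY_PASSWORD }

    static Result check(String path, String alias, char[] masterPassword) throws IOException {
        KeyStore ks;
        try (FileInputStream in = new FileInputStream(path)) {
            ks = KeyStore.getInstance("JKS");
            // JKS signals a wrong store password as an IOException whose cause is
            // UnrecoverableKeyException("Password verification failed").
            ks.load(in, masterPassword);
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) return Result.BAD_STORE_PASSWORD;
            throw e;
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot read keystore " + path, e);
        }
        try {
            if (!ks.containsAlias(alias)) return Result.ALIAS_MISSING;
            // A trusted-certificate entry (an imported CA cert) has no private key to recover.
            if (!ks.isKeyEntry(alias)) return Result.NOT_A_KEY_ENTRY;
            ks.getKey(alias, masterPassword); // GlassFish uses the master password here too
            return Result.OK;
        } catch (UnrecoverableKeyException e) {
            return Result.BAD_KEY_PASSWORD;
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot read entry " + alias, e);
        }
    }

    public static void main(String[] args) throws IOException {
        String pw = System.getenv("MASTER_PASSWORD"); // read from the environment, not argv
        if (args.length != 2 || pw == null) {
            System.err.println("usage: MASTER_PASSWORD=... java KeystoreCheck <keystore.jks> <alias>");
            System.exit(2);
        }
        Result r = check(args[0], args[1], pw.toCharArray());
        System.out.println(args[0] + " / " + args[1] + ": " + r);
        System.exit(r == Result.OK ? 0 : 1);
    }
}
```

Run it against new.jks with the alias named in domain.xml; BAD_KEY_PASSWORD with a good store password means the key was generated or imported with a different -keypass and has to be re-created (or changed with keytool -keypasswd) to the master-password.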