import ssl certificate in Glassfish

跟風遠走 submitted on 2019-12-20 09:40:45

Question


I have the following issue:

I obtained a free certificate from Comodo (90 days) for my GlassFish web application and then I imported the certs into GlassFish 3.1 by following http://javadude.wordpress.com/2010/04/06/getting-started-with-glassfish-v3-and-ssl/

I have also modified the domain.xml file by replacing the alias s1as with my certificate alias and the file keystore.jks with the server.keystore... but when I try to access my web application over the https protocol I get the following log error:

[#|2012-10-12T14:41:18.828+0200|WARNING|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=25;_ThreadName=http-thread-pool-443(1);|GRIZZLY0007: SSL support could not be configured! java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.

Please help me... I know that here I can find the solution to my issue...


Answer 1:


Unfortunately I don't have enough reputation to post images of the GlassFish admin console, but let me try to help somebody just using text.

NOTE1: The configuration was done on Ubuntu 12.04 server and glassfish 3.1.2

Comodo gives you 4 files

  • your_domain.key (your private key)
  • your_domain.crt (your public key)
  • PositiveSSLCA2.crt (CA public key)
  • AddTrustExternalCARoot.crt (CA public key)

Import every public key into the file cacerts.jks. To do that merge the public key files in one file:

NOTE2: The order of the files DOES matter.

cat your_domain.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt  > all.crt

Now import them using keytool:

keytool -import -trustcacerts -alias tomcat -file all.crt -keystore cacerts.jks

Create a p12 file with your private key:

NOTE3: You can use the same password for every file to make things easier.

openssl pkcs12 -export -in all.crt -inkey your_domain.key -out your_domain.p12 -name your_alias -CAfile PositiveSSLCA2.crt -caname immed

NOTE4: Don't forget your alias (your_alias), you will need to reference it in the GlassFish admin console later.

Now import the private key using keytool:

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore your_domain.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias your_alias

Now your keystore.jks (with your private keys) and your cacerts.jks (with your public key) are ready to be used. If you want to check if everything is OK, run:

keytool -list -keystore keystore.jks
keytool -list -keystore cacerts.jks

Go to the GlassFish admin console and find the section:

  • Configurations->server-config->HTTP Service->Http Listeners->http-listener-2

Go to the SSL tab and change the Certificate NickName to your_domain.

Restart Glassfish server.




Answer 2:


Preconditions:

  • installed keytool and GlassFish 4.x (with default keystore password changeit)
  • your source keystore used to generate CSR
    • e.g. ~/mySourceKeystore.jks with password myPassword and private key with alias myAlias
  • your valid certificate (obtained from CA)
    • e.g. ~/myCertificate.crt with password myPassword and alias myAlias
  • certificate of CA (obtained from CA)
    • e.g. ~/AwesomeCA.crt

Here are all the steps to import an SSL certificate into GlassFish:

  1. Navigate to GLASSFISH-HOME/domains/domain1/config

  2. Import your source keystore (with private key) into GlassFish keystore:

    $ keytool -importkeystore -srckeystore ~/mySourceKeystore.jks -destkeystore keystore.jks
    Enter destination keystore password: changeit
    Enter source keystore password: myPassword
    Entry for alias server successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    
  3. Import certificate of CA into GlassFish keystore:

    $ keytool -import -v -trustcacerts -alias AwesomeCA -file ~/AwesomeCA.crt -keystore keystore.jks
    Enter keystore password: changeit
    Certificate was added to keystore
    [Storing keystore.jks]
    
  4. Import obtained SSL certificate into GlassFish keystore:

    $ keytool -import -v -trustcacerts -alias myAlias -file ~/myCertificate.crt -keystore keystore.jks
    Enter keystore password: changeit
    Enter key password for <myAlias>: myPassword
    Certificate reply was installed in keystore
    [Storing keystore.jks]
    
  5. At this point the error java.security.UnrecoverableKeyException: Cannot recover key would occur during GlassFish startup because the keystore password and the key password of the alias are different. To prevent this error you need to execute:

    $ keytool -keypasswd -alias myAlias -new changeit -keystore keystore.jks
    Enter keystore password: changeit
    Enter key password for <myAlias>: myPassword
    
  6. Change the default alias (s1as) in GlassFish to your myAlias:

    $ asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=myAlias
    
  7. (Optional) You can change the default SSL port (8181) in GlassFish to the well-known 443:

    $ asadmin set server.network-config.network-listeners.network-listener.http-listener-2.port=443
    
  8. Restart GlassFish
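
The following is an added example, not part of either answer above. A common cause of the "No available certificate or key corresponds to the SSL cipher suites" error from the question is that the alias set as cert-nickname is missing from keystore.jks or is only a trusted certificate with no private key, so this script checks the alias type in `keytool -list` output before GlassFish is restarted. The function names and the sample listing are constructed for illustration, and the short `keytool -list` entry format shown in the sample is assumed.

```shell
#!/bin/sh
# Added example (not from the answers): classify an alias from `keytool -list`
# output read on stdin. Prints: private-key | cert-only | missing.
# Entry lines look like "<alias>, <date>, <EntryType>," and the date may itself
# contain a comma. Aliases are compared case-insensitively (JKS lowercases them).
alias_status() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); found = "missing" }
        /Entry,[ \t]*$/ {
            n = split($0, f, /,[ \t]*/)
            # f[1] is the alias; the entry type is the last non-empty field
            type = f[n]; if (type == "") type = f[n - 1]
            if (tolower(f[1]) != want) next
            found = (type == "PrivateKeyEntry") ? "private-key" : "cert-only"
        }
        END { print found }
    '
}

# Return 0 only when the alias configured as cert-nickname carries a private key.
check_cert_nickname() {
    nickname=$1
    result=$(alias_status "$nickname")
    case $result in
        private-key) echo "OK: '$nickname' is a PrivateKeyEntry"; return 0 ;;
        cert-only)   echo "FAIL: '$nickname' is a certificate without a private key"; return 1 ;;
        *)           echo "FAIL: no entry named '$nickname' in this keystore"; return 2 ;;
    esac
}

# Constructed sample of `keytool -list -keystore keystore.jks` output.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

s1as, Oct 12, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): <fingerprint>
awesomeca, Oct 12, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): <fingerprint>
myalias, Oct 12, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): <fingerprint>'

# Real use: keytool -list -keystore keystore.jks -storepass changeit | check_cert_nickname myAlias
printf '%s\n' "$SAMPLE_LIST" | check_cert_nickname myAlias
```

A `cert-only` result for the listener alias means the certificate was imported into a keystore that does not hold the matching private key, which is the situation both answers avoid by importing the key (PKCS12 or source keystore) first.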




Answer 3:


For GlassFish 4.x you can follow this Comodo Guide

Here is the web archive if the link expires.



Source: https://stackoverflow.com/questions/12860289/import-ssl-certificate-in-glassfish
