
    How to Install SSL Certificate on GlassFish Server

    Complete step-by-step guide to install SSL certificates on GlassFish/Eclipse GlassFish Server. Configure Java keystores, import certificates with keytool, and set up secure HTTPS listeners.

    My-SSL Team
    December 15, 2025

    Introduction to GlassFish SSL Installation

    GlassFish (now Eclipse GlassFish) is a robust, open-source Java EE application server used by enterprises worldwide for deploying Java-based web applications. Installing an SSL certificate on GlassFish secures your Java applications with HTTPS encryption, protecting sensitive data transmitted between your server and clients.

    This comprehensive guide covers SSL certificate installation on GlassFish versions 4.x, 5.x, 6.x, and 7.x. We'll walk through every step from CSR generation using keytool or My-SSL CSR Generator, through certificate import, to configuring HTTPS listeners.

    What you'll learn:

    • Understanding GlassFish keystores (keystore.jks and cacerts.jks)
    • Generating CSR using keytool or our online tools
    • Converting certificates to PKCS12 format
    • Importing certificates into GlassFish keystore
    • Configuring HTTP listeners for SSL
    • Troubleshooting common Java keystore errors

    For a foundational understanding of SSL, see our guide on What is SSL and How SSL Works.


    Prerequisites Checklist

    Before starting the SSL installation, ensure you have:

    • GlassFish Server installed - Version 4.x, 5.x, 6.x, or 7.x
    • Administrative access - Access to Admin Console (port 4848) or asadmin CLI
    • Java JDK installed - Required for keytool utility
    • Domain pointed to server - DNS A record pointing to your server's IP address
    • OpenSSL installed - For certificate format conversion
    • SSL certificate files - Your certificate (.crt), private key (.key), and CA bundle
    • Default keystore password - Usually "changeit" for GlassFish

    Verify GlassFish installation:

    # Check GlassFish version
    asadmin version
    # Output: GlassFish Server Open Source Edition 6.2.5

    Locate GlassFish domain directory:

    # Default location
    cd $GLASSFISH_HOME/glassfish/domains/domain1/config/

    Understanding GlassFish Keystores

    GlassFish uses Java keystores to manage SSL certificates. Understanding these files is crucial for successful installation.

    Keystore Files

    File         | Purpose                                       | Default Password
    keystore.jks | Contains server certificate and private key   | changeit
    cacerts.jks  | Contains trusted CA certificates (truststore) | changeit

    Default Location

    Keystores are located in:

    $GLASSFISH_HOME/glassfish/domains/domain1/config/

    Default Certificate Alias

    GlassFish uses s1as as the default certificate alias for the server certificate. When importing your certificate, you'll replace the entry stored under this alias.

    View existing certificates:

    keytool -list -v -keystore keystore.jks -storepass changeit

    Step 1: Generate a Certificate Signing Request (CSR)

    You have two options for CSR generation: using our online tool or Java's keytool command.

    Option A: Using My-SSL CSR Generator

    The easiest method is using our free CSR Generator Tool:

    1. Navigate to My-SSL CSR Generator
    2. Enter your domain name (e.g., yourdomain.com)
    3. Fill in organization details (name, city, state, country)
    4. Add Subject Alternative Names (SANs) for additional domains if needed
    5. Click Generate CSR
    6. Save both the CSR and Private Key files securely

    Important: Store your private key securely. You'll need it to create a PKCS12 file for import into GlassFish.

    Option B: Using keytool Command Line

    Generate a new key pair and CSR directly on your server:

    # Navigate to GlassFish config directory
    cd $GLASSFISH_HOME/glassfish/domains/domain1/config/
    
    # Backup existing keystore
    cp keystore.jks keystore.jks.backup
    
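    # Remove the existing self-signed s1as entry first; keytool refuses to
    # generate a key pair under an alias that already exists
    keytool -delete \
      -alias s1as \
      -keystore keystore.jks \
      -storepass changeit
    
    # Generate new key pair under the s1as alias
    keytool -genkeypair \
      -alias s1as \
      -keyalg RSA \
      -keysize 2048 \
      -validity 365 \
      -keystore keystore.jks \
      -storepass changeit \
      -keypass changeit \
      -dname "CN=yourdomain.com, OU=IT, O=Your Company, L=City, ST=State, C=US"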

    Generate CSR from the key pair:

    keytool -certreq \
      -alias s1as \
      -file yourdomain.csr \
      -keystore keystore.jks \
      -storepass changeit

    Verify your CSR using our CSR Decoder to ensure all details are correct before submitting to a Certificate Authority.


    Step 2: Order Your SSL Certificate

    With your CSR ready, order an SSL certificate:

    1. Choose the appropriate certificate type:
       • DV SSL - Domain validation, fastest issuance
       • OV SSL - Organization validation, business trust
       • EV SSL - Extended validation, highest trust
    2. Submit your CSR during the order process
    3. Complete domain validation (email, DNS, or HTTP file)
    4. Download your certificate files once issued

    You'll typically receive:

    • Primary certificate (yourdomain.crt)
    • Intermediate/CA Bundle (ca-bundle.crt or intermediate.crt)
    • Root certificate (optional, usually already trusted)

    Learn more about SSL Certificate Types to choose the right option.


    Step 3: Prepare Certificate Files

    GlassFish requires certificates in PKCS12 format for import. This step combines your certificate, private key, and CA chain into a single file.

    Method A: If You Used My-SSL CSR Generator

    If you generated your CSR using our CSR Generator, you have a separate private key file:

    Create PKCS12 file using OpenSSL:

    # First, combine certificate with CA bundle
    cat yourdomain.crt ca-bundle.crt > fullchain.crt
    
    # Create PKCS12 file
    openssl pkcs12 -export \
      -in fullchain.crt \
      -inkey private.key \
      -out yourdomain.p12 \
      -name s1as \
      -passout pass:changeit

    Note: The -name s1as parameter sets the alias to match GlassFish's default.
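
    Before running the export above, it helps to confirm that private.key belongs to the leaf certificate and that the leaf is the first entry in fullchain.crt; the same check applies to the "Private key and certificate don't match" error in the troubleshooting section. The script below is an added example, not part of the original guide; the function names and the P12_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks before and
# after building the PKCS12 file for GlassFish. Assumes an unencrypted PEM
# private key and the export password in the P12_PASS environment variable.

# SHA-256 of the public key in the FIRST certificate of PEM file $1.
cert_pubkey_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from private key file $1.
# The empty -passin makes an encrypted key fail instead of prompting.
key_pubkey_hash() {
    pub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# True only when the first certificate in $1 belongs to key $2. openssl x509
# reads just the first PEM block, so this also confirms the leaf comes first.
leaf_matches_key() {
    c=$(cert_pubkey_hash "$1") || return 2
    k=$(key_pubkey_hash "$2") || return 2
    [ "$c" = "$k" ]
}

# Usage: build_p12 fullchain.crt private.key yourdomain.p12
# Refuses to export on a mismatch; the password is read from the environment
# so it does not appear on the command line.
build_p12() {
    leaf_matches_key "$1" "$2" || {
        echo "first certificate in $1 does not match key $2" >&2
        return 1
    }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name s1as -passout env:P12_PASS
}

# Alias (friendlyName) stored in PKCS12 file $1; it must equal the
# cert-nickname configured on the listener (s1as in this guide).
p12_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        sed -n 's/^ *friendlyName: *//p' | head -n 1
}
```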

    Method B: If You Used keytool for CSR

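    If you generated the CSR using keytool, the private key is already in keystore.jks. You'll need to import the signed certificate. keytool builds the chain for the signed certificate from the certificates in the same keystore (plus the JDK's default cacerts when -trustcacerts is given), so import the CA certificates into keystore.jks first.

    Import root CA certificate:

    keytool -import -trustcacerts \
      -alias root \
      -file root.crt \
      -keystore keystore.jks \
      -storepass changeit

    Import intermediate CA certificate:

    keytool -import -trustcacerts \
      -alias intermediate \
      -file intermediate.crt \
      -keystore keystore.jks \
      -storepass changeit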

    Import your signed certificate:

    keytool -import -trustcacerts \
      -alias s1as \
      -file yourdomain.crt \
      -keystore keystore.jks \
      -storepass changeit

    Use our Certificate Converter if you need to convert between certificate formats.


    Step 4: Import Certificate into GlassFish Keystore

    If you created a PKCS12 file (Method A above), import it into GlassFish's keystore.

    Delete Existing Certificate

    First, remove the existing self-signed certificate:

    keytool -delete \
      -alias s1as \
      -keystore keystore.jks \
      -storepass changeit

    Import PKCS12 into Keystore

    keytool -importkeystore \
      -srckeystore yourdomain.p12 \
      -srcstoretype PKCS12 \
      -srcstorepass changeit \
      -destkeystore keystore.jks \
      -deststoretype JKS \
      -deststorepass changeit \
      -destkeypass changeit \
      -srcalias s1as \
      -destalias s1as

    Verify Certificate Import

    keytool -list -v -keystore keystore.jks -storepass changeit -alias s1as

    Expected output shows:

    • Your domain in the Owner field
    • Certificate chain with intermediate and root CAs
    • Valid dates for the certificate

    Step 5: Import CA Certificates into Truststore

    For proper certificate chain validation, import CA certificates into cacerts.jks (truststore).

    # Navigate to config directory
    cd $GLASSFISH_HOME/glassfish/domains/domain1/config/
    
    # Import Root CA
    keytool -import -trustcacerts \
      -alias rootCA \
      -file root.crt \
      -keystore cacerts.jks \
      -storepass changeit
    
    # Import Intermediate CA
    keytool -import -trustcacerts \
      -alias intermediateCA \
      -file intermediate.crt \
      -keystore cacerts.jks \
      -storepass changeit

    Verify CA certificates:

    keytool -list -keystore cacerts.jks -storepass changeit | grep -i "your-ca-name"

    Step 6: Configure GlassFish HTTP Listener for SSL

    Configure GlassFish to use your SSL certificate for HTTPS connections.

    Using GlassFish Admin Console (GUI)

    1. Access Admin Console at http://your-server:4848
    2. Navigate to Configurations → server-config → Network Config → Network Listeners
    3. Click on http-listener-2 (default SSL listener)
    4. In the SSL tab, verify:
       • Certificate NickName: s1as
       • SSL3: Disabled
       • TLS: Enabled
       • TLS 1.1, TLS 1.2, TLS 1.3: Enabled
    5. Click Save

    Using asadmin Command Line

    Configure SSL listener using asadmin:

    # Set certificate nickname (the ssl element belongs to the listener's protocol)
    asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=s1as
    
    # Enable TLS protocols (disable SSL3)
    asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.ssl3-enabled=false
    asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=true
    asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.tls11-enabled=true
    asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true
    asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.tls13-enabled=true
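
    The best-practices list later in this guide advises disabling SSL3, TLS 1.0 and TLS 1.1, while the commands above leave tls-enabled and tls11-enabled set to true. The check below is an added example, not part of the original guide: it reads the listener's ssl attributes in the dotted.name=value form and reports any legacy protocol that is still on. It assumes tls-enabled governs TLS 1.0; the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit the SSL protocol flags of
# a GlassFish listener. Input is "dotted.name=value" lines on stdin.
# Policy (from the guide's best-practice list): SSL3, TLS 1.0, TLS 1.1 off;
# at least one of TLS 1.2 / TLS 1.3 on. Exit status 1 means findings.
audit_ssl_flags() {
    awk -F= '
        NF >= 2 {
            n = split($1, part, ".")      # last component is the attribute
            gsub(/[ \t\r]/, "", $2)
            flag[part[n]] = $2
        }
        END {
            split("ssl3-enabled tls-enabled tls11-enabled", legacy, " ")
            name["ssl3-enabled"]  = "SSL 3.0"
            name["tls-enabled"]   = "TLS 1.0"
            name["tls11-enabled"] = "TLS 1.1"
            bad = 0
            for (i = 1; i <= 3; i++) {
                k = legacy[i]
                if (flag[k] == "true") {
                    print "WEAK " k " (" name[k] ")"; bad = 1
                } else if (flag[k] != "false") {
                    print "UNSET " k " (server default applies)"; bad = 1
                }
            }
            if (flag["tls12-enabled"] != "true" && flag["tls13-enabled"] != "true") {
                print "NO-MODERN-TLS tls12-enabled and tls13-enabled are both off"
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: the flags as the asadmin commands in this step set them.
sample_as_configured() {
    p=server.network-config.protocols.protocol.http-listener-2.ssl
    printf '%s\n' "$p.cert-nickname=s1as" "$p.ssl3-enabled=false" \
        "$p.tls-enabled=true" "$p.tls11-enabled=true" \
        "$p.tls12-enabled=true" "$p.tls13-enabled=true"
}

# Constructed sample: the same listener with TLS 1.0 and TLS 1.1 switched off.
sample_hardened() {
    sample_as_configured |
        sed -e 's/\.tls-enabled=true/.tls-enabled=false/' \
            -e 's/\.tls11-enabled=true/.tls11-enabled=false/'
}

# Against a live domain (assumes asadmin is on PATH):
#   asadmin get 'server.network-config.protocols.protocol.http-listener-2.ssl.*' | audit_ssl_flags
```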

    Change SSL Port to 443 (Optional)

    By default, GlassFish uses port 8181 for HTTPS. To use standard port 443:

    # Change listener port to 443
    asadmin set server.network-config.network-listeners.network-listener.http-listener-2.port=443

    Note: Running on port 443 requires root privileges or proper capabilities on Linux.


    Step 7: Restart GlassFish and Verify

    Restart GlassFish to apply all SSL configuration changes.

    Restart GlassFish Domain

    # Stop the domain
    asadmin stop-domain domain1
    
    # Start the domain
    asadmin start-domain domain1

    Verify SSL Installation

    1. Browser test: Visit https://yourdomain.com:8181 (or port 443 if configured)
    2. SSL Checker: Use our SSL Checker Tool to verify the complete certificate chain
    3. OpenSSL test:
    openssl s_client -connect yourdomain.com:8181 -servername yourdomain.com

    Check for:

    • Valid certificate chain
    • Correct domain name
    • Proper expiration date
    • No SSL errors

    Step 8: Configure HTTPS Redirect

    Force all HTTP traffic to redirect to HTTPS.

    Application-Level Redirect (web.xml)

    Add a security constraint to your application's WEB-INF/web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    Server-Level Redirect

    Configure redirect at the GlassFish level using asadmin:

    # Enable redirect for http-listener-1 (redirect-port is an attribute of the
    # listener's http protocol element)
    asadmin set server.network-config.protocols.protocol.http-listener-1.http.redirect-port=8181

    Installing Wildcard SSL on GlassFish

    Wildcard certificates secure your main domain and all first-level subdomains.

    Wildcard Certificate Considerations

    • Wildcard certificate covers *.yourdomain.com and yourdomain.com
    • Same installation process as standard certificates
    • Single keystore entry serves all subdomains
    • Configure virtual servers for different subdomain applications

    Multi-Domain (SAN) Certificates

    For multiple specific domains, use a SAN certificate:

    # Verify SAN entries in certificate
    openssl x509 -in yourdomain.crt -text -noout | grep -A1 "Subject Alternative Name"

    Backup and Security Best Practices

    Backup Your Keystore

    Always maintain secure backups of your keystore:

    # Create dated backup
    cp keystore.jks keystore.jks.backup.$(date +%Y%m%d)
    
    # Store in secure location
    cp keystore.jks /secure/backup/location/

    Secure Keystore Passwords

    Change default passwords in production:

    # Change keystore password
    keytool -storepasswd -keystore keystore.jks
    
    # Change key password
    keytool -keypasswd -alias s1as -keystore keystore.jks

    Update GlassFish with New Passwords

    If you change passwords, update GlassFish configuration:

    # Update master password
    asadmin change-master-password

    Common GlassFish SSL Errors & Troubleshooting

    Error: "Certificate chain not found"

    Cause: Intermediate certificates not imported into truststore.

    Solution:

    keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore cacerts.jks -storepass changeit

    Error: "Keystore was tampered with, or password was incorrect"

    Cause: Wrong keystore password.

    Solution: Use the correct password (default is "changeit") or reset the keystore from backup.

    Error: "Alias does not exist"

    Cause: Certificate imported with different alias than configured in GlassFish.

    Solution:

    # List all aliases
    keytool -list -keystore keystore.jks -storepass changeit
    
    # Update GlassFish to use the correct alias
    asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=your-alias

    Error: "PKCS12 keystore not loaded correctly"

    Cause: PKCS12 file created incorrectly or corrupted.

    Solution: Recreate PKCS12 with proper chain order:

    openssl pkcs12 -export -in fullchain.crt -inkey private.key -out new.p12 -name s1as

    Error: "SSL handshake failed" or "Received fatal alert: handshake_failure"

    Cause: TLS protocol mismatch or cipher suite incompatibility.

    Solution: Ensure TLS 1.2/1.3 is enabled:

    asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true

    Error: "Private key and certificate don't match"

    Cause: Certificate doesn't match the private key used for CSR.

    Solution: Use our Key Matcher Tool to verify your private key matches the certificate.

    Error: "Self-signed certificate in chain"

    Cause: Using self-signed or incomplete certificate chain.

    Solution: Ensure you're using a CA-signed certificate with proper chain imported.

    Error: "Certificate has expired"

    Cause: SSL certificate has passed its validity period.

    Solution: Renew your certificate and reimport following this guide. Set up SSL expiry reminders to prevent future expirations.

    Error: "Connection refused on port 443"

    Cause: GlassFish not configured to listen on port 443 or firewall blocking.

    Solution:

    # Check listener port
    asadmin get server.network-config.network-listeners.network-listener.http-listener-2.port
    
    # Open firewall port
    sudo firewall-cmd --permanent --add-port=443/tcp
    sudo firewall-cmd --reload

    Error: "java.security.UnrecoverableKeyException"

    Cause: Key password differs from keystore password.

    Solution:

    # Change key password to match keystore password
    keytool -keypasswd -alias s1as -keystore keystore.jks -storepass changeit -keypass oldpass -new changeit

    Let's Encrypt vs Purchased SSL for GlassFish

    Feature              | Let's Encrypt  | Purchased SSL
    Cost                 | Free           | Starting at $2.99/year
    Validity             | 90 days        | 1-3 years
    Auto-renewal         | Requires setup | Manual (reminder available)
    Validation           | DV only        | DV, OV, EV available
    Warranty             | None           | Up to $1.75M
    Support              | Community      | 24/7 Professional
    GlassFish Automation | Complex setup  | Simple import
    Enterprise Use       | Limited        | Recommended

    Recommendation: For production GlassFish deployments, purchased SSL certificates are recommended due to longer validity periods, warranty protection, and simpler management without automation complexity.


    GlassFish SSL Installation Best Practices

    1. Always backup keystores before making changes
    2. Use strong passwords instead of default "changeit" in production
    3. Monitor certificate expiration using our SSL Checker
    4. Set up expiry reminders on the SSL Checker page
    5. Keep GlassFish updated to latest version for security patches
    6. Disable older protocols (SSL3, TLS 1.0, TLS 1.1) for security
    7. Document your configuration including aliases and passwords
    8. Plan certificate renewal 30 days before expiration
    9. Test thoroughly before production deployment
    10. Use proper file permissions to protect keystore files

