How to Generate Certificate Signing Request on GLASSFISH Server

Newly created domains on glassfish has already a self signed certificate in DOMAIN_DIR/config/keystore.jks file. By default this keystore has default password of "changeit". This certificate is named as s1as. To see this certificate you could issue following command:

keytool -list -keystore keystore.jks

When asked enter default password "changeit". You will see a similar output to following:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

s1as, Dec 28, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): EA:56:23:46:7E:12:DA:6A:0D:8C:B9:12:11:0A:1A:8B

There should be a certificate with alias s1as. Since your glassfish will use this certificate by default, your domain.xml file in config folder of your domain will contain references to s1as from several places. We will change these references later.

It is recommended that you to change default password of keystore.jks. To change password use following command:

keytool -storepasswd -keystore keystore.jks

When asked enter default password "changeit" and later enter new password for you keystore.jks. You should not forget this password. You will need this password for every operation you will perform on your keystore.jks file. Also you will be asked this password every time you start your domain. This password is called master password for your keystore.jks. Each entry in keystore.jks may have its own password.

There is another key file in glassfish's domain folder named cacerts.jks. This file contains certificates from trusted authorities, etc. Certificates from this file is used to verify integrity of certificates you will purchase from certificate authorities. These certificates are called root certificates. But you may also import root certificates to keystore.jks too.
Purchasing Certificate and Installing Certificate

When you buy a certificate from a certificate authority You will need to be validated please make sure the steps have been taken prior to validation.

1) Check and correct Whois database entry for your domain:

Check your domain's whois information and if they are not correct fix them. Especially your company name, and email address. We will send DCV approval email to this email address.

2) Generate a certification request by using following steps:
Generate a new entry in keystore.jks with information of your domain.

keytool -keysize 2048 -genkey -alias mydomain.com -keyalg RSA –dname "CN=mydomain.com or www. ,O=company,L=city,S=State,C=Country" -keystore keystore.jks

Enter password of you keystore when asked. We require at least 2048 bits keysize. CN is your sites domain name, O is your company name, L is the city, C is the 2 character country code. There are more options you could specify if you want. But these are enough. alias is the key you will use to refer this certificate. We will refer it from domain.xml.
Create the request file for submitting to us.

keytool -certreq -alias mydomain.com -keystore keysore.jks -file cert_req.csr

Enter password of your keystore when asked.

cert_req.csr file will contains your certification request which you will submit to certificate authority.

CSR Entry

You should include everything between and including followings.

-----BEGIN NEW CERTIFICATE REQUEST-----

-----END NEW CERTIFICATE REQUEST-----