Create a certificate
Use keytool to generate, import, and export certificates. By default, keytool creates a keystore file in the directory where it is run. You can find the keytool utility under the bin directory of the Java installation folder.
Note: When you install GlassFish, it creates a default self-signed certificate as the server certificate (localhost).
Step 1:
Delete the existing certificate:
Type the following command to delete the default self-signed certificate.
keytool -delete -alias s1as -keystore keystore.jks -storepass <keystore-password>
Generate a self-signed certificate
Step 1: Type the following command to create a new certificate:
keytool -genkey -alias test
Fill in all the information to create the certificate.
Enter keystore password: p@ssw0rd!
What is your first and last name?
[Unknown]: Chandra
What is the name of your organizational unit?
[Unknown]: Paxcel
What is the name of your organization?
[Unknown]: Paxcel
What is the name of your City or Locality?
[Unknown]: Gurgaon
What is the name of your State or Province?
[Unknown]: HR
What is the two-letter country code for this unit?
[Unknown]: IN
Is right?
[no]: yes
Import certificate
A certificate can be imported into a keystore with keytool. Type the following command to import the certificate, replacing my-keystore-password with the keystore password (paxcel in this example):
keytool -import -alias test -file test.cer -storepass my-keystore-password
Generate expired certificate
Steps:
The default validity is 7 days and cannot be set to 0 days. You need to specify at least 1 day to create the certificate.
keytool -genkey -alias test -validity 1
Note: To change the location of the certificate files, use the Admin Console.
Always generate the certificate in the directory containing the keystore and truststore files, by default domain-dir/config.
Open the GlassFish Admin Console in the web browser.
Log in to the GlassFish Admin Console (http://localhost:4848). The default uid and password are admin and adminadmin.
a) In the Admin Console tree, select the Application Server node.
b) Select JVM Settings.
c) Click the JVM Options tab.
d) On the JVM Options page, add or modify the following values in the Value field to reflect the new location of the certificate files:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/path/ks-name
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/path/ts-name
e) Here ks-name is the keystore file name and ts-name is the truststore file name.
f) Click Save.
g) Restart the Application Server if Restart Required displays in the console.
Install certificate in GlassFish server
Here are the instructions for enabling GlassFish v2 as an SSL server when the application server is configured with the developer profile.
1. Delete the default self-signed certificate by issuing the following command (note that the commands in this and later steps are shown on multiple lines for formatting purposes):
keytool -delete -alias s1as -keystore keystore.jks -storepass <keystore-password>
where <keystore-password> is the password for the keystore, for example, “mypass”. Note that s1as is the default alias of the GlassFish v2 keystore.
2. Generate a new key pair for the application server by issuing the following command:
keytool -genkeypair -keyalg <algorithm>
-keystore keystore.jks -validity <days> -alias s1as
where <algorithm> is the algorithm to be used for generating the key pair, for example RSA, and <days> is the number of days that the certificate should be considered valid, for example, 365.
Note that in addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias.
It’s vital to ensure that the name of the certificate matches the fully-qualified hostname of your site. If the names don’t match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site. Note that the name of the default self-signed certificate matches the fully-qualified hostname.
3. Generate a Certificate Signing Request (CSR) by issuing the following command:
keytool -certreq -alias s1as -file <csr-file>
-keystore keystore.jks -storepass <keystore-password>
where <csr-file> is the file in which the CSR is stored, for example, s1as.csr, and <keystore-password> is the password for the keystore, for example, changeit.
4. Import the certificate obtained as answer to the CSR by issuing the following command:
keytool -import -v -alias s1as -file s1as.cert -keystore keystore.jks -storepass <keystore-password>
When you import the certificate under the same original alias “s1as”, keytool treats it as a command to replace the original certificate with the certificate obtained as answer to a CSR.
s1as (self-signed):
Owner: CN=chandra, OU=Paxcel, O=Paxcel Technologies, L=Gurgaon , ST=Haryana, C=IN
Issuer: CN=Chandra, OU=Paxcel Technologies, O=Paxcel Technologies, L=Gurgaon, ST=Haryana, C=IN
Serial number: 472acd34
Valid from:
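
To confirm the result of the steps above, the following added example (not part of the original page) parses `keytool -list -v` output and flags entries that are still self-signed, whose CN differs from the server hostname, or that have expired. The listing is a constructed sample; the function names, the `web` alias and `app.example.test` are assumptions, and only the CN is compared, as the page describes.

```python
import re
from datetime import datetime

# Constructed `keytool -list -v` output; names and dates are sample values.
SAMPLE = """\
Alias name: s1as
Owner: CN=Chandra, OU=Paxcel, O=Paxcel, L=Gurgaon, ST=HR, C=IN
Issuer: CN=Chandra, OU=Paxcel, O=Paxcel, L=Gurgaon, ST=HR, C=IN
Valid from: Mon Jan 01 10:00:00 IST 2024 until: Tue Jan 02 10:00:00 IST 2024

Alias name: web
Owner: CN=app.example.test, OU=IT, O=Example, L=Gurgaon, ST=HR, C=IN
Issuer: CN=Example Test CA, O=Example, C=IN
Valid from: Mon Jan 01 10:00:00 IST 2024 until: Wed Dec 31 10:00:00 IST 2025
"""

def _field(block, name):
    m = re.search(rf"^{name}: (.+)$", block, re.M)
    return m.group(1).strip() if m else ""

def _not_after(block):
    # keytool prints e.g. "until: Tue Jan 02 10:00:00 IST 2024"; the zone
    # abbreviation is dropped, so the comparison is accurate to about a day.
    m = re.search(r"until: \w{3} (\w{3} +\d{1,2} [\d:]{8}) \S+ (\d{4})", block)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y") if m else None

def audit(listing, hostname, now):
    """Return {alias: [findings]} for each keystore entry in the listing."""
    report = {}
    for block in re.split(r"(?m)^(?=Alias name: )", listing):
        alias = _field(block, "Alias name")
        if not alias:
            continue
        owner, issuer = _field(block, "Owner"), _field(block, "Issuer")
        cn = re.search(r"(?:^|,\s*)CN=([^,]+)", owner)
        findings = []
        if owner and owner.lower() == issuer.lower():
            findings.append("self-signed")  # CA reply not imported yet
        if not cn or cn.group(1).strip().lower() != hostname.lower():
            findings.append("cn-mismatch")  # clients would show a name alert
        end = _not_after(block)
        if end is None or end <= now:
            findings.append("expired-or-unknown")
        report[alias] = findings
    return report

if __name__ == "__main__":
    for alias, findings in audit(SAMPLE, "app.example.test", datetime(2025, 6, 1)).items():
        print(alias, findings or "ok")
```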