Product Documentation

    Upon receiving the signed certificate from the CA, import the certificate into the keystore.

    • Make a backup of the existing keystore.jks before continuing.
       
      cp GLASSFISH_CONFIG/keystore.jks GLASSFISH_CONFIG/keystore-backup.jks
    • Verify that the externally signed certificate is correct before importing it into the keystore. The Subject Key Identifier extension should match the Subject Key Identifier extension of the original certificate that is to be replaced. The SubjectDN and any Subject Alternative Names should match what is expected.
       
      openssl x509 -text -in signedcertificate.pem

     

    In addition,the private key of the s1as certificate will need to be obtained from the keystore file.

    • Extract the s1as certificate and private key from keystore.jks into a PKCS12 keystore using keytool.
       
      keytool -importkeystore -srckeystore GLASSFISH_CONFIG/keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias s1as
    • Extract the private key out of the newly created PKCS12 keystore. The private key taken out of the PKCS12 keystore will be encrypted, which prevents it from being accessed by anyone without the password to it.
       
      openssl pkcs12 -in keystore.p12 -nocerts -out privatekey.pem

     

    Once the externally signed certificate and the encrypted private key are obtained from the keystore, use openssl to combine them into a new PKCS12 keystore.

    • Create the new PKCS12 keystore. It will ask for the password to the encrypted private key. When prompted, input the export password for this new PKCS12 keystore. Make sure that the export password is the same as the password to the keystore.jks file. 
      openssl pkcs12 -export -out signedcertificate.p12 -in signedcertificate.pem  -inkey privatekey.pem -name s1as
    • Delete the privatekey.pem file.
       
      rm privatekey.pem

     

    Before importing this PKCS12 keystore, the old s1as certificate from keystore.jks must be removed to make space for the new one.

    • Delete the old s1as certificate.

      keytool -delete -alias s1as -keystore GLASSFISH_CONFIG/keystore.jks
    • Now import the externally signed certificate into keystore.jks.
       
      keytool -v -importkeystore -srckeystore signedcertificate.p12 -srcstoretype PKCS12 -destkeystore GLASSFISH_CONFIG/keystore.jks -deststoretype JKS
    • Restart the payara server and it should now be using the new certificate.
       
      sudo service glassfishd restart

     

    To test if the certificate is working, connect to your domain’s IP with port 8181.