Installing an SSL Certificate on GlassFish (Java)
This guide explains step-by-step how to install an SSL certificate on a GlassFish server using the command line and the keytool utility included in the JDK.
Accessing the configuration folder
Open the command prompt (cmd) and navigate to the config folder of your GlassFish domain. Example:
cd glassfish4\glassfish\domains\domain1\config
1. Creating the key (first installation only)
If no key already exists in the keystore, create one using the following command:
keytool -genkey -alias aliasName -keyalg RSA -keysize 2048 -keystore keystore.jks -noprompt -v -dname "CN=domain,O=company,OU=owner,L=city,S=state,C=countryCode" -storepass changeit
Replace aliasName with a unique domain identifier, avoiding dots (e.g. examplecom).
2. Generating the CSR
Generate the Certificate Signing Request using the following command:
keytool -certreq -alias aliasName -file aliasName.csr -keystore keystore.jks -storepass changeit
Upload the CSR file to the Utixo control panel and choose a validation method (email or DNS).
3a. Importing certificates (separate CRT files)
If you received separate certificate files (root, intermediate, domain), proceed as follows:
Clean up existing certificates
keytool -delete -alias root -keystore keystore.jks -storepass changeit keytool -delete -alias intermed -keystore keystore.jks -storepass changeit keytool -delete -alias root -keystore cacerts.jks -storepass changeit keytool -delete -alias intermed -keystore cacerts.jks -storepass changeit
Import the certificates
keytool -import -trustcacerts -alias root -file AAACertificateServices.crt -keystore keystore.jks -storepass changeit keytool -import -trustcacerts -alias intermed -file USERTrustRSAAAACA.crt -keystore keystore.jks -storepass changeit keytool -import -trustcacerts -alias SectigoRSADomainValidationSecureServerCA -file SectigoRSADomainValidationSecureServerCA.crt -keystore keystore.jks -storepass changeit keytool -import -trustcacerts -alias aliasName -file aliasName.crt -keystore keystore.jks -storepass changeit keytool -import -trustcacerts -alias root -file AAACertificateServices.crt -keystore cacerts.jks -storepass changeit keytool -import -trustcacerts -alias intermed -file USERTrustRSAAAACA.crt -keystore cacerts.jks -storepass changeit keytool -import -trustcacerts -alias SectigoRSADomainValidationSecureServerCA -file SectigoRSADomainValidationSecureServerCA.crt -keystore cacerts.jks -storepass changeit
3b. Importing certificates (CA Bundle or P7B)
If you received a .ca-bundle or .p7b file:
Clean up existing certificates
keytool -delete -alias cabundle -keystore keystore.jks -storepass changeit keytool -delete -alias cabundle -keystore cacerts.jks -storepass changeit
Import the bundle and domain certificate
keytool -import -trustcacerts -alias cabundle -file aliasName.ca-bundle -keystore keystore.jks -storepass changeit keytool -import -trustcacerts -alias aliasName -file aliasName.crt -keystore keystore.jks -storepass changeit
or:
keytool -import -trustcacerts -alias aliasName -file aliasName.p7b -keystore keystore.jks -storepass changeit keytool -import -trustcacerts -alias cabundle -file aliasName.ca-bundle -keystore cacerts.jks -storepass changeit
4. Verifying the import
To verify that the certificate was correctly imported:
keytool -list -alias aliasName -keystore keystore.jks -storepass changeit
5. Associating the certificate in GlassFish
Access the GlassFish Admin Console and navigate to:
Configurations → server-config → HTTP Service → HTTP Listeners → http-listener-2 → SSL
Enter the value aliasName in the Certificate Alias field.
6. Restarting GlassFish
Restart the GlassFish server to apply changes and activate the new SSL certificate.
