Thursday, June 17, 2010

Create certificate using keytool on glassfish

Create certificate

Use keytool to generate, import, and export certificates. By default, keytool creates a keystore file in the directory where it is run. The keytool utility is found under the bin directory of the Java installation.
Note: - When you install GlassFish, it creates a default self-signed certificate (issued to localhost) as the server certificate.

Step:- 1

Delete existing certificate :-

Delete the default self-signed certificate by issuing the following command, with the keystore password in place of <password>:
keytool -delete -alias s1as -keystore keystore.jks -storepass <password>

Generate self signed certificate

Step 1:- Type the following command to create a new certificate:
keytool -genkey -alias test

Fill in all the information to create the certificate.

Enter keystore password: p@ssw0rd!
What is your first and last name?
[Unknown]: Chandra
what is the name of your organizational unit?
[Unknown]: Paxcel
what is the name of your organization?
[Unknown]: Paxcel
what is the name of your City or Locality?
[Unknown]: Gurgaon
What is the name of your State or Province?
[Unknown]: HR
What is the two-letter country code for this unit?
[Unknown]: IN
Is correct?
[no]: yes

Import certificate

A certificate can be imported into a keystore using keytool. Type the following command to import the certificate, where <my-keystore-password> is the keystore password (paxcel in this example). Because the alias test already holds a private key, keytool treats this import as the reply to a certificate request for that key:-
keytool -storepass <my-keystore-password> -alias test -import -file test.cer

Generate expired certificate

Steps:

The default validity is 7 days, and it cannot be set to 0 days; you need to specify at least 1 day to create the certificate.
keytool -genkey -alias test -validity 1


Note: - To change the location of the certificate files, use the admin console as follows.
Always generate the certificate in the directory containing the keystore and truststore files, by default domain-dir/config.

Open the GlassFish admin console in the web browser.
Log in to the GlassFish admin console (http://localhost:4848). The default user id and password are:

admin and adminadmin

a) In the Admin Console tree, select the Application Server node.
b) Select JVM Settings.
c) Click the JVM Options tab.
d) On the JVM Options page, add or modify the following values in the Value field to reflect the new location of the certificate files:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/path/ks-name
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/path/ts-name

e) Where ks-name is the keystore file name and ts-name is the trust store file name.

f) Click Save.

g) Restart the Application Server if Restart Required displays in the console.

Install certificate in GlassFish server

Here are the instructions for enabling GlassFish v2 as an SSL server when the application server is configured with the developer profile.

1. Delete the default self-signed certificate by issuing the following command (note that the commands in this and subsequent steps may be shown on multiple lines for formatting purposes):
keytool -delete -alias s1as -keystore keystore.jks -storepass <password>
where <password> is the password for the keystore, for example, "mypass". Note that s1as is the default alias of the GlassFish v2 keystore.

2. Generate a new key pair for the application server by issuing the following command:
keytool -genkeypair -keyalg <algorithm>
-keystore keystore.jks -validity <days> -alias s1as

where <algorithm> is the algorithm to be used for generating the key pair, for example RSA, and <days> is the number of days that the certificate should be considered valid, for example, 365.
Note that in addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias.

It's important to ensure that the name of the certificate matches the fully-qualified hostname of your site. If the names don't match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site. You should notice that the name of the default self-signed certificate matches the fully-qualified hostname.


3. Generate a Certificate Signing Request (CSR) by issuing the following command:
keytool -certreq -alias s1as -file <csr-file>
-keystore keystore.jks -storepass <password>
where <csr-file> is the file in which the CSR is stored, for example, s1as.csr, and <password> is the password for the keystore, for example, changeit.


4. Import the certificate obtained in reply to the CSR by issuing the following command:
keytool -import -v -alias s1as -file s1as.cert -keystore keystore.jks -storepass <password>
When you import the certificate using the same original alias "s1as", keytool treats it as a command to replace the original self-signed certificate with the certificate obtained as the reply to the CSR.
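The four steps above, together with the shorter delete/generate/import walkthrough earlier on this page, as one reviewable script. This is an added example, not the post's own commands and not part of GlassFish. It assumes a keytool from JDK 7 or later (for the -storepass:env and -keypass:env password modifiers and the -ext SAN option), reads the keystore password from the STOREPASS environment variable instead of the command line, and uses placeholder organization values in -dname; the variable names, function names and the DRY_RUN/request/install switches are this script's own.

```shell
#!/bin/sh
# Added example (not from the original post): the GlassFish keystore
# sequence (delete s1as, generate key pair, CSR, import the CA reply) as
# one reviewable script. Assumptions: keytool from JDK 7 or later (for
# -storepass:env, -keypass:env and -ext SAN); variable and function
# names below are this script's own; dname organization values are placeholders.

KEYSTORE="${KEYSTORE:-keystore.jks}"   # GlassFish default, in domain-dir/config
ALIAS="${ALIAS:-s1as}"                 # default server alias named in the post
SERVER_HOST="${SERVER_HOST:-$(hostname -f 2>/dev/null || echo localhost)}"
VALIDITY_DAYS="${VALIDITY_DAYS:-365}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the keytool commands, 0 = run them

# kt: run keytool, or in dry-run mode print the argument list for review.
kt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'keytool'
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    else
        keytool "$@"
    fi
}

# keytool reads the password from the STOREPASS variable (-storepass:env),
# so it never shows up in shell history or in the process list.
require_password() {
    if [ -z "${STOREPASS:-}" ]; then
        echo "export STOREPASS with the keystore password first" >&2
        return 1
    fi
}

# Step 1: remove the default self-signed entry. Listing the alias first
# keeps the step idempotent, because -delete fails when the alias is absent.
delete_default_cert() {
    if [ "$DRY_RUN" = 1 ] || keytool -list -alias "$ALIAS" -keystore "$KEYSTORE" \
            -storepass:env STOREPASS >/dev/null 2>&1; then
        kt -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass:env STOREPASS
    fi
}

# Step 2: new key pair plus self-signed certificate under the same alias.
# -dname keeps it non-interactive; CN and the SAN carry the fully qualified
# hostname, which is the name clients compare against.
generate_keypair() {
    kt -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity "$VALIDITY_DAYS" \
        -dname "CN=$SERVER_HOST, OU=Example Unit, O=Example Org, L=City, ST=State, C=XX" \
        -ext "SAN=dns:$SERVER_HOST" \
        -keystore "$KEYSTORE" -storepass:env STOREPASS -keypass:env STOREPASS
}

# Step 3: certificate signing request to hand to the CA.
create_csr() {
    kt -certreq -alias "$ALIAS" -file "$ALIAS.csr" \
        -keystore "$KEYSTORE" -storepass:env STOREPASS
}

# Step 4: import the CA reply under the same alias; keytool treats that as
# replacing the self-signed certificate. -trustcacerts lets it complete the
# chain from the JDK cacerts file when the reply does not include the root.
import_ca_reply() {
    kt -importcert -trustcacerts -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass:env STOREPASS
}

# "request" runs steps 1-3 now; "install <reply-file>" runs step 4 once the
# CA has answered, so the key pair behind the CSR is not regenerated.
case "${1:-}" in
    request) require_password || exit 1; delete_default_cert; generate_keypair; create_csr ;;
    install) require_password || exit 1; import_ca_reply "${2:?CA reply file required}" ;;
esac
```

Run `sh glassfish-cert.sh request` with the default DRY_RUN=1 from domain-dir/config to see the exact keytool invocations; then `STOREPASS=... DRY_RUN=0 SERVER_HOST=www.example.test sh glassfish-cert.sh request`, and after the CA replies `STOREPASS=... DRY_RUN=0 sh glassfish-cert.sh install s1as.cert`. Passing the password through the environment avoids the exposure of a -storepass value typed on the command line, which lands in shell history and is visible to other local users while keytool runs.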
s1as (self-signed):
Owner: CN=chandra, OU=Paxcel, O=Paxcel Technologies, L=Gurgaon, ST=Haryana, C=IN
Issuer: CN=Chandra, OU=Paxcel Technologies, O=Paxcel Technologies, L=Gurgaon, ST=Haryana, C=IN
Serial number: 472acd34
Valid from:
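As an added example (not output or code from the post), a small shell checker for two things this page raises: that the certificate's name matches the server's fully qualified hostname, and how many days of validity remain, which is how a 1-day test certificate like the one generated above shows up as expired the next day. It parses the text that keytool -list -v prints, in the format of the listing above; the listing embedded in the script is constructed for this example, the function names are its own, and the date arithmetic is done in awk so it does not depend on GNU date -d.

```shell
#!/bin/sh
# Added example (not from the original post): check a keystore entry as
# printed by "keytool -list -v" for a subject name that does not match the
# server hostname and for an expired or soon-expiring certificate.
# SAMPLE_LISTING is constructed for this example; function names are its own.

SAMPLE_LISTING='Alias name: s1as
Creation date: Jun 17, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, OU=Example Unit, O=Example Org, L=City, ST=State, C=XX
Issuer: CN=www.example.test, OU=Example Unit, O=Example Org, L=City, ST=State, C=XX
Serial number: 4c1a2b3c
Valid from: Thu Jun 17 10:00:00 IST 2010 until: Fri Jun 18 10:00:00 IST 2010
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.example.test
]'

# cert_cn LISTING: the CN of the Owner (subject) DN.
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/^Owner: //p' | tr ',' '\n' | sed -n 's/^ *CN=//p'
}

# cert_dns_names LISTING: DNS names from the SubjectAlternativeName extension.
cert_dns_names() {
    printf '%s\n' "$1" | sed -n 's/^ *DNSName: //p'
}

# days_until_expiry LISTING TODAY: whole days from TODAY (YYYY-MM-DD) to the
# "until:" date on the "Valid from:" line; negative once the certificate has
# expired. Exits non-zero when the listing has no validity line.
days_until_expiry() {
    printf '%s\n' "$1" | awk -v today="$2" '
        # days since 1970-01-01 for a civil date (proleptic Gregorian calendar)
        function daynum(y, m, d,    era, yoe, doy, doe) {
            if (m <= 2) y--
            era = int(y / 400)
            yoe = y - era * 400
            doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468
        }
        function month(name,    i) {
            for (i = 1; i <= 12; i++) if (names[i] == name) return i
            return 0
        }
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ") }
        /^Valid from:/ && !found {
            for (i = 1; i <= NF; i++)
                if ($i == "until:") {   # until: Fri Jun 18 10:00:00 IST 2010
                    until_day = daynum($(i + 6), month($(i + 2)), $(i + 3))
                    found = 1
                }
        }
        END {
            if (!found) exit 1
            split(today, t, "-")
            print until_day - daynum(t[1], t[2], t[3])
        }'
}

# check_server_cert LISTING HOST TODAY: returns 0 when HOST appears as the CN
# or as a SAN DNS name and the certificate is still valid on TODAY; otherwise
# prints what is wrong and returns 1. Warns when fewer than 30 days remain.
check_server_cert() {
    rc=0
    if ! { cert_cn "$1"; cert_dns_names "$1"; } | grep -qxF "$2"; then
        echo "name mismatch: certificate is not issued for $2"
        rc=1
    fi
    if left=$(days_until_expiry "$1" "$3"); then
        if [ "$left" -lt 0 ]; then
            echo "expired $(( 0 - left )) day(s) ago"
            rc=1
        elif [ "$left" -lt 30 ]; then
            echo "warning: expires in $left day(s)"
        fi
    else
        echo "no validity period found in listing"
        rc=1
    fi
    return $rc
}

# Real use, from domain-dir/config with the keystore password in STOREPASS:
#   check_server_cert "$(keytool -list -v -alias s1as -keystore keystore.jks \
#       -storepass:env STOREPASS)" "$(hostname -f)" "$(date +%F)"
if [ "${DEMO:-0}" = 1 ]; then
    check_server_cert "$SAMPLE_LISTING" www.example.test 2010-06-17
    check_server_cert "$SAMPLE_LISTING" localhost 2010-07-01
fi
```

`DEMO=1 sh check-cert.sh` runs the two built-in cases: the constructed certificate passes for www.example.test on the day it was issued (with a warning, since only one day remains) and fails for localhost two weeks later on both name and expiry.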
