Eden Allen

CSR Generation on GlassFish

Prerequisites

To generate a CSR and set up SSL on GlassFish, the following prerequisites must be met:

  • You must have GlassFish installed and running.
  • You must have the Java Development Kit (JDK) installed; the JDK includes the keytool utility.
  • You must have administrative privileges to the GlassFish domain directory.
  • You must have a Fully Qualified Domain Name (FQDN) for your website or web application.
  • You must have the appropriate permissions to make changes to the keystore.jks and domain.xml files.
  • You should have some familiarity with working from the command line.

Steps to Generate a CSR on GlassFish Server

Step 1: Review the Default Keystore

Newly created GlassFish domains already include a self-signed certificate in:

DOMAIN_DIR/config/keystore.jks

The default keystore password is changeit, and the default certificate alias is s1as.

To view existing certificates, run:

keytool -list -keystore keystore.jks

Enter the default password changeit when prompted.

You should see an entry similar to:

s1as, Dec 28, 2010, PrivateKeyEntry

GlassFish references this alias (s1as) in several places within the domain.xml file. These references can be updated later to point to your new certificate alias.

Step 2: Change the Default Keystore Password (Recommended)

For security reasons, it is strongly recommended to change the default keystore password.

Run:

keytool -storepasswd -keystore keystore.jks

When prompted:

  • Enter the old password: changeit
  • Enter and confirm a new strong password

This password becomes the master password for your keystore. You will be asked for it during every keystore operation and when starting your GlassFish domain. Store it securely.

Step 3: Generate a New Private Key Entry

Create a new private key entry in keystore.jks using your domain information:

keytool -keysize 2048 -genkey -alias mydomain.com -keyalg RSA -dname "CN=mydomain.com,O=Company,L=City,S=State,C=Country" -keystore keystore.jks

Notes:

  • Use a minimum key size of 2048 bits
  • Replace mydomain.com with your actual domain name
  • Replace the organization details with your real company information
  • The alias (mydomain.com) will be used later for CSR creation and certificate installation
  • Enter your keystore password when prompted

Step 4: Generate the CSR File

Create a Certificate Signing Request (CSR) file using the alias that you created in Step 3. To do so, execute the following command:

keytool -certreq -alias mydomain.com -keystore keystore.jks -file cert_req.csr

You will be prompted to enter your keystore password. The resulting cert_req.csr file is the CSR itself: it carries the public key and the distinguished name from Step 3, while the private key stays in keystore.jks.

Step 5: Submit the CSR to a Certificate Authority

  • Open the cert_req.csr file in an editor such as Notepad or Vim.
  • Copy everything between the lines shown below:

-----BEGIN NEW CERTIFICATE REQUEST-----

-----END NEW CERTIFICATE REQUEST-----

  • Paste the copied CSR into the SSL Certificate order or validation form on the CA's website.

The time it takes to receive the certificate from the CA depends on the type you ordered (DV, OV/BV, or EV):

  • DV certificates typically take only a few minutes.
  • OV or EV certificates may take several business days.
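
Before pasting the CSR into the CA's form, it is worth confirming that cert_req.csr carries the CN and key size chosen in Step 3 and that its BEGIN/END lines are intact. The Python script below is an added example, not part of the original post; it assumes an RSA key as generated in Step 3, and the names inspect_csr, problems and check_csr.py are illustrative.

```python
import base64, re, sys

# keytool writes "NEW CERTIFICATE REQUEST"; other tools omit "NEW".
PEM_RE = re.compile(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.+?)"
                    r"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)
CN_OID = bytes([0x55, 0x04, 0x03])  # OID 2.5.4.3, commonName

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a SEQUENCE or SET into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_csr(pem_text):
    """Return (common_name, rsa_modulus_bits) from a PEM PKCS#10 request."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CSR block; BEGIN/END lines must use five plain hyphens")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    info = children(children(tlv(der, 0)[1])[0][1])  # CertificationRequestInfo
    subject, spki = info[1][1], info[2][1]
    # Name is a SEQUENCE of SETs of SEQUENCE {oid, value}; collect the pairs.
    atvs = [children(a) for _, rdn in children(subject) for _, a in children(rdn)]
    cns = [val.decode("utf-8") for (_, oid), (_, val) in atvs if oid == CN_OID]
    key = children(spki)[1][1]  # BIT STRING; its first byte counts unused bits
    modulus = children(children(key[1:])[0][1])[0][1]  # RSAPublicKey.modulus
    return (cns[-1] if cns else None), int.from_bytes(modulus, "big").bit_length()

def problems(pem_text, expected_cn, min_bits=2048):
    """List reasons not to submit this CSR; an empty list means none found."""
    cn, bits = inspect_csr(pem_text)
    checks = [(cn != expected_cn, f"CN is {cn!r}, expected {expected_cn!r}"),
              (bits < min_bits, f"RSA key is {bits} bits, below {min_bits}")]
    return [msg for failed, msg in checks if failed]

if __name__ == "__main__":  # usage: python check_csr.py cert_req.csr mydomain.com
    print(problems(open(sys.argv[1]).read(), sys.argv[2]) or "OK to submit")
```

The script does not verify the request's signature; keytool -printcertreq -file cert_req.csr shows the same fields if you prefer to inspect them by eye.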
