Question

I am trying to install a signed SSL certificate into Glassfish, but I failed. Here is the list of steps:

1. I used keytool to generate new key pair (alias domain1)

    keytool -genkeypair -keyalg RSA -keystore glassfish/domains/domain1/config/keystore.jks -validity 1000 -alias domain1

2. Generate Certificate signing request (out - domain1.csr)

    keytool -certreq -alias domain1 -file domain1.csr -keystore glassfish/domains/domain1/config/keystore.jks

3. I used OpenSSL to generate my own Root CA certificate

3.1. Generate root CA private key ( out - rootCA.key )

    openssl genrsa -out rootCA.key 1024

3.2. Creating certificate signing request (out - rootCA.csr )

    openssl req -new -key rootCA.key -out rootCA.csr

3.3. Self-sign rootCA.csr ( out - rootCA.crt )

    openssl x509 -req -days 3650 -in rootCA.csr -signkey rootCA.key -out rootCA.crt

4. Sign domain1.csr ( generated from step 2) - ( out - domain1.crt)

    openssl x509 -req -days 500 -in domain1.csr -CA rootCA.crt -CAkey rootCA.key -out domain1.crt -CAcreateserial

5. I have 2 signed certificates

  • rootCA.crt
  • domain1.crt

6. I need to install rootCA.crt, domain1.crt into Glassfish v3

6.1. import rootCA.crt into /glassfish/domains/domain1/config/cacerts.jks with alias rootCA ( Successfully)

    keytool -import -v -trustcacerts -alias rootCA -file rootCA.crt -keystore cacerts.jks

6.2. import domain1.crt into /glassfish/domains/domain1/config/keystore.jks with alias domain1 ( FAILED)

    keytool -import -v -trustcacerts -alias domain1 -file domain1.crt -keystore keystore.jks

At step 6.2. I received the error message:

    keytool error: java.lang.Exception: Failed to establish chain from reply

Does anyone know what steps I am missing when I import rootCA.crt and domain1.crt into Glassfish?

Since the Glassfish keystore.jks only stores private keys, I am wondering whether I have to import the self-signed rootCA.crt into keystore.jks.

Thank you so much!


Solution

I think that you are missing the CA certificate in keystore.jks. Try this after step 6.1:

    keytool -import -v -trustcacerts -alias rootCA -file rootCA.crt -keystore keystore.jks
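
A pre-flight check for step 6.2, as an added example that is not part of the original question or answer: keytool installs a certificate reply only when it can build a chain from the reply to a CA certificate it can find, and `check_chain` below asks OpenSSL the same question for one specific root. The helper names, the `otherCA` certificate, the 2048-bit keys and the temporary files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example; every subject name and file here is constructed for the demo.

# check_chain ROOT LEAF: succeed only if LEAF was issued by ROOT.
check_chain() {
    issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    # Name chaining: the reply's issuer must equal the CA's subject.
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || return 1
    # Signature and validity, with ROOT supplied as the trust anchor.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed CA certificate with basicConstraints CA:TRUE.
make_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue DIR CA NAME: key pair and CSR for NAME, signed by CA as in step 4.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" -config "$1/$2.cnf" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -days 30 -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$1/$3.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" rootCA && make_ca "$d" otherCA && issue "$d" rootCA domain1 || return 1
    check_chain "$d/rootCA.crt" "$d/domain1.crt" && echo "rootCA: chain OK"
    check_chain "$d/otherCA.crt" "$d/domain1.crt" || echo "otherCA: no chain to this CA"
    rm -rf "$d"
}
demo
```

Against the real files from the question, the call is `check_chain rootCA.crt domain1.crt`; a zero exit status means the reply chains to that root.
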
Licensed under: CC-BY-SA with attribution