Oracle GlassFish Server 3.0.1 Administration Guide

Administering JSSE Certificates

In the developer profile, the GlassFish Server 3.0.1 uses the JSSE format on the server side to manage certificates and key stores. In all profiles, the client side (appclient or stand-alone) uses the JSSE format.

The J2SE SDK ships with the keytool utility, which enables you to set up and work with Java Secure Socket Extension (JSSE) digital certificates. You can administer public/private key pairs and associated certificates, and cache the public keys (in the form of certificates) of their communicating peers.

The following topics are addressed here:

ProcedureTo Generate a Certificate by Using keytool

By default, the keytool utility creates a keystore file in the directory where the utility is run.

Before You Begin

To run the keytool utility, your shell environment must be configured so that the J2SE /bin directory is in the path, otherwise the full path to the utility must be present on the command line.

  1. Change to the directory that contains the keystore and truststore files.

    Always generate the certificate in the directory containing the keystore and truststore files. The default is domain-dir/config.

  2. Generate the certificate in the keystore file, keystore.jks, using the following command format:


    keytool -genkey -alias keyAlias-keyalg RSA
     -keypass changeit
     -storepass changeit
    keystore keystore.jks

    Use any unique name as your keyAlias. If you have changed the keystore or private key password from the default (changeit), substitute the new password for changeit. The default key password alias is s1as.

    A prompt appears that asks for your name, organization, and other information.

  3. Export the generated certificate to the server.cer file (or client.cer if you prefer), using the following command format:


    keytool -export -alias keyAlias-storepass changeit
     -file server.cer
     -keystore keystore.jks
  4. If a certificate signed by a certificate authority is required, see To Sign a Certificate by Using keytool.

  5. Create the cacerts.jks truststore file and add the certificate to the truststore, using the following command format:


    keytool -import -v -trustcacerts
    -alias keyAlias
     -file server.cer
    -keystore cacerts.jks
     -keypass changeit

    If you have changed the keystore or private key password from the default (changeit), substitute the new password.

    Information about the certificate is displayed and a prompt appears asking if you want to trust the certificate.

  6. Type yes, then press Enter.

    Information similar to the following is displayed:


    Certificate was added to keystore
    [Saving cacerts.jks]
  7. To apply your changes, restart GlassFish Server. See To Restart a Domain.


Example 11–10 Creating a Self-Signed Certificate in a JKS Keystore by Using an RSA Key Algorithm

RSA is public-key encryption technology developed by RSA Data Security, Inc.


keytool  -genkey -noprompt -trustcacerts -keyalg RSA -alias ${cert.alias} 
-dname  ${dn.name} -keypass ${key.pass} -keystore ${keystore.file} 
-storepass ${keystore.pass}


Example 11–11 Creating a Self-Signed Certificate in a JKS Keystore by Using a Default Key Algorithm


keytool -genkey -noprompt -trustcacerts -alias ${cert.alias} -dname  
${dn.name} -keypass ${key.pass} -keystore ${keystore.file} -storepass 
${keystore.pass}


Example 11–12 Displaying Available Certificates From a JKS Keystore


keytool -list -v  -keystore ${keystore.file} -storepass ${keystore.pass}


Example 11–13 Displaying Certificate information From a JKS Keystore


keytool -list -v  -alias ${cert.alias} -keystore ${keystore.file} 
-storepass ${keystore.pass}

See Also

For more information about keytool, see the keytool reference page.

ProcedureTo Sign a Certificate by Using keytool

After creating a certificate, the owner must sign the certificate to prevent forgery. E-commerce sites, or those for which authentication of identity is important, can purchase a certificate from a well-known Certificate Authority (CA).


Note –

If authentication is not a concern, for example if private secure communications are all that is required, you can save the time and expense involved in obtaining a CA certificate by using a self-signed certificate.


  1. Follow the instructions on the CA's web site for generating certificate key pairs.

  2. Download the generated certificate key pair.

    Save the certificate in the directory containing the keystore and truststore files. The default is domain-dir/config.

  3. In your shell, change to the directory containing the certificate.

  4. Import the certificate into the local keystore and, if necessary, the local truststore using the following command format:


    keytool -import -v -trustcacerts
    -alias keyAlias
     -file server.cer
    -keystore cacerts.jks
     -keypass changeit
    -storepass changeit

    If the keystore or private key password is not the default password, then substitute the new password for the default (changeit).

  5. To apply your changes, restart GlassFish Server.

    See To Restart a Domain.


Example 11–14 Importing an RFC/Text-Formatted Certificate Into a JKS Keystore

Certificates are often stored using the printable encoding format defined by the Internet Request for Comments (RFC) 1421 standard instead of their binary encoding. This certificate format, also known as Base 64 encoding, facilitates exporting certificates to other applications by email or through some other mechanism.


keytool -import -noprompt -trustcacerts -alias ${cert.alias} -file 
${cert.file} -keystore ${keystore.file} -storepass ${keystore.pass}


Example 11–15 Exporting a Certificate From a JKS Keystore in PKCS7 Format

The reply format defined by the Public Key Cryptography Standards #7, Cryptographic Message Syntax Standard, includes the supporting certificate chain in addition to the issued certificate.


keytool -export -noprompt -alias ${cert.alias} -file ${cert.file} 
-keystore ${keystore.file} -storepass ${keystore.pass}


Example 11–16 Exporting a Certificate From a JKS Keystore in RFC/Text Format


keytool -export -noprompt -rfc -alias ${cert.alias} -file 
${cert.file} -keystore ${keystore.file} -storepass ${keystore.pass}

See Also

For more information about keytool, see the keytool reference page.

ProcedureTo Delete a Certificate by Using keytool

Use the keytool -delete command to delete an existing certificate.

  1. Delete a certificate using the following command format:

    keytool -delete
     -alias keyAlias
     -keystore keystore-name
     -storepass password
    

Example 11–17 Deleting a Certificate From a JKS Keystore


keytool -delete -noprompt -alias ${cert.alias}  -keystore ${keystore.file} 
-storepass ${keystore.pass}

See Also

For more information about keytool, see the keytool reference page.