The GlassFish Server automatically creates a signed version of the required JAR file if none exists. When a Java Web Start request for the gf-client.jar file arrives, the GlassFish Server looks for domain-dir/java-web-start/gf-client.jar. When a request for an application's generated application client JAR file arrives, the GlassFish Server looks in the directory domain-dir/java-web-start/app-name for a file with the same name as the generated JAR file created during deployment.
In either case, if the requested signed JAR file is absent or older than its unsigned counterpart, the GlassFish Server creates a signed version of the JAR file automatically and deposits it in the relevant directory. Whether the GlassFish Server just signed the JAR file or not, it serves the file from the domain-dir/java-web-start directory tree in response to the Java Web Start request.
To sign these JAR files, the GlassFish Server uses its self-signed certificate. When you create a new domain, either by installing the GlassFish Server or by using the asadmin create-domain command, the GlassFish Server creates a self-signed certificate and adds it to the domain's key store.
A self-signed certificate is generally untrustworthy because no certification authority vouches for its authenticity. The automatic signing feature uses the same certificate to create all required signed JAR files. To sign different JAR files with different certificates, do the signing manually.