bg-tutorials

How to Generate a CSR on GlassFish

This tutorial shows you how to generate a CSR (Certificate Signing Request) for GlassFish (now Eclipse GlassFish) using the Java keytool utility.

GlassFish is unusual in one helpful way: a fresh install already ships with a keystore (keystore.p12 on Eclipse GlassFish 7.1 and newer, or keystore.jks on older builds) and a default certificate entry under the alias s1as. You can generate the CSR directly from that existing key, or replace it with a fresh key under the same alias. Either way, the same alias is reused when you import the signed certificate, so the key, the CSR, and the issued certificate all live in one place.

What you will need

  • A working GlassFish (or Eclipse GlassFish) installation. The default keystore lives in the domain’s config directory, for example glassfish/domains/domain1/config/keystore.p12 on Eclipse GlassFish 7.1 and newer, or keystore.jks on older builds.
  • A Java installation so the keytool command is available. GlassFish ships with a JDK, so keytool is normally already on the path. Confirm with keytool -help.
  • Shell or terminal access on the GlassFish server. The private key must stay on this server.
  • The exact fully qualified domain name (FQDN) you want to secure, for example www.yourdomain.com, plus any extra hostnames for the SAN field.
  • Your organization’s legal details (country, state, locality, organization name) for the CSR’s Distinguished Name.
  • The GlassFish master password for the domain. The factory default is changeit; change it on production systems with asadmin change-master-password.

Two ways to generate the CSR

If you already generated your CSR, skip ahead to submit the CSR and then to install your SSL certificate on GlassFish.

There are two common keytool flows on GlassFish. Pick the one that matches your situation:

  • Option A: Generate the CSR from the existing s1as key (recommended). A new GlassFish domain already has a private key under the alias s1as inside the default keystore (keystore.p12 on 7.1+, keystore.jks on older). The fastest, lowest-risk path is to leave that key in place and just export a CSR from it. Jump to Option A.
  • Option B: Replace the default s1as key with a fresh key, then generate the CSR. Use this if you want a known, current key size and DN, or if you suspect the default key has been used or exposed. Jump to Option B.

Whichever option you pick, the alias must stay s1as (or, if you change it, you must also update domain.xml to match). GlassFish’s HTTPS listener looks up the certificate by alias, so a mismatched alias means GlassFish cannot find the key and TLS will not start.

Option A: Generate the CSR from the existing s1as key

Step 1: Switch to the GlassFish config directory

Open a terminal and change to the directory that holds the keystore for your domain. On a default install, that is the config folder of domain1:

cd /opt/glassfish7/glassfish/domains/domain1/config

Adjust the path to match where you installed GlassFish (older GlassFish 4 builds nest the install under a glassfish4/ top folder; Eclipse GlassFish 6, 7, and 8 typically install under glassfish7/, glassfish8/, or similar). If you created your own domain, swap domain1 for that domain’s name. Run ls *.p12 *.jks in this directory to confirm the keystore filename: on Eclipse GlassFish 7.1 and newer you will see keystore.p12; on older builds you will see keystore.jks. Substitute that filename wherever the commands below show keystore.jks.

Step 2: Confirm the s1as entry exists

List the keystore contents and check that s1as is present and is a PrivateKeyEntry:

keytool -list -v -keystore keystore.jks -alias s1as

Enter the keystore password (factory default changeit; on a production server it should match your domain master password). The output should include the line Entry type: PrivateKeyEntry. If you instead get the message Alias <s1as> does not exist, switch to Option B and create a fresh entry.

Step 3: Export the CSR with SAN

Modern browsers and TLS clients validate certificates against the Subject Alternative Name (SAN) extension, not against the Common Name alone. Request the SANs directly in the CSR so the CA includes them in the issued certificate:

keytool -certreq \
  -alias s1as \
  -keystore keystore.jks \
  -file glassfish.csr \
  -ext san=dns:yourdomain.com,dns:www.yourdomain.com

What the flags mean:

  • -alias s1as: the existing GlassFish certificate alias. The private key under this alias signs the request.
  • -keystore keystore.jks: the default GlassFish keystore file. Eclipse GlassFish 7.1 and newer ship a PKCS12 keystore named keystore.p12; older builds use a JKS keystore named keystore.jks. Use whichever filename actually exists in this directory. The command itself is the same either way; keytool detects the format.
  • -file glassfish.csr: the output filename for the CSR. Pick any name you like.
  • -ext san=dns:…: the Subject Alternative Name extension. List every hostname the certificate must cover, including both the bare apex (yourdomain.com) and the www subdomain. Add more entries comma-separated, for example dns:api.yourdomain.com.

keytool prompts for the keystore password and writes the CSR to glassfish.csr in the current directory. The Subject (Distinguished Name) of the CSR is taken from whatever is stored in the s1as entry; on a fresh GlassFish install that is the auto-generated self-signed certificate, so the DN will not match your company. Most CAs only verify the Common Name and SAN list and let you override the rest of the DN in the order form, but if you need a CSR whose DN already carries your legal company details, use Option B.

Option B: Replace the default s1as key with a fresh one

Use this option when you want full control of the key size and DN, or when you would rather not reuse the factory-generated key. The flow is: delete the default s1as entry, create a new key under the same alias, then export the CSR. Keeping the alias as s1as means you do not have to touch domain.xml afterwards.

Step 1: Back up the keystore

Before you delete anything, copy the current keystore so you can roll back if needed. From the domain’s config directory:

cp keystore.jks keystore.jks.bak

Step 2: Delete the default s1as entry

keytool -delete -alias s1as -keystore keystore.jks

Enter the keystore password when prompted.

Step 3: Create a new private key under the same alias

Generate a fresh 2048-bit RSA key under the alias s1as and supply the DN inline so the command is non-interactive:

keytool -genkeypair \
  -alias s1as \
  -keyalg RSA -keysize 2048 \
  -keystore keystore.jks \
  -dname "CN=www.yourdomain.com, O=Your Company LLC, L=San Jose, ST=California, C=US" \
  -validity 825

What the flags mean:

  • -alias s1as: reuses the default GlassFish alias so domain.xml needs no changes.
  • -keyalg RSA -keysize 2048: a 2048-bit RSA key is the current public minimum. For new keys you plan to keep for several years, 3072 bits is a reasonable upgrade. Most public CAs also accept ECDSA (-keyalg EC -groupname secp256r1) for a smaller, faster key.
  • -keystore keystore.jks: the default GlassFish keystore. Substitute keystore.p12 on Eclipse GlassFish 7.1 and newer. keytool keeps the existing keystore format (JKS on older installs, PKCS12 on 7.1+); both are fine here.
  • -dname “CN=…”: the Distinguished Name fields written into the CSR. Use your exact, legal company details:
  • CN: the exact FQDN you are securing, for example www.yourdomain.com, or a wildcard such as *.yourdomain.com. Do not enter a person’s name, despite keytool’s prompt wording in the interactive mode.
  • O: the full legal name of your company.
  • L: the full city name (do not abbreviate).
  • ST: the full state or province name (do not use a two-letter code).
  • C: the two-letter ISO country code, for example US, GB, DE.
  • OU (Organizational Unit): this field is no longer issued by public CAs. Leave it out of the DN.

keytool prompts for the keystore password and the key password. On a GlassFish domain, the keystore password, the key password, and the domain master password must all match, otherwise GlassFish cannot unlock the key at startup and HTTPS will fail. Press Enter at the key-password prompt to reuse the keystore password.

Step 4: Export the CSR with SAN

Same command as Option A, run against your new key:

keytool -certreq \
  -alias s1as \
  -keystore keystore.jks \
  -file glassfish.csr \
  -ext san=dns:yourdomain.com,dns:www.yourdomain.com

Enter the keystore password. keytool writes the CSR to glassfish.csr in the current directory.

Critical: keep the alias as s1as

The single most common keytool mistake on GlassFish is changing the alias somewhere along the way, either when generating the key or when importing the signed certificate. Two failure modes show up:

  • Wrong alias on the key. GlassFish’s HTTPS listener is wired to s1as in domain.xml. If you generate a key under a different alias, GlassFish cannot find it and the listener falls back to the default self-signed certificate (or fails to start). If you really want a different alias, you must update every s1as reference in domain.xml to match.
  • Wrong alias on the import. When the CA returns your signed certificate, you must import it back into the same alias that holds the private key. Importing under a brand-new alias stores the certificate as a standalone trusted entry with no private key attached, and TLS will not work.

Note these three values before you close the terminal:

  • The alias (default s1as; keep it).
  • The keystore file path, for example glassfish/domains/domain1/config/keystore.p12 (or keystore.jks on older builds).
  • The keystore password (which must equal the domain master password).

Verify the CSR before you submit it

Catch typos in the DN or missing SANs before the CA validates them. Print the CSR with keytool:

keytool -printcertreq -file glassfish.csr

Or, if OpenSSL is installed, use it instead:

openssl req -noout -text -in glassfish.csr

Confirm three things in the output: the Subject shows your exact DN, the Subject Alternative Name lists every hostname you need, and the Public-Key size matches what you asked for (2048-bit RSA, or whatever you chose). You can also paste the CSR into our CSR Decoder for the same check in a browser.

Submit the CSR to your Certificate Authority

Open glassfish.csr in any text editor. The file is plain text, starting with —–BEGIN CERTIFICATE REQUEST—– and ending with —–END CERTIFICATE REQUEST—–. Copy the entire block, including those header and footer lines, and paste it into the CSR field during checkout with your CA. On Windows, use Ctrl + A then Ctrl + C to grab the full text; on macOS, use Cmd + A then Cmd + C.

After the CA validates your request and issues the certificate, continue with how to install your SSL certificate on GlassFish. You will import the CA chain as trusted, then import the signed certificate back into the s1as alias in the same keystore file (keystore.p12 on 7.1+, keystore.jks on older builds), and finally point the HTTPS listener at that alias.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.