bg-tutorials

How to Install an SSL Certificate on GlassFish

In this tutorial, you will learn how to install an SSL certificate on GlassFish (now Eclipse GlassFish) using the Java keytool utility and the asadmin command line.

Generate a CSR code for GlassFish

The first step when ordering an SSL certificate is to create a CSR (Certificate Signing Request) and send it to your Certificate Authority (your SSL provider). The CSR is a block of text containing details about your website and organization. The CA uses it to verify your identity, so if the CSR contains incorrect or outdated information, the CA will not sign your certificate.

On GlassFish, the CSR is generated with keytool from a Java keystore, and that same keystore holds the private key you will reuse during installation. You have two options:

You can open your CSR file with any text editor (for example, Notepad). Before sending it to your CA, we recommend a final check for typos or errors. Use our CSR decoder tool to inspect it.

Depending on your certificate’s validation type, issuance takes anywhere from a few minutes to a couple of business days. Once the SSL files arrive in your inbox, continue with the installation below.

Install an SSL certificate on GlassFish

The key idea behind a GlassFish installation is that your signed certificate must end up attached to the private key created with your CSR. You do this by importing the certificate chain and the signed certificate into the keystore that already contains that key, the same one you used to generate the CSR.

Step 1: Extract your certificate files

Your CA emails the certificate to the address you provided, usually as a ZIP archive. Extract it. The files arrive in one of two formats:

  • PEM: separate files, typically a .crt (your server certificate) and a .ca-bundle (the root and intermediate certificates).
  • PKCS#7: a single .p7b (or .cer) file that already bundles your certificate together with the full chain.

Step 2: Upload the SSL files to your GlassFish server

Upload the extracted files to the server, into the same directory as the keystore you generated your CSR from (referred to below as mykeystore.jks). PEM format requires two import commands; PKCS#7 needs just one. Pick the format that matches your files.

PEM format. Import the CA bundle first so keytool can build a complete trust chain, then import your server certificate. Import the CA bundle with:

keytool -import -trustcacerts -alias ca -file file.ca-bundle -keystore mykeystore.jks

Use any name you like for this chain entry’s alias (here, ca), as long as it differs from your private-key alias. Next, import your signed server certificate into the existing private-key alias, the alias you used when generating the CSR:

keytool -import -trustcacerts -alias myalias -file file.crt -keystore mykeystore.jks

Here, myalias must be the alias that already holds your private key. Because that alias has a key, keytool treats this import as a certificate reply and binds the signed certificate to the key. This is the step that makes HTTPS work; see the warning below.

PKCS#7 format. A .p7b already contains the full chain, so a single command imports everything at once, again into the private-key alias:

keytool -import -trustcacerts -alias myalias -file file.p7b -keystore mykeystore.jks

keytool prompts for your keystore password. As above, myalias must match your existing private-key alias. If you don’t remember the alias, list the keystore’s contents:

keytool -list -v -keystore mykeystore.jks

Look for the entry whose type is PrivateKeyEntry; that alias is the one your signed certificate must be imported into.

⚠️ Critical pitfall: do not import the signed certificate under a brand-new alias. If the alias has no existing private key, keytool stores the certificate as a standalone trusted entry with no key attached, and TLS will fail. Always import the reply into the alias that already holds the key (default GlassFish alias: s1as).

Step 3: Import into the default GlassFish keystore

With your certificate in place, import your keystore into the default GlassFish keystore. On a default install it lives in the domain’s config directory, for example glassfish/domains/domain1/config/keystore.jks (older GlassFish 4 builds nest this under a glassfish4/ top folder). The matching truststore is cacerts.jks in the same directory.

Note: GlassFish creates domain1 by default. If you added your own domain, use its directory instead.

Import your keystore into the GlassFish keystore with:

keytool -importkeystore -srckeystore mykeystore.jks -destkeystore keystore.jks

Step 4: Match the keystore passwords

The password for the GlassFish keystore must match the GlassFish master password for the domain. If the master password, the keystore password, and the private-key password don’t all match, GlassFish cannot unlock the key and your SSL certificate won’t work. (On a fresh domain, the default keystore password is changeit.)

Step 5: Update your GlassFish configuration

After a successful import, point GlassFish’s HTTPS listener at your certificate so it serves the new certificate instead of the default self-signed one. You can do this from the browser via the GlassFish Administration Console, or manually by editing domain.xml.

Option A: Administration Console. First, enable secure administration for the domain:

asadmin enable-secure-admin

Restart the GlassFish domain (the default is domain1) so the change takes effect:

asadmin restart-domain domain1

Now open the console at https://yoursite.com:4848. Dismiss the self-signed certificate warning and continue. Navigate to Configurations > server-config > HTTP Service > HTTP Listeners > http-listener-2.

Open the SSL tab and, in the Certificate Nickname field, enter your certificate alias (the same as your keystore alias). Then switch to the General tab and change the listener port to 443. GlassFish uses 8181 for HTTPS by default. Save your changes.

Occasionally not every configuration reference updates to the new alias in the console. If that happens, finish the change manually in domain.xml (Option B).

Option B: Edit domain.xml. The domain.xml file resides in the same config directory, for example glassfish/domains/domain1/config/domain.xml. For a safe edit, stop the domain first:

asadmin stop-domain domain1

Open domain.xml in a text editor and use Find (Ctrl+F) to locate s1as, the default GlassFish certificate alias. Replace every occurrence of s1as with your certificate alias (in this guide, myalias). Updating all of them also secures the Administration Console with your certificate.

Save domain.xml and start the domain again:

asadmin start-domain domain1

Congratulations, your SSL certificate is now installed on your GlassFish server.

Test your SSL installation

After installing the certificate, run our SSL checker to test the status of your installation. The instant scan reveals any errors or vulnerabilities (such as a missing intermediate certificate or an untrusted chain) that could affect how browsers treat your certificate.

Where to buy an SSL certificate for GlassFish?

The best place to shop for an SSL certificate for GlassFish is SSL Dragon. We offer some of the lowest prices on the market and regular discounts across our full range of SSL products, and we’ve partnered with the best SSL brands in the industry for strong encryption and dedicated support. All our SSL certificates are compatible with GlassFish.

To help you choose, we built two free tools. Our SSL Wizard needs just a few seconds to find the best SSL deal for your project and budget.

Frequently Asked Questions

What is the default keystore and alias on GlassFish?

A GlassFish domain ships with two JKS files in its config directory: keystore.jks, which holds private keys, and cacerts.jks, the truststore of trusted CA certificates. Both sit in domains/domain1/config/ by default. The default certificate alias used by the secure HTTP listener is s1as, and the default keystore password is changeit.

Why does my GlassFish SSL certificate not work after importing it?

The usual cause is importing the signed certificate under a new alias instead of the alias that already holds your private key. keytool then stores it as a trusted certificate entry with no key, so GlassFish cannot complete a TLS handshake. Re-import the signed reply into the existing private-key alias (default s1as). The second most common cause is a password mismatch; the keystore, key, and domain master password must all be identical.

Do I import the CA bundle or the certificate first?

Import the CA bundle (root and intermediate certificates) first, as a trusted entry. This lets keytool build a complete chain when you then import your signed server certificate into the private-key alias. With a PKCS#7 (.p7b) file the chain is already bundled, so a single import handles everything.

How do I restart GlassFish after changing the SSL configuration?

Run asadmin restart-domain domain1 to apply changes in one step, or stop and start the domain separately with asadmin stop-domain domain1 followed by asadmin start-domain domain1. A restart is required after enabling secure admin and after editing domain.xml.

Which port does GlassFish use for HTTPS?

By default, the secure listener (http-listener-2) uses port 8181, and the Administration Console uses port 4848. To serve HTTPS on the standard port, change the listener port to 443 in the Admin Console or in domain.xml.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.