How to generate self signed SSL certificate for Glassfish v3 and import it into Java keyring

Java applications that use SSL to consume web services via JAX-WS, or that use HTTP clients, may check the server's SSL certificate at runtime. If your certificate is self-signed, or the Common Name of the certificate does not match the domain name, you will get connection errors.

To be able to develop applications you may need to run them on dev/qa servers and then allow your Java application to consume these services. To do that you will need to import their SSL certificates into your local Java keyring (the same way you add exception rules in your browser).

How to generate a self-signed SSL certificate and put it into the Glassfish keyring

To import certificates into the Java keyring you use keytool. Glassfish v3 uses the same keyring file format to store its SSL certificates and private keys. The problem is that keytool does not allow adding existing private keys into a keystore. Well, at least I could not find a way to do it. So if you have a self-signed SSL certificate (generated using the openssl command) you can't use it as the Glassfish SSL server certificate. You need to use keytool to generate a new one and put it into the keyring together with its private key.

You can run the following command. Replace SOME_ALIAS_NAME with any alias name you want, and change the path so that it points to the keystore:

keytool -genkey -alias SOME_ALIAS_NAME -validity 1000 -keyalg RSA -keysize 1024 -keystore /opt/......./domain1/config/keystore.jks

You have to put your domain name in the common name field or it will cause validation errors. So when asked for your name put the domain name that you will be using to access the SSL service from Java.

Changing the SSL certificate in Glassfish v3

Then go to the Glassfish web administration console and go to: Configuration / Networking Config / Network Listeners / SSL tab

Then put SOME_ALIAS_NAME into the Certificate nickname field on the SSL tab of the network listener that is designated for your application's SSL traffic.

This should work, and your web app will start using the certificate.

Obtaining server's SSL certificate to add an exception rule

If you now go to your application's URL you should get a new SSL warning in your browser, as the certificate has changed. Add an exception rule to allow the traffic. You can also export the certificate from the browser (in Firefox there is an export button on the details view).

You can also run the following, replacing the host and port with your server's name and port:

openssl s_client -connect YOUR_HOSTNAME:PORTNUM 2>&1

Then grab the lines with cert like:


and put them into a file on your local drive. If you exported the certificate from the browser you don't have to do this from the command line any more.
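
The certificate that s_client shows is only worth trusting if it is the one you generated on the server. The following is an added example, not part of the original post: it extracts the PEM block from the s_client output and keeps it only when its SHA-256 fingerprint matches the value read from the server's keystore. The function names, the .tmp suffix and the expected-fingerprint argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post). Host, port, alias and file
# names are placeholders supplied by the caller.

# Print only the first PEM certificate found on stdin. Without -showcerts,
# s_client prints one PEM block: the server's own (leaf) certificate.
extract_first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         p && /-----END CERTIFICATE-----/ { exit }'
}

# Reduce a fingerprint line to bare upper-case hex so both tools compare:
#   openssl x509:     "sha256 Fingerprint=AB:CD:..."
#   keytool -list -v: "SHA256: AB:CD:..."
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/^.*SHA256: *//' |
        tr -d ': \t' | tr 'abcdef' 'ABCDEF'
}

# Fetch the certificate and compare it with the fingerprint read on the server,
# e.g. from: keytool -list -v -alias SOME_ALIAS_NAME -keystore keystore.jks
# Returns 0 and leaves the PEM in OUTFILE only when the fingerprints match.
# usage: fetch_verified_cert HOST PORT EXPECTED_FP OUTFILE
fetch_verified_cert() {
    # </dev/null makes s_client exit after the handshake instead of waiting
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        extract_first_pem > "$4.tmp" || return 1
    got=$(openssl x509 -in "$4.tmp" -noout -fingerprint -sha256) || {
        rm -f "$4.tmp"
        return 1
    }
    if [ "$(normalize_fp "$got")" = "$(normalize_fp "$3")" ]; then
        mv "$4.tmp" "$4"
    else
        rm -f "$4.tmp"
        echo "fingerprint mismatch for $1:$2, certificate not saved" >&2
        return 1
    fi
}
```

Call it as fetch_verified_cert YOUR_HOSTNAME PORTNUM "fingerprint from the server" myserver.crt and import myserver.crt only if it returns success.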

Adding self signed SSL certificate to local Java keystore

Finally you have to add this certificate to the Java keystore so that all Java programs on your machine accept this self-signed SSL certificate. On Mac OS X it would look like this:

sudo $JAVA_HOME/bin/keytool -trustcacerts -import -alias "any_alias_name" -file myserver.crt -keystore /Library/Java/Home/lib/security/cacerts

This should solve the problem and you should not get any SSL connection / handshake errors any more.

Hope it helps :)


Nice article. Thanks to you I've got rid of some browser warnings.
Thanks a lot, mate!
Greetings from Poland, sunny at this time of year!

2014-03-23 10:08

Thanks for this tutorial, it helped a lot. But there is one tiny thing missing:
For the love of god, set the password for your certificate to the same one as the keystore.jks has - aka. "changeit" by default. Setting no password could also work.

It took me forever to resolve wtf is happening. When I chose a different password, my Glassfish admin console didn't want to start, no application wanted to load, then the https listener didn't work and so on. When you look at the log there is the message
SEVERE: Cannot recover key

I hope it helps someone.

2013-01-15 02:01

I came across this post, which seemed to be helpful for my case. However, it didn't resolve my problem. I am getting the Glassfish message: 'INFO: JACC Policy Provider:Failed Permission Check: context (" MyAppName/MyAppName ") , permission (" ( /URLpath GET) ")' when my application attempts to switch to an SSL page. It results in a blank page with the above message on my Glassfish console.

I am a first-time user of Netbeans7.01 and Glassfish3.01 on Fedora1. I configured my secure page according to the instructions. Everything seems to be in place except my application cannot switch to the secure page. I have a lot of questions that need clearer answers. It would be appreciated if anyone could help me get through this show stopper.

1. Do I need a self-signed certificate in my development environment?
2. Isn't the error message really caused by an improper SSL configuration or some Java version incompatibility?

2012-03-09 14:05

About the author

Artur Ejsmont

Hi, my name is Artur Ejsmont,
welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!
