Certificate Management Service:Install an SSL certificate on a GlassFish server (Linux)

Last Updated: Dec 03, 2025

This topic describes how to install an SSL certificate on a GlassFish server. The process includes downloading and uploading certificate files, configuring the certificate, certificate chain, and private key on the GlassFish server, and verifying the installation.

Important

This topic uses the default domain1 container in glassfish-4.1.2-web on a Linux operating system as an example. The deployment steps may vary depending on your operating system or GlassFish server version. If you have questions, contact your business manager.

Prerequisites

  • You have purchased and requested a certificate from Certificate Management Service, and its Status is Issued. For more information, see Purchase a commercial certificate and Request a certificate.

  • The domain name is correctly resolved to the server.

  • You have administrative permissions for the server, such as a root account or an account with sudo privileges.

Procedure

Step 1: Download the SSL certificate

  1. Go to the SSL Certificate Management page, find the certificate that you want to deploy, and confirm the following information:

    1. Certificate Status: The status must be Issued. If the status is Pending Expiration or Expired, you must renew the SSL certificate.

    2. Bound Domains: This setting must match all the domain names that you want to protect. Otherwise, a security warning appears when an unmatched domain name is accessed over HTTPS. To add or modify domain names, see Append and replace domain names.

      Check whether the certificate matches the target domain name

      The Bound Domains of a certificate can include multiple exact-match and wildcard domain names. The matching rules for each type of domain name are as follows:

      • Exact-match domain name: Applies only to the specified domain name.

        • example.com applies only to example.com.

        • www.example.com applies only to www.example.com.

      • Wildcard domain name: Applies only to its first-level subdomains.

        • *.example.com applies to first-level subdomains such as www.example.com and a.example.com.

        • *.example.com does not apply to the root domain example.com or multi-level subdomains such as a.b.example.com.

      Note

      To match multi-level subdomains, the Bound Domains field must contain the exact domain name, such as a.b.example.com, or a corresponding wildcard domain name, such as *.b.example.com.

  2. In the Actions column for the target certificate, click More, and then on the Download tab, download the certificate whose Server Type is Other.

  3. Unzip the downloaded certificate package:

    • If the package contains a certificate file (.pem) and a private key file (.key), save both files. You will need them for deployment.

    • If the package contains only a certificate file (.pem) and not a private key file (.key), you must deploy the certificate with the private key file that you saved locally.

      Note

      If you used a tool such as OpenSSL or Keytool to generate a Certificate Signing Request (CSR) file when applying for a certificate, the private key file was saved only on your local machine. The downloaded certificate package does not include the private key. If the private key is lost, the certificate is unusable. You must purchase a commercial certificate again and generate a new CSR and private key.

Step 2: Install the certificate on the GlassFish server

  1. Log on to your Linux server.

    Alibaba Cloud server

    The following steps use Alibaba Cloud Elastic Compute Service (ECS) as an example. For other types of servers, see the corresponding product documentation.

    1. Log on to the ECS console. In the upper-left corner, select the region where the target ECS instance is located.

    2. In the left navigation pane, select Instances & Images > Instances. On the Instances page, find the target ECS instance and click Connect in the Actions column.

    3. In the dialog box that appears, select Workbench and click Sign in now.

    4. Select Terminal as the connection method, enter the required authentication information, and follow the on-screen prompts to log on to the server terminal. For more information, see Log on to an ECS instance using Workbench.

      Note

      If a note to add security group rules appears, click Add Now.

    Servers from other cloud providers

    Use the remote connection feature provided by the cloud provider to log on to the server terminal.

    Non-cloud servers (such as physical servers or IDC-hosted servers)

    Use an SSH tool to log on to the server terminal from your local computer.

    • Windows: In Command Prompt (cmd) or PowerShell, run: ssh username@serverIP. If the ssh command is not supported, you can use third-party software such as PuTTY or WinSCP to connect.

    • macOS/Linux: In the built-in Terminal, run: ssh username@serverIP.

    Some of the following commands vary based on the operating system. Choose the commands that apply to your server's operating system.

    • RHEL/CentOS series: Includes Alibaba Cloud Linux, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Anolis OS, and their derivatives.

    • Debian/Ubuntu series: Includes Debian, Ubuntu, and their derivatives.

    How to identify the operating system series

    Run cat /etc/os-release in the server terminal and check the values of ID_LIKE and ID in the output:

    • If ID_LIKE or ID contains rhel or centos, the operating system belongs to the RHEL/CentOS series.

    • If ID_LIKE or ID contains debian or ubuntu, the operating system belongs to the Debian/Ubuntu series.

  2. Open port 443 in the security group and firewall.

    1. Run the following command in the server terminal to check whether port 443 is open:

      RHEL/CentOS

      command -v nc > /dev/null 2>&1 || sudo yum install -y nc
      # Replace <your_server_public_ip> with the public IP address of your server.
      sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443

      If the output is Ncat: Connected to <your_server_public_ip>:443, port 443 is open. Otherwise, open port 443 in the security group and firewall.

      Debian/Ubuntu

      command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat-openbsd
      # Replace <your_server_public_ip> with the public IP address of your server.
      sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443

      If the output is Connection to <your_server_public_ip> port [tcp/https] succeeded! or [<your_server_public_ip>] 443 (https) open, port 443 is open. Otherwise, open port 443 in the security group and firewall.

    2. Open port 443 in your security group configuration.

      Important

      If your server is deployed on a cloud platform, make sure that its security group allows inbound traffic on TCP port 443. Otherwise, the service will be inaccessible. The following steps use Alibaba Cloud ECS as an example. For other cloud platforms, refer to their official documentation.

      Go to the Elastic Compute Service (ECS) instances page and click the target instance name to go to the instance details page. In the Security Group Details section, add a rule with Action set to Allow, Protocol to Custom TCP, Destination (Current Instance) to HTTPS (443), and Source to 0.0.0.0/0 (anywhere). For more information, see Add a security group rule.

    3. Open port 443 in your firewall.

      Run the following command to identify the active firewall service on your system:

      if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
          echo "firewalld"
      elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then
          echo "ufw"
      elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then
          echo "nftables"
      elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then
          echo "iptables"
      elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then
          echo "iptables"
      else
          echo "none"
      fi

      If the output is none, no further action is required. Otherwise, run the corresponding command below based on the output (firewalld, ufw, nftables, or iptables) to open port 443:

      firewalld

      sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reload

      ufw

      sudo ufw allow 443/tcp

      nftables

      sudo nft add table inet filter 2>/dev/null
      sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null
      sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/null

      iptables

      sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

      To make sure that the iptables rules persist after a system reboot, run the following commands:

      RHEL/CentOS

      sudo yum install -y iptables-services
      sudo service iptables save

      Debian/Ubuntu

      sudo apt-get install -y iptables-persistent
      sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null

  3. Create a directory in the GlassFish installation directory to store certificates.

    1. Go to the GlassFish installation directory.

      In this example, glassfish4 is installed in the /home directory. Adjust the path as needed.

      cd /home/glassfish4

    2. Create a certificate directory named cert.

      mkdir cert

  4. Upload the certificate file and the private key file to the cert folder.

    Note

    You can use the local file upload feature of a remote logon tool, such as PuTTY, XShell, or WinSCP, to upload files. If you are using an Alibaba Cloud Elastic Compute Service (ECS) instance, for more information about how to upload files, see Upload or download files.

  5. In the cert directory, run the openssl command to convert the downloaded PEM certificate to PKCS12 format. Set the password to changeit, name the file mycert.p12, and set the alias to s1as.

    Note

    Replace domain_name.pem and domain_name.key with your actual certificate file and private key file.

    changeit is the default password for the built-in certificate in the GlassFish server. If you have changed it, use your actual certificate password.

    openssl pkcs12 -export -in domain_name.pem -inkey domain_name.key -out mycert.p12 -passout pass:changeit -name s1as

  6. In the cert directory, run the keytool command to convert mycert.p12 to JKS format. Name the file keystore.jks and set the alias to s1as.

    keytool -importkeystore -destkeystore keystore.jks -srckeystore mycert.p12 -srcstoretype PKCS12 -alias s1as

    After you run the keytool command, you are prompted to set a password for keystore.jks and enter the original password for mycert.p12. Enter changeit for both.

  7. In the cert directory, run the keytool command to import the downloaded PEM certificate into a new JKS truststore. Name the file cacerts.jks and set the alias to s1as.

    Replace domain_name.pem with your actual certificate file.

    keytool -importcert -trustcacerts -destkeystore cacerts.jks -file domain_name.pem -alias s1as

    After you run the keytool command, you are prompted to set a password for cacerts.jks. Set the password to changeit.

  8. In the cert directory, run the following commands to replace the cacerts.jks and keystore.jks files in the /home/glassfish4/glassfish/domains/domain1/config directory.

    • Replace cacerts.jks

      cp ./cacerts.jks /home/glassfish4/glassfish/domains/domain1/config

    • Replace keystore.jks

      cp ./keystore.jks /home/glassfish4/glassfish/domains/domain1/config

  9. Edit the /home/glassfish4/glassfish/domains/domain1/config/domain.xml configuration file to change the port numbers.

    Locate the network-listeners section, shown in the following figure, and modify the port numbers as in the example below. Before you modify the ports, make sure that ports 80 and 443 are not in use.

    [Figure: the network-listeners section of domain.xml]

    <network-listeners>
      <network-listener protocol="http-listener-1" port="80" name="http-listener-1" thread-pool="http-thread-pool" transport="tcp"></network-listener>
      <network-listener protocol="http-listener-2" port="443" name="http-listener-2" thread-pool="http-thread-pool" transport="tcp"></network-listener>
      <network-listener protocol="admin-listener" port="4848" name="admin-listener" thread-pool="admin-thread-pool" transport="tcp"></network-listener>
    </network-listeners>

  10. Go to the /home/glassfish4/glassfish/bin directory and run the following command to restart the server:

    ./asadmin restart-domain domain1
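The port change in step 9 can also be applied to domain.xml with a script that refuses to proceed when a target port is already taken and keeps a backup of the original file. The following is an added example, not code from this page or from GlassFish; SAMPLE_DOMAIN_XML is a constructed excerpt with the default ports of a fresh domain1 (8080, 8181, 4848), and the function names are this example's own.

```python
"""Added example, not code from the Alibaba Cloud page or from GlassFish: apply the
Step 9 port change to domain.xml programmatically, refusing to proceed when a
target port is already taken, and keeping a backup of the original file."""
import socket
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of domain.xml, with the default ports a
# fresh GlassFish domain1 uses; the real file contains much more.
SAMPLE_DOMAIN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain>
  <!-- other configuration omitted in this sample -->
  <network-listeners>
    <network-listener protocol="http-listener-1" port="8080" name="http-listener-1" thread-pool="http-thread-pool" transport="tcp"></network-listener>
    <network-listener protocol="http-listener-2" port="8181" name="http-listener-2" thread-pool="http-thread-pool" transport="tcp"></network-listener>
    <network-listener protocol="admin-listener" port="4848" name="admin-listener" thread-pool="admin-thread-pool" transport="tcp"></network-listener>
  </network-listeners>
</domain>
"""

# Ports the page assigns: plain HTTP on 80, the TLS listener (http-listener-2) on 443.
TARGET_PORTS = {"http-listener-1": 80, "http-listener-2": 443}


def port_in_use(port, host="127.0.0.1"):
    """True if some process already accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(0.5)
        return sock.connect_ex((host, port)) == 0


def _parse(xml_text):
    # insert_comments=True keeps the comments GlassFish writes inside the root element.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def listener_ports(xml_text):
    """Map each network-listener name to its current port."""
    return {nl.get("name"): int(nl.get("port"))
            for nl in _parse(xml_text).iter("network-listener")}


def set_listener_ports(xml_text, targets):
    """Return domain.xml text with the listeners in targets moved to the given ports.
    Raises ValueError if a named listener does not exist, so a typo cannot pass silently."""
    root = _parse(xml_text)
    found = set()
    for nl in root.iter("network-listener"):
        name = nl.get("name")
        if name in targets:
            nl.set("port", str(targets[name]))
            found.add(name)
    missing = sorted(set(targets) - found)
    if missing:
        raise ValueError("listeners not found in domain.xml: %s" % missing)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def update_domain_xml(path, targets=TARGET_PORTS):
    """Check the target ports are free, back up domain.xml to <path>.bak, rewrite it,
    and return the resulting name -> port map. GlassFish must be restarted afterwards."""
    busy = [p for p in targets.values() if port_in_use(p)]
    if busy:
        raise RuntimeError("ports already in use, stop the conflicting service first: %s" % busy)
    with open(path, encoding="utf-8") as f:
        original = f.read()
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    updated = set_listener_ports(original, targets)
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    return listener_ports(updated)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. /home/glassfish4/glassfish/domains/domain1/config/domain.xml
        print(update_domain_xml(sys.argv[1]))
    else:
        print(set_listener_ports(SAMPLE_DOMAIN_XML, TARGET_PORTS))
```

Two caveats when running this against a real domain.xml: ElementTree does not preserve comments that sit outside the root element (such as a license header), which is why the script writes a .bak copy first; and binding ports 80 and 443 on Linux requires the GlassFish process to run as root or hold CAP_NET_BIND_SERVICE, so check how the domain is started before restarting it.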

Step 3: Verify the installation

  1. Access your domain over HTTPS in a web browser. For example, https://yourdomain. Replace yourdomain with your actual domain.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.

    Starting from Chrome version 117, the lock icon in the address bar has been replaced with a new icon. Click this icon to view the site's security information.

Note

If the issue persists, see the FAQ section for troubleshooting.

FAQ

Why is my certificate not working or HTTPS inaccessible after installation or update?

Common causes include the following:

  • Port 443 is not open in the server's security group or firewall. For more information, see Open port 443 in the security group and firewall.

  • The certificate's Bound Domains does not include the domain name being accessed. For more information, see Check whether the certificate matches the target domain name.

  • You modified the GlassFish application configuration file but did not restart the GlassFish service. For more information, see Restart the GlassFish service.

  • The certificate file was not replaced correctly, or the certificate path was specified incorrectly in the GlassFish configuration. Ensure that the certificate configuration in GlassFish and the certificate file are both up-to-date and valid.

  • Missing certificate on other services: If your domain uses services such as a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must also be installed on those services. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services to complete the setup.

  • Incomplete deployment on multiple servers: If your domain's DNS resolves to multiple servers, the certificate must be installed on all of them.
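The Bound Domains matching rules from Step 1 and the checks behind the Step 3 verification and this FAQ can be scripted so that the failure cause is reported directly. The following is an added example, not code from this page or from GlassFish; the hostnames and SAMPLE_CERT are constructed (SAMPLE_CERT only mimics the dict shape that Python's ssl.SSLSocket.getpeercert() returns), and the function names are this example's own. It goes slightly beyond the page by also checking the notAfter date and by mapping connection errors to the FAQ causes.

```python
"""Added example, not code from the Alibaba Cloud page or from GlassFish:
apply the Bound Domains matching rules from Step 1 to a hostname, and run the
same checks against the certificate a live server presents on port 443."""
import socket
import ssl
import sys
import time


def domain_matches(bound, hostname):
    """Return True if a single Bound Domains entry covers hostname.

    Rules as stated on the page:
      - an exact-match entry (example.com, www.example.com) covers only that name;
      - a wildcard entry (*.example.com) covers first-level subdomains only, so it
        covers www.example.com but neither example.com nor a.b.example.com.
    """
    bound = bound.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if bound.startswith("*."):
        suffix = bound[2:]                        # "example.com" for "*.example.com"
        if not hostname.endswith("." + suffix):
            return False                          # root domain or unrelated name
        label = hostname[: -(len(suffix) + 1)]    # the part left of ".example.com"
        return label != "" and "." not in label   # exactly one extra label
    return bound == hostname


def covered_by(bound_domains, hostname):
    """Return the Bound Domains entry that covers hostname, or None."""
    for entry in bound_domains:
        if domain_matches(entry, hostname):
            return entry
    return None


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2026 GMT")  # constructed "now"


def evaluate_peer_cert(cert, hostname, now=None):
    """Check a getpeercert() dict against hostname and the clock.
    Returns a list of problems; an empty list means the certificate is usable."""
    now = time.time() if now is None else now
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        problems.append("certificate carries no DNS subjectAltName entries")
    elif covered_by(sans, hostname) is None:
        problems.append("%s is not covered by the certificate's domains %s" % (hostname, sans))
    not_after = cert.get("notAfter")
    if not_after is None:
        problems.append("certificate has no notAfter field")
    elif ssl.cert_time_to_seconds(not_after) < now:
        problems.append("certificate expired on %s; renew it before redeploying" % not_after)
    return problems


def check_live(hostname, port=443, timeout=5.0):
    """Connect with SNI, verify the chain against the system trust store the way a
    browser would, then run evaluate_peer_cert. Maps the FAQ's causes to messages."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return evaluate_peer_cert(tls.getpeercert(), hostname)
    except ConnectionRefusedError:
        return ["TCP %d refused: GlassFish not listening, or port closed in the firewall/security group" % port]
    except socket.timeout:
        return ["TCP %d timed out: port probably blocked by the security group or firewall" % port]
    except ssl.SSLCertVerificationError as exc:
        return ["chain/hostname verification failed (incomplete chain, old keystore, "
                "or domain not in Bound Domains): %s" % exc.verify_message]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        issues = check_live(sys.argv[1])
        print("OK: certificate for %s is valid" % sys.argv[1] if not issues else "\n".join(issues))
    else:
        for host in ("www.example.com", "example.com", "a.b.example.com"):
            print(host, "->", covered_by(["example.com", "*.example.com"], host))
```

Run it with the real domain as the argument after the restart; running it from a machine outside the security group also exercises the port 443 rule, which a check from the server itself may not.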

How do I update (replace) an installed SSL certificate in GlassFish?

Back up the original certificate files (.pem and .key) on your server. Log on to the Certificate Management Service console, download the new certificate files, and upload them to your server to overwrite the old files. Ensure that the path and filenames remain the same. Because GlassFish reads the converted keystore.jks and cacerts.jks rather than the PEM files directly, regenerate those files from the new certificate and copy them into the domain1 config directory as described in steps 5 to 8 of Step 2. Finally, restart the GlassFish service for the new certificate to take effect.