All Products
Search
Document Center

Certificate Management Service:Install an SSL certificate on GlassFish (Linux)

Last Updated:May 14, 2026

This topic describes how to install and configure an SSL certificate on a GlassFish server. It covers downloading and uploading certificate files, configuring the certificate, certificate chain, and private key, and verifying the installation.

Important

This topic uses the default domain1 container in GlassFish 4.1.2-web on Linux as an example. The steps may differ depending on your operating system or GlassFish version.

Before you begin

  • You have purchased and applied for a certificate in Certificate Management Service, and its Status is Issued. To purchase and apply for a certificate, see Purchase a commercial certificate and Apply for a certificate.

  • The domain name is correctly resolved to the server.

  • You have administrative permissions for the server, such as a root account or an account with sudo privileges.

Procedure

Step 1: Download the SSL certificate

  1. Go to the SSL Certificate Management page, find the certificate that you want to deploy, and confirm the following information:

    1. Certificate Status: The status must be Issued. If the status is Pending Expiration or Expired, you must renew the SSL certificate.

    2. Bound Domains: This setting must match all the domain names that you want to protect. Otherwise, a security warning appears when an unmatched domain name is accessed over HTTPS. To add or modify domain names, see Append and replace domain names.

      Check whether the certificate matches the target domain name

      The Bound Domains of a certificate can include multiple exact-match and wildcard domain names. The matching rules for each type of domain name are as follows:

      • Exact-match domain name: Applies only to the specified domain name.

        • example.com applies only to example.com.

        • www.example.com applies only to www.example.com.

      • Wildcard domain name: Applies only to its first-level subdomains.

        • *.example.com applies to first-level subdomains such as www.example.com and a.example.com.

        • *.example.com does not apply to the root domain example.com or multi-level subdomains such as a.b.example.com.

      Note

      To match multi-level subdomains, the Bound Domains field must contain the exact domain name, such as a.b.example.com, or a corresponding wildcard domain name, such as *.b.example.com.

  2. In the Actions column of the target certificate, click More to go to the certificate details page. On the Download tab, download the certificate whose Server Type is Other.

  3. Unzip the downloaded certificate package:

    • If the package contains a certificate file (.pem) and a private key file (.key), save both files. You will need them for deployment.

    • If the package contains only a certificate file (.pem) and not a private key file (.key), you must deploy the certificate with the private key file that you saved locally.

      Note

      If you used a tool such as OpenSSL or Keytool to generate a Certificate Signing Request (CSR) file when applying for a certificate, the private key file was saved only on your local machine. The downloaded certificate package does not include the private key. If the private key is lost, the certificate is unusable. You must purchase a commercial certificate again and generate a new CSR and private key.

Step 2: Install the certificate on GlassFish

  1. Log on to your Linux server.

    Alibaba Cloud server

    The following steps use Alibaba Cloud Elastic Compute Service (ECS) as an example. For other types of servers, see the corresponding product documentation.

    1. Log on to the ECS console. In the upper-left corner, select the region where the target ECS instance is located.

    2. In the left navigation pane, select Instances & Images > Instances. On the Instances page, find the target ECS instance and click Connect in the Actions column.

    3. In the dialog box that appears, select Workbench and click Sign in now.

    4. Select Terminal as the connection method, enter the required authentication information, and follow the on-screen prompts to log on to the server terminal. For more information, see Log on to an ECS instance using Workbench.

      Note

      If a note to add security group rules appears, click Add Now.

    Servers from other cloud providers

    Use the remote connection feature provided by the cloud provider to log on to the server terminal.

    Non-cloud servers (such as physical servers or IDC-hosted servers)

    Use an SSH tool to log on to the server terminal from your local computer.

    • Windows: In Command Prompt (cmd) or PowerShell, run: ssh username@serverIP. If the ssh command is not supported, you can use third-party software such as PuTTY or WinSCP to connect.

    • macOS/Linux: In the built-in Terminal, run: ssh username@serverIP.

    Some of the following commands vary based on the operating system. Choose the commands that apply to your server's operating system.

    • RHEL/CentOS series: Includes Alibaba Cloud Linux, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Anolis OS, and their derivatives.

    • Debian/Ubuntu series: Includes Debian, Ubuntu, and their derivatives.

    How to identify the operating system series

    Run cat /etc/os-release in the server terminal and check the values of ID_LIKE and ID in the output:

    • If ID_LIKE or ID contains rhel or centos, the operating system belongs to the RHEL/CentOS series.

    • If ID_LIKE or ID contains debian or ubuntu, the operating system belongs to the Debian/Ubuntu series.

  2. Open port 443 in the security group and firewall.

    1. Run the following command in the server terminal to check whether port 443 is open:

      RHEL/CentOS

      command -v nc > /dev/null 2>&1 || sudo yum install -y nc
      # Replace <your_server_public_ip> with the public IP address of your server.
      sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443

      If the output is Ncat: Connected to <your_server_public_ip>:443, port 443 is open. Otherwise, open port 443 in the security group and firewall.

      Debian/Ubuntu

      command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat
      # Replace <your_server_public_ip> with the public IP address of your server.
      sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443

      If the output is Connection to <your_server_public_ip> port [tcp/https] succeeded! or [<your_server_public_ip>] 443 (https) open, port 443 is open. Otherwise, open port 443 in the security group and firewall.

    2. Open port 443 in your security group configuration.

      Important

      If your server is deployed on a cloud platform, make sure that its security group allows inbound traffic on TCP port 443. Otherwise, the service will be inaccessible. The following steps use Alibaba Cloud ECS as an example. For other cloud platforms, refer to their official documentation.

      Go to the Elastic Compute Service (ECS) instances page and click the target instance name to go to the instance details page. For more information, see Add a security group rule to add a rule in the Security Group Details section with Action set to Allow, Protocol to Custom TCP, Destination (Current Instance) to HTTPS (443), and Source to 0.0.0.0/0 (anywhere).

    3. Open port 443 in your firewall.

      Run the following command to identify the active firewall service on your system:

      if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
          echo "firewalld"
      elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then
          echo "ufw"
      elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then
          echo "nftables"
      elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then
          echo "iptables"
      elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then
          echo "iptables"
      else
          echo "none"
      fi

      If the output is none, no further action is required. Otherwise, run the corresponding command below based on the output (firewalld, ufw, nftables, or iptables) to open port 443:

      firewalld

      sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reload

      ufw

      sudo ufw allow 443/tcp

      nftables

      sudo nft add table inet filter 2>/dev/null
      sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null
      sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/null

      iptables

      sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

      To make sure that the iptables rules persist after a system reboot, run the following commands:

      RHEL/CentOS
      sudo yum install -y iptables-services
      sudo service iptables save
      Debian/Ubuntu
      sudo apt-get install -y iptables-persistent
      sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null
  3. Create a directory to store the certificate.

    Go to the GlassFish installation directory (this example uses /home/glassfish4), create a directory named cert, and then navigate into it.

    cd /home/glassfish4
    mkdir cert
    cd cert
  4. Upload the certificate and private key files to the cert directory.

    Note

    You can use the local file upload feature of a remote logon tool to upload files. Examples of such tools include PuTTY, Xshell, or WinSCP. If you use an Alibaba Cloud Elastic Compute Service instance, see Upload or download files for more information.

  5. Convert the certificate from PEM to PKCS12 format.

    GlassFish uses the JKS keystore format, so you must first convert the PEM certificate to PKCS12 format. In the cert directory, run the following command to generate a file named mycert.p12 with the alias set to s1as.

    openssl pkcs12 -export -in domain_name.pem -inkey domain_name.key -out mycert.p12 -name s1as
    Note
    • Replace domain_name.pem and domain_name.key with the actual paths to your certificate and private key files.

    • When prompted, set the export password. We recommend using the default GlassFish keystore (keystore.jks) password, which is changeit, to avoid configuration issues later. If you use a different password, you must synchronize the key entry password in a later step.

  6. Stop the GlassFish service.

    Stop the service before you modify the keystore and configuration:

    /home/glassfish4/glassfish/bin/asadmin stop-domain domain1
  7. Back up the keystore and configuration files.

    To prevent startup failures caused by configuration errors, back up the default GlassFish keystore file keystore.jks and the domain configuration file.

    cp /home/glassfish4/glassfish/domains/domain1/config/keystore.jks /home/glassfish4/glassfish/domains/domain1/config/keystore.jks.bak
    cp /home/glassfish4/glassfish/domains/domain1/config/domain.xml /home/glassfish4/glassfish/domains/domain1/config/domain.xml.bak
  8. Remove the default certificate alias.

    By default, GlassFish uses the s1as alias for SSL communication. Delete this default entry from the keystore so you can replace it with your certificate.

    keytool -delete -alias s1as -keystore /home/glassfish4/glassfish/domains/domain1/config/keystore.jks

    When prompted, enter the keystore.jks password. The default password is changeit.

  9. Import the new certificate into the keystore.

    Import mycert.p12 into the keystore.jks keystore with the alias set to s1as.

    keytool -importkeystore \
      -srckeystore mycert.p12 -srcstoretype PKCS12 \
      -destkeystore /home/glassfish4/glassfish/domains/domain1/config/keystore.jks \
      -deststoretype JKS \
      -alias s1as

    When prompted, enter the following passwords:

    • Destination keystore password: Enter the keystore.jks password (default: changeit).

    • Source keystore password: Enter the export password you set for mycert.p12 in Step 5.

      If the export password for mycert.p12 differs from the keystore.jks password, run the following command to synchronize the key entry password:

      keytool -keypasswd -alias s1as \
        -keystore /home/glassfish4/glassfish/domains/domain1/config/keystore.jks \
        -storepass <keystore.jks_password> \
        -keypass <mycert.p12_export_password> \
        -new <keystore.jks_password>
  10. Update the port configuration.

    Edit /home/glassfish4/glassfish/domains/domain1/config/domain.xml. Find the <network-listeners> section and change the HTTP and HTTPS ports to 80 and 443 as shown below:

    <network-listeners>
      <network-listener protocol="http-listener-1" port="80" name="http-listener-1" thread-pool="http-thread-pool" transport="tcp"></network-listener>
      <network-listener protocol="http-listener-2" port="443" name="http-listener-2" thread-pool="http-thread-pool" transport="tcp"></network-listener>
      <network-listener protocol="admin-listener" port="4848" name="admin-listener" thread-pool="admin-thread-pool" transport="tcp"></network-listener>
     </network-listeners>
  11. Start the GlassFish service.

    cd /home/glassfish4/glassfish/bin
    sudo ./asadmin start-domain domain1

Step 3: Verify the installation

  1. Access your domain over HTTPS in a web browser. For example, https://yourdomain. Replace yourdomain with your actual domain.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.

    image

    Starting from version 117, the image icon in the Chrome address bar has been replaced with a new image icon. Click this icon to view the lock information.

Note

If the issue persists, see the FAQ section for troubleshooting.

FAQ

Why is my certificate not working or HTTPS inaccessible after installation or update?

Common causes include:

Update an installed SSL certificate

Back up the original certificate files (.pem and .key) on your server. Then, log on to the Certificate Management Service console, download the new certificate files, and upload them to the server to overwrite the originals. Make sure the file paths and names remain the same. Finally, restart the GlassFish service for the new certificate to take effect.