This topic describes how to install and configure an SSL certificate on a GlassFish server. It covers downloading and uploading certificate files, configuring the certificate, certificate chain, and private key, and verifying the installation.
This topic uses the default domain1 container in GlassFish 4.1.2-web on Linux as an example. The steps may differ depending on your operating system or GlassFish version.
Before you begin
You have purchased and applied for a certificate in Certificate Management Service, and its Status is Issued. To purchase and apply for a certificate, see Purchase a commercial certificate and Apply for a certificate.
The domain name is correctly resolved to the server.
You have administrative permissions for the server, such as a root account or an account with sudo privileges.
Procedure
Step 1: Download the SSL certificate
Go to the SSL Certificate Management page, find the certificate that you want to deploy, and confirm the following information:
Certificate Status: The status must be Issued. If the status is Pending Expiration or Expired, you must renew the SSL certificate.
Bound Domains: This setting must match all the domain names that you want to protect. Otherwise, a security warning appears when an unmatched domain name is accessed over HTTPS. To add or modify domain names, see Append and replace domain names.
In the Actions column of the target certificate, click More to go to the certificate details page. On the Download tab, download the certificate whose Server Type is Other.
Unzip the downloaded certificate package:
If the package contains a certificate file (.pem) and a private key file (.key), save both files. You will need them for deployment.
If the package contains only a certificate file (.pem) and not a private key file (.key), you must deploy the certificate with the private key file that you saved locally.
NoteIf you used a tool such as OpenSSL or Keytool to generate a Certificate Signing Request (CSR) file when applying for a certificate, the private key file was saved only on your local machine. The downloaded certificate package does not include the private key. If the private key is lost, the certificate is unusable. You must purchase a commercial certificate again and generate a new CSR and private key.
Step 2: Install the certificate on GlassFish
Log on to your Linux server.
Alibaba Cloud server
The following steps use Alibaba Cloud Elastic Compute Service (ECS) as an example. For other types of servers, see the corresponding product documentation.
Log on to the ECS console. In the upper-left corner, select the region where the target ECS instance is located.
In the left navigation pane, select . On the Instances page, find the target ECS instance and click Connect in the Actions column.
In the dialog box that appears, select Workbench and click Sign in now.
Select Terminal as the connection method, enter the required authentication information, and follow the on-screen prompts to log on to the server terminal. For more information, see Log on to an ECS instance using Workbench.
NoteIf a note to add security group rules appears, click Add Now.
Servers from other cloud providers
Use the remote connection feature provided by the cloud provider to log on to the server terminal.
Non-cloud servers (such as physical servers or IDC-hosted servers)
Use an SSH tool to log on to the server terminal from your local computer.
Some of the following commands vary based on the operating system. Choose the commands that apply to your server's operating system.
RHEL/CentOS series: Includes Alibaba Cloud Linux, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Anolis OS, and their derivatives.
Debian/Ubuntu series: Includes Debian, Ubuntu, and their derivatives.
Open port 443 in the security group and firewall.
Run the following command in the server terminal to check whether port 443 is open:
RHEL/CentOS
command -v nc > /dev/null 2>&1 || sudo yum install -y nc # Replace <your_server_public_ip> with the public IP address of your server. sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443If the output is
Ncat: Connected to <your_server_public_ip>:443, port 443 is open. Otherwise, open port 443 in the security group and firewall.Debian/Ubuntu
command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat # Replace <your_server_public_ip> with the public IP address of your server. sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443If the output is
Connection to <your_server_public_ip> port [tcp/https] succeeded!or[<your_server_public_ip>] 443 (https) open, port 443 is open. Otherwise, open port 443 in the security group and firewall.Open port 443 in your security group configuration.
ImportantIf your server is deployed on a cloud platform, make sure that its security group allows inbound traffic on TCP port 443. Otherwise, the service will be inaccessible. The following steps use Alibaba Cloud ECS as an example. For other cloud platforms, refer to their official documentation.
Go to the Elastic Compute Service (ECS) instances page and click the target instance name to go to the instance details page. For more information, see Add a security group rule to add a rule in the Security Group Details section with Action set to Allow, Protocol to Custom TCP, Destination (Current Instance) to HTTPS (443), and Source to 0.0.0.0/0 (anywhere).
Open port 443 in your firewall.
Run the following command to identify the active firewall service on your system:
if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then echo "firewalld" elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then echo "ufw" elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then echo "nftables" elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then echo "iptables" elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then echo "iptables" else echo "none" fiIf the output is
none, no further action is required. Otherwise, run the corresponding command below based on the output (firewalld,ufw,nftables, oriptables) to open port 443:firewalld
sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reloadufw
sudo ufw allow 443/tcpnftables
sudo nft add table inet filter 2>/dev/null sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/nulliptables
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPTTo make sure that the iptables rules persist after a system reboot, run the following commands:
RHEL/CentOS
sudo yum install -y iptables-services sudo service iptables saveDebian/Ubuntu
sudo apt-get install -y iptables-persistent sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null
Create a directory to store the certificate.
Go to the GlassFish installation directory (this example uses
/home/glassfish4), create a directory namedcert, and then navigate into it.cd /home/glassfish4 mkdir cert cd certUpload the certificate and private key files to the
certdirectory.NoteYou can use the local file upload feature of a remote logon tool to upload files. Examples of such tools include PuTTY, Xshell, or WinSCP. If you use an Alibaba Cloud Elastic Compute Service instance, see Upload or download files for more information.
Convert the certificate from PEM to PKCS12 format.
GlassFish uses the JKS keystore format, so you must first convert the PEM certificate to PKCS12 format. In the
certdirectory, run the following command to generate a file namedmycert.p12with the alias set tos1as.openssl pkcs12 -export -in domain_name.pem -inkey domain_name.key -out mycert.p12 -name s1asNoteReplace
domain_name.pemanddomain_name.keywith the actual paths to your certificate and private key files.When prompted, set the export password. We recommend using the default GlassFish keystore (keystore.jks) password, which is
changeit, to avoid configuration issues later. If you use a different password, you must synchronize the key entry password in a later step.
Stop the GlassFish service.
Stop the service before you modify the keystore and configuration:
/home/glassfish4/glassfish/bin/asadmin stop-domain domain1Back up the keystore and configuration files.
To prevent startup failures caused by configuration errors, back up the default GlassFish keystore file
keystore.jksand the domain configuration file.cp /home/glassfish4/glassfish/domains/domain1/config/keystore.jks /home/glassfish4/glassfish/domains/domain1/config/keystore.jks.bak cp /home/glassfish4/glassfish/domains/domain1/config/domain.xml /home/glassfish4/glassfish/domains/domain1/config/domain.xml.bakRemove the default certificate alias.
By default, GlassFish uses the
s1asalias for SSL communication. Delete this default entry from the keystore so you can replace it with your certificate.keytool -delete -alias s1as -keystore /home/glassfish4/glassfish/domains/domain1/config/keystore.jksWhen prompted, enter the keystore.jks password. The default password is
changeit.Import the new certificate into the keystore.
Import
mycert.p12into thekeystore.jkskeystore with the alias set tos1as.keytool -importkeystore \ -srckeystore mycert.p12 -srcstoretype PKCS12 \ -destkeystore /home/glassfish4/glassfish/domains/domain1/config/keystore.jks \ -deststoretype JKS \ -alias s1asWhen prompted, enter the following passwords:
Destination keystore password: Enter the
keystore.jkspassword (default:changeit).Source keystore password: Enter the export password you set for
mycert.p12in Step 5.If the export password for
mycert.p12differs from thekeystore.jkspassword, run the following command to synchronize the key entry password:keytool -keypasswd -alias s1as \ -keystore /home/glassfish4/glassfish/domains/domain1/config/keystore.jks \ -storepass <keystore.jks_password> \ -keypass <mycert.p12_export_password> \ -new <keystore.jks_password>
Update the port configuration.
Edit
/home/glassfish4/glassfish/domains/domain1/config/domain.xml. Find the<network-listeners>section and change the HTTP and HTTPS ports to 80 and 443 as shown below:<network-listeners> <network-listener protocol="http-listener-1" port="80" name="http-listener-1" thread-pool="http-thread-pool" transport="tcp"></network-listener> <network-listener protocol="http-listener-2" port="443" name="http-listener-2" thread-pool="http-thread-pool" transport="tcp"></network-listener> <network-listener protocol="admin-listener" port="4848" name="admin-listener" thread-pool="admin-thread-pool" transport="tcp"></network-listener> </network-listeners>Start the GlassFish service.
cd /home/glassfish4/glassfish/bin sudo ./asadmin start-domain domain1
Step 3: Verify the installation
Access your domain over HTTPS in a web browser. For example,
https://yourdomain. Replaceyourdomainwith your actual domain.If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.

Starting from version 117, the
icon in the Chrome address bar has been replaced with a new
icon. Click this icon to view the lock information.
If the issue persists, see the FAQ section for troubleshooting.
FAQ
Why is my certificate not working or HTTPS inaccessible after installation or update?
Common causes include:
Port 443 is not open in the security group or firewall. See Open port 443 in the security group and firewall.
The certificate's Bound Domains does not include the domain you are accessing. See Verify that the certificate matches the target domains.
The GlassFish service was not restarted after you modified the configuration. To restart the service, see Start the GlassFish service.
The certificate files were not replaced correctly, or the certificate path in the GlassFish configuration is incorrect. Verify that your certificate configuration and files are current and valid.
Missing certificate on other services: If your domain uses services such as a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must also be installed on those services. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services to complete the setup.
Incomplete deployment on multiple servers: If your domain's DNS resolves to multiple servers, the certificate must be installed on all of them.
For further troubleshooting, see Resolve certificate deployment issues based on browser error messages and SSL certificate deployment troubleshooting guide.
Update an installed SSL certificate
Back up the original certificate files (.pem and .key) on your server. Then, log on to the Certificate Management Service console, download the new certificate files, and upload them to the server to overwrite the originals. Make sure the file paths and names remain the same. Finally, restart the GlassFish service for the new certificate to take effect.