Importing OpenSSL certificate/key pairs into Java keystores

My day job ran into a situation where we were acquiring an SSL certificate (using the openssl(1) tools), which would be used by a third party in a Glassfish installation. Until recently, that required various hacks to convert the PKCS#10 key/cert files into something keytool(1) could manage, but no more: as of Java 6, keytool(1) can handle PKCS#12 files, which makes it much easier to deal with this.

I’ve left a few variables in the commands below, which you’ll need to replace with the actual paths and values:

  • GLASSFISH_HOME should be replaced with the root directory of your Glassfish installation. In my case, that’s /opt/glassfish3, but your environment is probably different.
  • GLASSFISH_DOMAIN should be replaced with the name of the Glassfish domain you’re configuring. That might be domain1, or if you’ve created your own domain with asadmin create-domain, use the name you used then.
  • KEY_ALIAS should be replaced with some meaningful name for the SSL certificate pair. I used https-www.example.com, but you can use anything you like other than the two aliases used by Glassfish internally.

You will need the Java 6 tools installed, including keytool, as well as the asadmin command set up to manage your domain. You will also need write access to the keystore.jks file stored in the domain’s config directory.

The domain should be stopped while you modify its keystore. If the domain is running, restart the domain in step three rather than starting the domain.

Step one: convert the key/cert pair into a single PKCS#12 keystore

openssl pkcs12 -export \
	-in www.example.com.cert \
	-inkey www.example.com.key \
	-out https-certificates.pkcs12

The openssl command will prompt for a password to use when creating the new PKCS#12 keystore. This is not optional, but since we only need this keystore temporarily, setting it to an unsafe password like “password” is fine. Just be careful to delete the temporary keystore securely afterwards, since it holds the private key.

Step two: import the key/cert pair from the PKCS#12 keystore into Glassfish’s JKS keystore

keytool -importkeystore \
	-srckeystore https-certificates.pkcs12 \
	-srcstoretype PKCS12 \
	-srcstorepass password \
	-deststorepass changeit \
	-destkeypass changeit \
	-destkeystore $GLASSFISH_HOME/glassfish/domains/$GLASSFISH_DOMAIN/config/keystore.jks \
	-srcalias 1 \
	-destalias $KEY_ALIAS

(If you changed your Glassfish master password, you may need to change -deststorepass and -destkeypass to match. If you used a different password when creating the PKCS#12 keystore above, change -srcstorepass appropriately.)

Step three: configure Glassfish

By default, Glassfish sets up a network listener called http-listener-2 to handle HTTPS connections on port 8181. We’ll need to tell it to use the new key/cert pair:

asadmin start-domain $GLASSFISH_DOMAIN
asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=$KEY_ALIAS

At this point, you should be able to point a browser at https://your-glassfish-server:8181/ and be served the new certificate.
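The three steps above wrapped as shell functions, plus a check the post does not include: after the import, the certificate is read back out of the keystore and its SHA-256 fingerprint compared with the OpenSSL-side file, so a wrong alias or a stale keystore shows up before the domain is restarted. This is an added example, not the post's own commands; the function names, the P12_PASS/JKS_PASS environment variables and the use of keytool's :env password modifiers (which keep passwords out of the process argument list) are this example's assumptions, and it assumes openssl(1) and keytool(1) are on PATH.

```shell
#!/bin/sh
# Added example: the post's openssl/keytool steps as functions with a
# fingerprint check. Passwords come from the environment variables
# P12_PASS (temporary PKCS#12 file) and JKS_PASS (Glassfish keystore,
# "changeit" unless the master password was changed).
set -eu

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...:EF".
cert_fingerprint() {  # cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step one: bundle key and cert into a PKCS#12 file. The bundle
# password is read from $P12_PASS instead of an interactive prompt.
make_pkcs12() {  # cert.pem key.pem out.p12
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS
}

# Step two: import the single entry (openssl names it "1") into the
# domain's keystore under the chosen alias.
import_into_jks() {  # bundle.p12 keystore.jks alias
  keytool -importkeystore \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
    -destkeystore "$2" -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS \
    -srcalias 1 -destalias "$3" -noprompt
}

# SHA-256 fingerprint of the certificate stored under an alias.
jks_fingerprint() {  # keystore.jks alias
  keytool -exportcert -rfc -keystore "$1" -storepass:env JKS_PASS -alias "$2" \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 only when the keystore alias carries exactly the certificate
# that was exported from openssl; run this before step three.
verify_import() {  # cert.pem keystore.jks alias
  [ "$(cert_fingerprint "$1")" = "$(jks_fingerprint "$2" "$3")" ]
}
```

Typical use: export P12_PASS and JKS_PASS, call make_pkcs12, import_into_jks and verify_import with the post's paths, then shred the .p12 file.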

2 Comments

  • By David Dossot, January 18, 2012 @ 2:55 pm

    For good or bad, I’ve grown an allergy to configuring certificates in JKS. Nowadays I prefer to have Nginx do the SSL termination for me (I know it’s not the fastest for that job) because I prefer to deal with certificates at OS level, not app level.

  • By Owen, January 18, 2012 @ 3:28 pm

    You’re ahead of me, I still have Apache do the termination. This was for some contractors who wanted to let Glassfish serve directly; the alternative was teaching them to configure an httpd frontend of some sort and frankly, not my problem. :)
