sslglassfishkeystoreself-signed-certificateglassfish-5

Create a self signed certificate for localhost and import it in Glassfish


I am developing a REST server that runs with Jersey on Glassfish, and I want to make it run on HTTPS on localhost.

I have found many tutorials for generating a CA cert, others for generating .cer / .crt / .key / .csr / ... files, others for generating a jks keystore.

But they do not answer my (very basic) question: how to generate a self signed certificate and use it in my app that runs on Glassfish, on localhost? From scratch to the integration for a real usage, without any prerequiresite having a crt, a jks or any other file.

(For information I use Linux)

Thanks

EDIT: I have finally created a certificate with the following commands

openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
openssl pkcs12 -export -name localhostServerCert -in localhost.crt -inkey localhost.key -out localhostP12Keystore.p12
keytool -importkeystore -destkeystore localhostKeystore.jks -srckeystore localhostP12Keystore.p12 -srcstoretype pkcs12 -alias localhostServerCert
copy localhostKeystore.jks into /glassfish/domains/domain1/config
keytool -importkeystore -srckeystore localhostKeystore.jks -destkeystore keystore.jks

And I have modified http-listener-2 in the admin console with certificate nickname localhostServerCert, but I got an error page on https://localhost:8181 (ERR_CONNECTION_REFUSED)

EDIT 2 : I think there should be a problem with the certificate, since openssl s_client -showcerts -connect localhost:8181 returns no peer certificate available, No client certificate CA names sent


Solution

  • COMMON GOALS

    It can be useful to run with SSL locally, and I like to start with real world URLs. This can also help you to think ahead to your production deployment design, which often involves a Private PKI these days, based on a self issued Root CA.

    Web and API domains can sometimes be related these days, eg if an API issues secure cookies for the web origin. So for localhost development I first define URLs such as these:

    DEVELOPER SETUP

    Then add entries such as this to my hosts file:

    127.0.0.1 localhost web.mycompany.com api.mycompany.com
    :1        localhost
    

    Then, in terms of certificates, I produce these deployable files:

    Certificate Filename Usage
    Root CA mycompany.ca.pem The root certificate authority that is trusted by the Java runtime
    Wildcard Certificate mycompany.ssl.p12 A password protected PKCS12 file deployed with the API

    My Development Certificates Repository has an example of how to issue the certs using openssl, including a bash script you can use for your own domains. Essentially this is a Private PKI for a development computer.

    CONFIGURING TRUST

    You then just need to trust the Root CA in the Java runtime used by Glassfish. Personally I tend to avoid JKS files where possible, since they are specific to Java, whereas PKCS12 files are a more portable concept:

    sudo "$JAVA_HOME/bin/keytool" -import -alias mycompanyroot -cacerts -file ~/Desktop/mycompany.ca.pem -storepass changeit -noprompt
    

    FURTHER DEVELOPER SETUP INFO

    These resources on a portable way to manage SSL development certs are provided below, which completes the architecture work:

    System.setProperty(
      "server.ssl.key-store", 
      configuration.getApi().getSslCertificateFileName());
    
    System.setProperty(
      "server.ssl.key-store-password",
      configuration.getApi().getSslCertificatePassword());
    

    GLASSFISH

    If Glassfish based setups mean the API itself does not load the PKCS12 file, then there may be a specific task to import the PKCS12 file. Many systems provide a GUI or API option for loading a PKCS12 file into a keystore. This may result in a command like this being run, which you can do manually if needed:

    keytool -importkeystore -srckeystore mycompany.ssl.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -v