This page describes the steps for setting up SSL on a GlassFish server. The SSL Certificate used is a GoDaddy certificate. If you are using a different CA then the steps should be similar.

These steps apply to GlassFish 2 and GlassFish 3.

Preliminary Steps:

  • Back up the directory: <glassfish_install>\domains\domain1\config
  • Stop the GlassFish server

The following fields will change based on your installation. For this example, we are using:

  • CSR file name: mywebsite.csr
  • dname: information about your server install, where cn=<fully qualified domain name>
  • certificate file:
  • keystore file: mycompanystore.jks

Note: These variables will be displayed in red bold in the following steps. Be sure to change the values based on your server environment.


Open an MS-DOS window (Run As Administrator)

cd <glassfish_install>\domains\domain1\config

Step 1:  Generate key

keytool -genkey -dname "cn=<fully qualified domain name>, ou=My Company Name, o=My Company Name, L=Philadelphia, ST=PA, C=US" -keyalg RSA -keysize 2048 -alias mykey -keypass changeit -keystore mycompanystore.jks -storepass changeit -validity 365

Step 2:  Generate CSR file

keytool -certreq -alias mykey -keypass changeit -keystore mycompanystore.jks -storepass changeit -file mywebsite.csr

Email the file “mywebsite.csr” to the Certificate Authority (CA). The CA will eventually send you an email to download the certificates. You’ll use those in step 3.

Step 3:  Download the GoDaddy certificate zip file

The zip file includes:

  • gd_bundle.crt

Unzip the zip file. Copy these files to <glassfish_install>\domains\domain1\config

Import Go Daddy root certificate

keytool -import -trustcacerts -alias root -file gd_bundle.crt -keystore mycompanystore.jks -keypass changeit -storepass changeit

Step 4: Import your domain certificate

keytool -import -trustcacerts -alias mykey -file <certificate file> -keystore mycompanystore.jks -keypass changeit -storepass changeit

Step 5:  Change the server config to point to the new mycompanystore.jks file.

Edit the file <glassfish_install>\domains\domain1\config\domain.xml


Step 6:  Change the server config to use new SSL nickname.

Perform a global replace of “s1as” with “mykey”. “mykey” is the alias you used in the previous steps.
<ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
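
A scripted version of Step 6, as an added example that is not part of the original page: it performs the same global replace, confirms the result is still well-formed XML, and lists any <ssl> element that still names another alias or has ssl2-enabled or ssl3-enabled set to true. The sample XML is constructed, and the function names are this example's own.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed sample: two listeners carrying the <ssl> line shown in Step 6.
# The surrounding element names and ids are illustrative, not a full domain.xml.
_SSL = ('<ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" '
        'ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>')
SAMPLE_DOMAIN_XML = (
    '<domain><config name="server-config">\n'
    '  <http-listener id="http-listener-2" port="8181">' + _SSL + '</http-listener>\n'
    '  <iiop-listener id="SSL">' + _SSL + '</iiop-listener>\n'
    '</config></domain>\n')


def switch_alias(xml_text, old="s1as", new="mykey"):
    """Step 6's global replace; returns (updated_text, replacements_made)."""
    return xml_text.replace(old, new), xml_text.count(old)


def audit_ssl(xml_text, expected="mykey"):
    """List <ssl> elements that still need attention after the edit.

    ET.fromstring raises ParseError if the text is no longer well-formed XML.
    """
    findings = []
    for ssl in ET.fromstring(xml_text).iter("ssl"):
        if ssl.get("cert-nickname") != expected:
            findings.append(("wrong-alias", ssl.get("cert-nickname")))
        # SSLv2 and SSLv3 are deprecated protocols (RFC 6176, RFC 7568).
        for attr in ("ssl2-enabled", "ssl3-enabled"):
            if ssl.get(attr) == "true":
                findings.append(("legacy-protocol", attr))
    return findings


def update_domain_xml(path, old="s1as", new="mykey"):
    """Rewrite domain.xml in place, keeping the original as <path>.bak."""
    with open(path, encoding="utf-8", newline="") as fh:
        original = fh.read()
    updated, count = switch_alias(original, old, new)
    findings = audit_ssl(updated, new)  # parse before touching the file
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(updated)
    return count, findings


if __name__ == "__main__":
    text, n = switch_alias(SAMPLE_DOMAIN_XML)
    print(n, "replacements;", audit_ssl(text))
```

Run update_domain_xml against domain.xml while the server is stopped; any "legacy-protocol" finding points at an attribute on the <ssl> line that can be set to "false" before the restart in Step 7.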

Step 7: Restart the GlassFish server

Step 8: Visit the SSL URL in your browser


By default, the GlassFish SSL port is 8181. If you’d like, you can change it to port 443, which is the browser default for the secure https:// protocol.