>From: owner-openssl-us...@openssl.org On Behalf Of Gloria Binette
>Sent: Tuesday, 25 September, 2012 07:42
>
>I have been tasked with using OpenSSL to create certificates and
>then use them with Glassfish. I have created the CA, CSRs and CRTs,
>have tried various ways to import them into glassfish's keystore.jks,
>have tried creating a new javakeystore. Have read many tutorials and
>forum comments, but have yet to have success. Does anyone have a
>tutorial specific to doing this or could offer some advice?
I don't use Glassfish, but a Java keystore used for "standard" Java (JSSE) should all be the same. I've seen tools advertised for this, but you (I) can do it with the JRE-standard keytool.

1. With openssl, create the private key and corresponding cert (via CSR and CA, or otherwise), in PEM format (which is the default for most openssl command-line operations; otherwise convert).

2. With openssl, put private key + cert and maybe chain into a pkcs12 using

   openssl pkcs12 -export ... -out $p12file

   If you keep private key + cert in one file, which some people do, use that as -in or stdin; or on Unixy systems cat them and pipe as stdin. Otherwise use -in certfile -inkey keyfile . Either way, if you created a multi-level CA hierarchy, include all chain certs (above the entity cert and below the root) using -certfile. You can include the root if you like, such as for documentation, but it's not needed; the client(s) using the server must have their own local copy of the root.

   Caveat: don't use an empty passphrase for the pkcs12; keytool doesn't handle that correctly.

3. With keytool, convert the pkcs12 into a jks:

   keytool -importkeystore -srckeystore $p12file -srcstoretype pkcs12 -destkeystore $jksfile

   I don't know if Glassfish cares about the alias(es) for its keystore entries; the default keymanager for JSSE doesn't. If it does, you can specify the desired alias in step 2 with -alias, or change the default in step 3 with -srcalias 1 -destalias $whatever . Or you can change it in the jks later/anytime with keytool.

4. Optional: use keytool -list -v to check the result is correct.

5. Maybe: for many Java apps you must start or restart the app (sometimes the whole JVM, sometimes not) after putting in a new keystore. I have no clue for Glassfish, although "enterprise" stuff often tries to be clever about this and sometimes succeeds.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
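The openssl pkcs12 -> keytool -importkeystore procedure from the reply above, as an added example that is not part of the thread. The test CA, server cert, alias and the "changeit" passphrase are constructed for the demo; the functions take your own PEM key, cert and chain in practice.

```shell
# Added example (not from the thread): the PKCS#12 -> JKS steps as shell functions.

# Step 1 stand-in: a throwaway self-signed test CA and a CA-signed server key/cert
# in PEM, generated in $1 so the script runs offline (use your real CSR/CA instead).
make_test_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Constructed Test CA" -days 2 >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=server.example.test" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/server.crt" -days 2 >/dev/null 2>&1
}

# Step 2: private key (-inkey) + entity cert (-in) + chain certs (-certfile) into one
# PKCS#12. openssl's -name sets the friendly name, which keytool reports as the
# alias. An empty passphrase is refused up front because of the keytool caveat.
make_p12() {
  key=$1; cert=$2; chain=$3; alias=$4; pass=$5; out=$6
  [ -n "$pass" ] || { echo "refusing empty PKCS#12 passphrase" >&2; return 1; }
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
    -name "$alias" -passout "pass:$pass" -out "$out"
}

# Step 3: PKCS#12 -> JKS with the JRE keytool. Returns 2 when no keytool is installed.
p12_to_jks() {
  p12=$1; pass=$2; jks=$3
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
  keytool -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 \
    -srcstorepass "$pass" -destkeystore "$jks" -deststoretype jks \
    -deststorepass "$pass" -noprompt
}

# Step 4 check using openssl alone: print the subject of the entity cert stored in
# the PKCS#12 (keytool -list -v on the JKS shows the same thing after step 3).
p12_entity_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}
```

With OpenSSL 3 the PKCS#12 is encrypted with AES/PBKDF2 by default; a keytool older than Java 8u301 / 11.0.12 cannot read that and needs the file exported with the additional -legacy option.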