Multiple Private Keys in a GlassFish domain
By Shing Wai Chan on Apr 06, 2007
GlassFish uses Java JKS for storing keys and certificates. Out of the box, the keyStore and the trustStore (cacerts.jks) reside in the domain's config directory. Even though there are several CA root certificates in cacerts.jks, there is only one private key in the keyStore.
GlassFish supports the use of multiple private keys in a given domain. For instance, you may have two https listeners with different server private keys. This is a very useful scenario, especially when one has an EC key: in a given domain, we can have one https listener using an RSA key for normal browsers and one https listener using an EC key for PDAs.
In this blog, we will discuss the configuration when there are multiple private keys in a given domain of GlassFish. In this case, one needs to specify which private key / certificate is to be used for SSL communication. If the information is not specified, the server will pick one, which may not be the desired one. Since one wants to be precise in a security environment, one should specify the corresponding certificate nickname so that the correct key is picked.
There are two kinds of certificate nicknames: inbound and https outbound.
Inbound Certificate Nickname
One needs to specify the inbound certificate nickname for a given listener in domain.xml. For instance, in an http listener the ssl element is nested inside the listener, as follows:
    <http-listener ... security-enabled="true" ... >
        <ssl cert-nickname="s1as" ... />
    </http-listener>
Instead of hand-crafting domain.xml, it would be a good idea to use the Admin Console as follows:
Configuration > HTTP Services > Http listeners > http-listener-2, SSL tab, and enter the valid alias value you want in the "Certificate Nickname" textbox.
Then one needs to restart the given domain (if there is a change of certificate nickname) in order to activate the change.
The same applies to iiop listeners.
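To make the point of the inbound section concrete, here is an added example (not code from the original post or from GlassFish) that shows what happens when a JKS keystore holds more than one private key. With no nickname configured, the default JSSE key manager answers chooseServerAlias with whichever entry it finds first for the requested key type; the PinnedAliasKeyManager wrapper below plays the role of cert-nickname and answers only with the configured alias, refusing a mismatched key type instead of silently falling back. The keystore path, the aliases s1as and pda, and the password changeit are assumptions for the demo; the keytool commands in the header comment create a matching keystore with one RSA and one EC private key.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/*
 * Added demo, not GlassFish code. Assumed keystore (create it with keytool first):
 *   keytool -genkeypair -alias s1as -keyalg RSA -keysize 2048 -dname CN=browser.example \
 *           -keystore keystore.jks -storepass changeit -keypass changeit
 *   keytool -genkeypair -alias pda  -keyalg EC  -keysize 256  -dname CN=pda.example \
 *           -keystore keystore.jks -storepass changeit -keypass changeit
 * Run:  java PinnedAliasKeyManager keystore.jks pda
 */
public class PinnedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    public PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
        // Fail early if the configured nickname does not name a private key.
        if (delegate.getPrivateKey(alias) == null) {
            throw new IllegalArgumentException("no private key under nickname '" + alias + "'");
        }
        this.delegate = delegate;
        this.alias = alias;
    }

    // The server-side choice is the only one overridden: answer with the configured
    // nickname when its key algorithm matches what the handshake asks for, else null.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return keyType.equals(delegate.getPrivateKey(alias).getAlgorithm()) ? alias : null;
    }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** Lists every private-key entry, i.e. every candidate nickname, in the keystore. */
    public static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) out.add(a);
        }
        Collections.sort(out);
        return out;
    }

    /** The stock JSSE key manager, which picks an entry on its own when nothing is pinned. */
    public static X509KeyManager defaultManager(KeyStore ks, char[] keyPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        }
        throw new IllegalStateException("no X509KeyManager available");
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "keystore.jks";   // assumed location
        String nickname = args.length > 1 ? args[1] : "s1as";        // assumed nickname
        char[] pass = "changeit".toCharArray();                      // assumed password

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        System.out.println("private keys in " + path + ": " + privateKeyAliases(ks));

        // Unpinned: the manager decides by key type and entry order, not by policy.
        X509KeyManager dflt = defaultManager(ks, pass);
        System.out.println("default choice for RSA: " + dflt.chooseServerAlias("RSA", null, null));
        System.out.println("default choice for EC : " + dflt.chooseServerAlias("EC", null, null));

        // Pinned: the listener always presents the certificate under the configured nickname.
        X509KeyManager pinned = new PinnedAliasKeyManager(dflt, nickname);
        String alg = pinned.getPrivateKey(nickname).getAlgorithm();
        System.out.println("pinned choice for " + alg + ": " + pinned.chooseServerAlias(alg, null, null));
        X509Certificate leaf = pinned.getCertificateChain(nickname)[0];
        System.out.println("presented subject: " + leaf.getSubjectX500Principal());
    }
}
```

Running it against the two-key keystore prints a different default choice for "RSA" and "EC", which is exactly the ambiguity the cert-nickname setting removes; a nickname that is misspelled or points at a trusted-certificate entry rather than a key entry is rejected in the constructor, which is the check worth making before editing domain.xml.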
Https Outbound Certificate Nickname
GlassFish also supports https outbound connections from the server. A private key / certificate is used for https outbound mutual authentication. In this case, the https outbound certificate nickname is specified through a JVM option.
One can achieve this through the Admin Console as follows:
Application Server > JVM Settings > JVM Options > Add JVM Option, and enter that JVM option in the new textbox. Then one needs to restart the server in order to activate this change.