GlassFish uses Java JKS keystores for storing keys and certificates.
Out of the box, the keystore and the truststore (cacerts.jks) reside in the
domain's configuration directory. Even though cacerts.jks holds several CA root
certificates, the keystore holds only one private key.
GlassFish supports the use of multiple private keys in a given domain. For
instance, you may have two https listeners with different server private keys.
This is useful when different clients need different key types: in a given
domain, one https listener can use an RSA key for ordinary browsers and another
https listener can use an EC key for PDAs.
In this blog, we discuss the configuration when there are multiple private keys
in a given domain of GlassFish. In that case one needs to tell the server which
private key / certificate to use for SSL communication. If it is not specified,
the server picks one of the keys itself, which may not be the one you want.
Since one wants to be precise in a security configuration, one should specify
the certificate nickname (the keystore alias) so that the correct key is picked up.
There are two kinds of certificate nicknames: inbound and outbound.
Inbound Certificate Nickname
One needs to specify the inbound certificate nickname for a given listener in
domain.xml. For instance, in an http listener it is carried by the <ssl> element
nested inside the listener:
<http-listener ... security-enabled="true" ...>
  <ssl cert-nickname="s1as" ... />
</http-listener>
Instead of hand-crafting domain.xml, it is a good idea to use the Admin Console:
Configuration > HTTP Services > Http listeners > http-listener-2, SSL tab, and
enter the alias you want in the "Certificate Nickname" textbox. The value must
match an alias that actually exists in the keystore.
Then restart the domain (if the certificate nickname changed) in order to
activate the change. The same applies to iiop listeners.
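As an added example (not code from the original post or from GlassFish), the following Python script audits a domain.xml for security-enabled http and iiop listeners that have no explicit cert-nickname, and cross-checks every nickname that is set against the private-key aliases reported by keytool -list on the keystore. The domain.xml fragment and the keytool output embedded in it are constructed samples, and the function names are this example's own.

```python
"""Audit GlassFish listeners for missing or dangling cert-nickname values.

Added example, not part of the original post. DOMAIN_XML and KEYTOOL_LIST are
constructed samples; key_aliases / secure_listeners / audit are this example's names.
"""
import re
import xml.etree.ElementTree as ET

# Constructed domain.xml fragment (v2 layout: <ssl> nested inside the listener).
DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <http-service>
        <http-listener id="http-listener-1" port="8080" security-enabled="false" enabled="true"/>
        <http-listener id="http-listener-2" port="8181" security-enabled="true" enabled="true">
          <ssl cert-nickname="s1as" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"/>
        </http-listener>
        <http-listener id="http-listener-3" port="8282" security-enabled="true" enabled="true">
          <ssl cert-nickname="pda-ec" ssl3-enabled="true" tls-enabled="true"/>
        </http-listener>
        <http-listener id="http-listener-4" port="8383" security-enabled="true" enabled="true">
          <ssl ssl3-enabled="true" tls-enabled="true"/>
        </http-listener>
      </http-service>
      <iiop-service>
        <iiop-listener id="SSL" port="3820" security-enabled="true" enabled="true">
          <ssl cert-nickname="S1AS"/>
        </iiop-listener>
        <iiop-listener id="SSL_MUTUALAUTH" port="3920" security-enabled="true" enabled="true">
          <ssl cert-nickname="s1as-2" client-auth-enabled="true"/>
        </iiop-listener>
      </iiop-service>
    </config>
  </configs>
</domain>
"""

# Constructed output of `keytool -list -keystore keystore.jks` for a keystore
# holding the default RSA key (s1as) and an added EC key (pda-ec).
KEYTOOL_LIST = """Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

s1as, Oct 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
pda-ec, Oct 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11
"""

LISTENER_TAGS = ("http-listener", "iiop-listener")


def key_aliases(keytool_output):
    """Return the lowercased aliases of private-key entries in keytool -list output.

    Newer JDKs print PrivateKeyEntry, older ones keyEntry; trusted-cert entries
    (trustedCertEntry) are skipped because they cannot serve as a server key.
    JKS aliases are case-insensitive, hence the lowercasing.
    """
    aliases = set()
    for line in keytool_output.splitlines():
        m = re.match(r"^(?P<alias>[^,]+),.*\b(PrivateKeyEntry|keyEntry)\b", line)
        if m:
            aliases.add(m.group("alias").strip().lower())
    return aliases


def secure_listeners(domain_xml):
    """Yield (config name, tag, listener id, cert-nickname or None) for every
    http/iiop listener that has security-enabled="true"."""
    root = ET.fromstring(domain_xml)
    for config in root.iter("config"):
        for tag in LISTENER_TAGS:
            for listener in config.iter(tag):
                if listener.get("security-enabled", "false").lower() != "true":
                    continue
                ssl = listener.find("ssl")
                nickname = ssl.get("cert-nickname") if ssl is not None else None
                yield config.get("name"), tag, listener.get("id"), nickname


def audit(domain_xml, keytool_output):
    """Return a list of (listener path, problem) findings."""
    aliases = key_aliases(keytool_output)
    findings = []
    for config, tag, lid, nick in secure_listeners(domain_xml):
        where = f"{config}/{tag}[{lid}]"
        if not nick:
            findings.append((where, "no cert-nickname set: the server will pick a key itself"))
        elif nick.lower() not in aliases:
            findings.append((where, f"cert-nickname '{nick}' is not a private-key alias in the keystore"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(DOMAIN_XML, KEYTOOL_LIST):
        print(f"{where}: {problem}")
```

Against a real domain, read domain.xml and the captured keytool -list output from files in place of the embedded strings. Aliases are compared in lowercase because JKS keystores treat aliases case-insensitively, so the "S1AS" nickname on the iiop listener above is accepted, while the listener with no nickname and the one naming an alias the keystore does not contain are reported.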
Https Outbound Certificate Nickname
GlassFish also supports https outbound connections from the server, that is,
the server acting as an https client. A private key / certificate is used for
https outbound mutual authentication, when the remote server requires GlassFish
to present a client certificate. In this case, the https outbound certificate
nickname can be specified as a JVM option.
One can set it through the Admin Console as follows: Application Server > JVM
Settings > JVM Options, click "Add JVM Option" and enter the JVM option in the
new textbox. Then restart the server in order to activate the change.