
  • Sun
    April 6, 2007

Multiple Private Keys in a GlassFish domain

GlassFish uses Java JKS for storing keys and certificates.
Out of the box, the keyStore (keystore.jks) and
the trustStore (cacerts.jks) reside in
Even though there are several CA root certificates in
cacerts.jks, there is only one private key in

GlassFish supports the use of multiple private keys in a given
domain. For instance, you may have two https listeners with
different server private keys. This is a very useful scenario,
especially when one has
EC key.
So, in a given domain, we can have one https listener using
an RSA key for normal browsers and one https listener using an EC
key for PDAs.

In this blog, we will discuss the configuration when
there are multiple private keys in a given domain of GlassFish.
In this case, one needs to specify the private key / certificate
to be used for SSL communication. If it is not specified,
the server picks one itself, which may not be the one intended.
To be precise about which key is used, specify the corresponding
certificate nickname so that the correct key is picked up.

There are two kinds of certificate nicknames: inbound and
https outbound.

Inbound Certificate Nickname

One needs to specify the inbound cert-nickname
for a given listener in domain.xml. For instance,
for an http listener, it is as follows:

    <http-listener ... security-enabled="true" ... >
      <ssl cert-nickname="s1as" ... />
    </http-listener>


Instead of hand-crafting domain.xml, it is a good idea
to use the Admin Console as follows:
Configuration > HTTP Services > Http listeners > http-listener-2,
then choose the SSL tab and enter the valid alias value you
want in the "Certificate Nickname" textbox.
If the certificate nickname has changed, one then needs to restart
the given domain in order to activate the change.

The same applies to iiop listeners.
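
The inbound setting described above can be checked mechanically. The following Python script is an added example, not GlassFish code and not from the original post: it scans a domain.xml for security-enabled http and iiop listeners that have no cert-nickname, or whose nickname is not among the private-key aliases passed in. The sample XML, the `id` attribute, the `iiop-listener` element name and the `ec-key` alias are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real domain.xml: only the attributes the post
# mentions plus an assumed "id" attribute to name each listener.
SAMPLE_DOMAIN_XML = """\
<domain>
  <http-listener id="http-listener-1" security-enabled="false"/>
  <http-listener id="http-listener-2" security-enabled="true">
    <ssl cert-nickname="s1as"/>
  </http-listener>
  <http-listener id="http-listener-3" security-enabled="true">
    <ssl/>
  </http-listener>
  <iiop-listener id="SSL" security-enabled="true">
    <ssl cert-nickname="ec-key"/>
  </iiop-listener>
</domain>
"""

LISTENER_TAGS = ("http-listener", "iiop-listener")


def audit_cert_nicknames(domain_xml, key_aliases):
    """Return (listener id, problem) pairs for SSL listeners whose key choice
    is left to the server or names an alias missing from the keystore."""
    known = {a.lower() for a in key_aliases}  # JKS aliases are case-insensitive
    findings = []
    root = ET.fromstring(domain_xml)
    for tag in LISTENER_TAGS:
        for listener in root.iter(tag):
            if listener.get("security-enabled", "false").lower() != "true":
                continue  # plain listener, no key is selected
            name = listener.get("id", "<no id>")
            ssl = listener.find("ssl")
            nickname = (ssl.get("cert-nickname") if ssl is not None else None) or ""
            if not nickname.strip():
                findings.append((name, "no cert-nickname: server picks a key"))
            elif nickname.strip().lower() not in known:
                findings.append((name, f"unknown alias '{nickname.strip()}'"))
    return findings


if __name__ == "__main__":
    # Aliases of private-key entries, e.g. as listed by `keytool -list`.
    for name, problem in audit_cert_nicknames(SAMPLE_DOMAIN_XML, ["s1as"]):
        print(f"{name}: {problem}")
```
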

Https Outbound Certificate Nickname

GlassFish also supports https outbound connections from the server.
A private key / certificate is used for https outbound mutual
SSL authentication.
In this case, we can specify the https outbound certificate
nickname as a jvm-options entry in domain.xml:


One can achieve this through the Admin Console as follows:
Application Server > JVM Settings > JVM Options >
Add JVM option, and enter the above jvm option in the
new textbox. Then one needs to restart the server in order to
activate this change.


Comments ( 4 )
  • Cedar Milazzo Thursday, April 26, 2007
    Hello, I'm trying to debug an SSL application running on Glassfish. To do this, I need to look at the actual HTTPS traffic using ssldump. ssldump has an option to decrypt the traffic if you give it the private key. Where would I find the private key for the glassfish server? (I'm using the default keystore and certificates right now)
  • Shing Wai Chan Thursday, April 26, 2007
    The default private key with alias s1as is in domains/domain1/config/keystore.jks
  • Jan Tuesday, September 16, 2008


    I tried your hint with the httpsOutboundKeyAlias. I'm actually trying to use it for mutual SSL auth at an LDAP server. But it is not working. It just picks the "first" entry in the keystore (in order of -list), not the mentioned alias. Does that depend on the specific LDAP connection? Do you know another way to use another private key?


  • Darko Tuesday, November 17, 2009

    You save my day :). We were trying to solve a problem with multiple certificates in one keystore for 2 days, and finally we did it. Thanks a lot... You are my men :)
