Self signed certificate not working on GlassFish server 4.0

I've created a self signed certificate and added it to keystore.jks, but once configured in the http-listener-2 via admin console it does not work. Default "s1as" certificate works properly btw.

Server information:

Install directory: C:\Program Files\glassfish-4.0\glassfish
Installed version: GlassFish Server Open Source Edition 4.0 (build 89)

What I have done:

Open a cmd as administrator

Add keytool to PATH

set "PATH=%PATH%;C:\Program Files\Java\jdk1.8.0_20\bin"

Generate key

C:\Program Files\glassfish-4.0\glassfish\domains\domain1\config>keytool -keysize 2048 -genkey -alias autofirmado -keyalg RSA -keystore keystore.jks -validity 360
Introduzca la contraseña del almacén de claves:
¿Cuáles son su nombre y su apellido?
  [Unknown]:  Myname
¿Cuál es el nombre de su unidad de organización?
  [Unknown]:  test
¿Cuál es el nombre de su organización?
  [Unknown]:  test2
¿Cuál es el nombre de su ciudad o localidad?
  [Unknown]:  locality
¿Cuál es el nombre de su estado o provincia?
  [Unknown]:  province
¿Cuál es el código de país de dos letras de la unidad?
  [Unknown]:  es
¿Es correcto CN=Myname, OU=test, O=test2, L=locality, ST=province, C=es?
  [no]:  si

Introduzca la contraseña de clave para <autofirmado>
        (INTRO si es la misma contraseña que la del almacén de claves): <ENTER>

Verify new generated key is inside keystore.jks

C:\Program Files\glassfish-4.0\glassfish\domains\domain1\config>keytool -list -keystore keystore.jks -alias autofirmado -v
Introduzca la contraseña del almacén de claves:
Nombre de Alias: autofirmado
Fecha de Creación: 21-dic-2014
Tipo de Entrada: PrivateKeyEntry
...

Then configured http-listener-2:

alias: autofirmado
keystore: keystore.jks
truststore: cacerts.jks   

Then I restarted the server and tried to access https://localhost:8181, but I get the Firefox message:

"The connection was interrupted"

If I configure the GlassFish server with the default "s1as" key it works properly.

asked Dec 21 '14 20:12 by alex

1 Answer

Since I found this question because of a different mistake, I am writing here some possible causes of problems in similar situations.

Wrong certificate name

This is the case for this question. In Chrome I had the following message:

NET::ERR_CERT_AUTHORITY_INVALID

You have to set CN=localhost to get it working.

What is your first and last name?
  [Unknown]:  localhost

This is also specified in the GlassFish Security Guide:

For HTTPS hostname verification, it is important to ensure that the name of the certificate (CN) matches the fully-qualified hostname of your site (fully-qualified domain name). If the names do not match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site.

Wrong key algorithm

I used the keytool -genkey command without specifying the -keyalg option and this created a certificate with SHA1withDSA.

Chrome said ERR_CONNECTION_CLOSED and in my server log I found

javax.net.ssl.SSLHandshakeException: no cipher suites in common

I solved this by specifying keytool -genkey -keyalg RSA

Also change the glassfish-instance certificate

From the GlassFish Security Guide:

DAS uses the s1as alias for SSL/TLS authentication and the instances use the glassfish-instance alias

According to a comment on another answer "If you change the s1as certificate, you will also need to change the glassfish-instance certificate".

Wrong keystore file

Remember that:

  • The keystore.jks file contains the GlassFish Server certificate, including its private key.
  • The cacerts.jks file contains the GlassFish Server trusted certificates, including public keys for other entities.

Sometimes a distraction can make you put the public key in the wrong file. This should be the correct sequence:

# Generate a key pair (private key + self-signed certificate) in keystore.jks
keytool -genkeypair -alias s1as -keystore keystore.jks -keypass changeit -storepass changeit -keyalg RSA
# Export only the certificate (public part) to a file
keytool -export -keystore keystore.jks -alias s1as -file s1as.cer -storepass changeit
# Import that certificate into the truststore cacerts.jks as a trusted entry
keytool -import -noprompt -trustcacerts -file s1as.cer -alias s1as -keystore cacerts.jks -storepass changeit

How to check

This command shows information about certificates:

keytool -v -list -alias <the_alias> -keystore <filename>.jks

If you take a look at the original self-signed certificates provided by GlassFish you have:

  • CN:
    • Owner: CN=localhost for s1as
    • Owner: CN=localhost-instance for glassfish-instance
  • RSA: Signature algorithm name: SHA256withRSA
  • Entry type:
    • Entry type: PrivateKeyEntry for keystore.jks
    • Entry type: trustedCertEntry for cacerts.jks
answered Oct 09 '22 04:10 by xonya
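The manual `keytool -v -list` inspection above can be automated. The following is an added example (not code from the original post or from GlassFish) that opens a JKS file and, for every alias, reports the entry type, a CN that does not match the expected hostname, a DSA key or SHA1/MD5 signature, and an expired certificate; it also checks the subjectAltName, which current browsers require in addition to the CN (keytool can add it with `-ext SAN=dns:localhost`). The file path, store password and expected hostname are command-line arguments and are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Usage: java KeystoreCheck <file.jks> <storepass> <expected-hostname>
public class KeystoreCheck {

    // Extracts the CN attribute from the certificate subject DN.
    static String commonName(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        return null;
    }

    // Collects the DNS names (GeneralName type 2) from subjectAltName, lower-cased.
    static Set<String> dnsSans(X509Certificate cert) throws Exception {
        Set<String> out = new HashSet<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) for (List<?> san : sans)
            if (((Integer) san.get(0)) == 2) out.add(san.get(1).toString().toLowerCase());
        return out;
    }

    // Returns human-readable findings for one alias; the entry type is always reported.
    static List<String> check(KeyStore ks, String alias, String host) throws Exception {
        List<String> f = new ArrayList<>();
        f.add(ks.isKeyEntry(alias) ? "PrivateKeyEntry (usable by an http-listener)"
                                   : "trustedCertEntry (no private key: belongs in cacerts.jks only)");
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) { f.add("not an X.509 certificate"); return f; }
        X509Certificate cert = (X509Certificate) c;
        String cn = commonName(cert);
        if (cn == null || !cn.equalsIgnoreCase(host)) f.add("CN mismatch: CN=" + cn + ", expected " + host);
        if (!dnsSans(cert).contains(host)) f.add("hostname missing from subjectAltName");
        if ("DSA".equals(cert.getPublicKey().getAlgorithm())) f.add("DSA key: expect 'no cipher suites in common'");
        String sig = cert.getSigAlgName();
        if (sig.startsWith("SHA1") || sig.startsWith("MD5")) f.add("weak signature algorithm: " + sig);
        try { cert.checkValidity(); } catch (CertificateException e) { f.add("not valid now: " + e.getMessage()); }
        return f;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("== " + alias);
            for (String line : check(ks, alias, args[2].toLowerCase())) System.out.println("   " + line);
        }
    }
}
```

Run it once against keystore.jks and once against cacerts.jks: the listener alias should show PrivateKeyEntry in the first and trustedCertEntry in the second, with no other findings.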