Integrated SSL/TLS Certificate Management

Since Payara Server 5.20.0

A set of commands to provide integrated management of SSL & TLS certificates in Payara Server.

generate-self-signed-certificate

Usage

asadmin> generate-self-signed-certificate --target=instancename --listener=listenername --dn="DN1" --alternativenames="ALT1;ALT2;ALT3" alias

Aim

This command generates a self-signed certificate for an instance, storing the resulting key pair in the target instance or listener's key store and the certificate in its trust store.

If the instance or listener is configured to use the default key and trust stores, the command does not modify the instance's stores. It instead synchronises the instance with the DAS, on the assumption that the certificate has already been added to the default key and trust stores of the DAS, since any certificate added directly to an instance's copy of the default stores would be lost on the next synchronisation.

This command will not overwrite an entry already present in the key store under the same alias; in that case no certificate is generated and the command exits. If, however, the alias is absent from the key store but present in the trust store, a certificate is generated and the trust store entry is overwritten.
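Because every command on this page behaves differently when the target listener uses the default stores (it only re-synchronises the instance from the DAS instead of editing the instance's own store files), it is worth checking which case applies before running anything. The helper below is an added example for this page, not Payara's own code: it reads domain.xml and reports the key and trust store of an HTTP or IIOP listener. It assumes that a listener is on the default stores when its <ssl> element carries no key-store / trust-store attribute (the defaults then being the files named by the javax.net.ssl.keyStore / trustStore JVM options, normally config/keystore.jks and config/cacerts.jks under the instance root), and the embedded domain.xml fragment and the config name Instance1-config are constructed for the demonstration.

```python
"""Report which key/trust store a Payara listener uses (added example, not Payara code).

Assumption: an <ssl> element without key-store / trust-store attributes means the
listener is on the default stores (config/keystore.jks and config/cacerts.jks).
"""
import xml.etree.ElementTree as ET

DEFAULT_KEY_STORE = "${com.sun.aas.instanceRoot}/config/keystore.jks"
DEFAULT_TRUST_STORE = "${com.sun.aas.instanceRoot}/config/cacerts.jks"


def _find(parent, path, attr, value):
    """First element under `path` whose attribute `attr` equals `value`.
    Plain iteration instead of building an XPath string, so a listener name
    containing quotes cannot change the query."""
    for el in parent.iterfind(path):
        if el.get(attr) == value:
            return el
    return None


def find_ssl(root, config_name, listener):
    """Return (owning element, <ssl> element or None) for an HTTP or IIOP listener."""
    config = _find(root, "./configs/config", "name", config_name)
    if config is None:
        raise LookupError(f"no <config name={config_name!r}> in domain.xml")
    # HTTP listeners: network-listener -> protocol (by name) -> ssl
    nl = _find(config, "./network-config/network-listeners/network-listener", "name", listener)
    if nl is not None:
        proto = _find(config, "./network-config/protocols/protocol", "name", nl.get("protocol"))
        if proto is None:
            raise LookupError(f"{listener!r} refers to unknown protocol {nl.get('protocol')!r}")
        return proto, proto.find("ssl")
    # IIOP listeners are keyed by id and hold their <ssl> element directly
    iiop = _find(config, "./iiop-service/iiop-listener", "id", listener)
    if iiop is not None:
        return iiop, iiop.find("ssl")
    raise LookupError(f"no HTTP or IIOP listener {listener!r} in config {config_name!r}")


def listener_stores(domain_xml, config_name, listener):
    """Describe the stores a TLS-enabled listener uses and whether they are the defaults."""
    root = ET.fromstring(domain_xml)
    owner, ssl = find_ssl(root, config_name, listener)
    if ssl is None or owner.get("security-enabled") != "true":
        raise ValueError(f"{listener!r} is not TLS-enabled; there is no store to add a certificate to")
    return {
        "key_store": ssl.get("key-store") or DEFAULT_KEY_STORE,
        "trust_store": ssl.get("trust-store") or DEFAULT_TRUST_STORE,
        "uses_default_key_store": not ssl.get("key-store"),
        "uses_default_trust_store": not ssl.get("trust-store"),
        "cert_nickname": ssl.get("cert-nickname"),  # the alias the listener actually serves
    }


# Constructed domain.xml fragment for instance "Instance1" on config "Instance1-config"
# (the config name create-instance assigns when no --config is given).
SAMPLE_DOMAIN_XML = """\
<domain>
  <configs>
    <config name="Instance1-config">
      <network-config>
        <protocols>
          <protocol name="http-listener-2" security-enabled="true">
            <http default-virtual-server="server"/>
            <ssl cert-nickname="s1as"
                 key-store="${com.sun.aas.instanceRoot}/config/custom.jks"
                 trust-store="${com.sun.aas.instanceRoot}/config/custom-trust.jks"/>
          </protocol>
          <protocol name="http-listener-1" security-enabled="false">
            <http default-virtual-server="server"/>
          </protocol>
        </protocols>
        <network-listeners>
          <network-listener name="http-listener-1" protocol="http-listener-1" port="8080"/>
          <network-listener name="http-listener-2" protocol="http-listener-2" port="8181"/>
        </network-listeners>
      </network-config>
      <iiop-service>
        <iiop-listener id="SSL" security-enabled="true" port="3820">
          <ssl cert-nickname="s1as"/>
        </iiop-listener>
      </iiop-service>
    </config>
  </configs>
</domain>
"""

if __name__ == "__main__":
    for name in ("http-listener-2", "SSL"):
        info = listener_stores(SAMPLE_DOMAIN_XML, "Instance1-config", name)
        where = ("DAS default stores: add/remove on the DAS, then let the instance sync"
                 if info["uses_default_key_store"] else info["key_store"])
        print(f"{name}: key store -> {where}; serves alias {info['cert_nickname']!r}")
```

The cert-nickname value is worth noting alongside the result: it is the alias the listener presents to clients, so a certificate generated or imported under a new alias is not served until the listener's cert-nickname is pointed at that alias.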

Command Options

Option                         | Type     | Description                                                                                        | Default                         | Mandatory
--target                       | String   | The name of the instance to add the certificate to.                                                | server                          | no
--listener                     | String   | The name of the HTTP or IIOP listener to add the certificate to.                                   | N/A                             | no
--domain_name                  | String   | The name of the domain where the target instance exists.                                           | domain1                         | no
--domaindir                    | String   | The path to the directory containing the target domain.                                            | ${installDir}/glassfish/domains | no
--distinguishedname, --dn      | String   | The distinguished name to use when generating the certificate.                                     | N/A                             | yes
--alternativenames, --altnames | String[] | The semi-colon (;) separated list of additional Subject Alternative Names to add to the certificate. | N/A                           | no
--alias (primary)              | String   | The alias name to use when generating the certificate and storing it in the key and trust stores.  | N/A                             | yes

Example

asadmin> generate-self-signed-certificate --dn "CN=test.payara.fish,IP=192.168.1.1"
--listener http-listener-2
--alternativenames "test2.payara.fish;DNS:test3.payara.fish,IP:127.0.0.1,EMAIL:anon@payara.fish"
--target Instance1
test_cert
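Since the command refuses to overwrite an existing alias, a typo in the DN or in the alternative-names list costs an extra remove-and-retry cycle; checking the inputs first is cheap. The following is an added example for this page, not Payara's own code. It validates the DN against the RDN keywords the JDK's X500Name parser accepts (the assumption being that Payara hands --dn to keytool unchanged), normalises the alternative names the way the example above suggests (items separated by ';', a bare item being a DNS name, items optionally carrying a keytool-style DNS:, IP:, EMAIL: or URI: prefix, and a comma-joined group inside one item being split as well), and builds the asadmin argument list. Whether Payara itself applies exactly this normalisation is an assumption; the validation is what matters.

```python
"""Pre-flight checks for `asadmin generate-self-signed-certificate`
(added example for the Payara docs page, not Payara's own code)."""
from __future__ import annotations

import ipaddress
import re
import shlex

# RDN keywords understood by the JDK's X500Name parser (keytool -dname syntax).
# Assumption: Payara forwards --dn to keytool unchanged, so e.g. "DNS=" fails there.
DN_KEYWORDS = {"CN", "C", "L", "S", "ST", "O", "OU", "T", "IP", "STREET", "DC",
               "DNQUALIFIER", "DNQ", "SURNAME", "GIVENNAME", "INITIALS",
               "GENERATION", "EMAIL", "EMAILADDRESS", "UID", "SERIALNUMBER"}
# SAN types accepted in keytool's -ext SAN= syntax.
SAN_TYPES = {"DNS", "IP", "EMAIL", "URI"}
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:\*\.)?(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_RDN_SPLIT = re.compile(r"(?<!\\),")  # split a DN on commas that are not escaped


def check_dn(dn: str) -> list[str]:
    """Return the problems found in an RFC 4514-style DN; an empty list means it looks fine."""
    problems = []
    for rdn in _RDN_SPLIT.split(dn):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not value.strip():
            problems.append(f"malformed RDN {rdn.strip()!r}")
        elif key.strip().upper() not in DN_KEYWORDS:
            problems.append(f"unknown RDN keyword {key.strip()!r}")
    return problems


def normalise_san(item: str) -> str:
    """Return one SAN as TYPE:value; a bare item is a DNS name; the value is validated."""
    typ, sep, value = item.partition(":")
    if not sep or typ.upper() not in SAN_TYPES:
        typ, value = "DNS", item  # no recognised prefix: the whole item is a host name
    typ = typ.upper()
    if typ == "DNS" and not _HOSTNAME.match(value):
        raise ValueError(f"invalid DNS name {value!r}")
    if typ == "IP":
        ipaddress.ip_address(value)  # raises ValueError for anything that is not an address
    if typ == "EMAIL" and not re.fullmatch(r"[^@\s]+@[^@\s]+", value):
        raise ValueError(f"invalid e-mail address {value!r}")
    return f"{typ}:{value}"


def check_alt_names(raw: str) -> tuple[list[str], list[str]]:
    """Split an --alternativenames value and return (normalised SANs, problems).
    Both ';' and ',' separate items, so a comma-joined group inside one ';' item
    (as in the docs example) is validated SAN by SAN."""
    good, bad = [], []
    for part in re.split(r"[;,]", raw):
        part = part.strip()
        if not part:
            continue
        try:
            good.append(normalise_san(part))
        except ValueError as exc:
            bad.append(str(exc))
    return good, bad


def build_command(alias, dn, sans=(), target="server", listener=None, domain=None) -> list[str]:
    """Return the asadmin argv as a list (no shell re-parsing of ';' or spaces).
    Key store aliases are case-insensitive, so 'Test_Cert' collides with an existing
    'test_cert' and the command refuses to overwrite it; lower-case aliases avoid surprises."""
    if not re.fullmatch(r"[a-z0-9_.-]+", alias):
        raise ValueError(f"alias {alias!r}: use lower-case letters, digits, '_', '.' or '-'")
    problems = check_dn(dn)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["asadmin", "generate-self-signed-certificate", "--target", target, "--dn", dn]
    if listener:
        argv += ["--listener", listener]
    if domain:
        argv += ["--domain_name", domain]
    sans = list(sans)
    if sans:
        argv += ["--alternativenames", ";".join(sans)]
    return argv + [alias]


if __name__ == "__main__":
    sans, problems = check_alt_names(
        "test2.payara.fish;DNS:test3.payara.fish,IP:127.0.0.1,EMAIL:anon@payara.fish")
    if problems:
        raise SystemExit("fix --alternativenames first: " + "; ".join(problems))
    print(shlex.join(build_command("test_cert", "CN=test.payara.fish,IP=192.168.1.1", sans,
                                   target="Instance1", listener="http-listener-2")))
```

Run with a real subprocess call on the returned list rather than pasting the printed line into a shell: the list form keeps a value such as the ';'-joined SAN string as one argument without quoting rules getting in the way.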

generate-csr

Usage

asadmin> generate-csr --target=instancename --listener=listenername alias

Aim

This command generates a certificate signing request (CSR) for an instance or listener's self-signed certificate, writing the resulting CSR file to ${installDir}/glassfish/tls and using the alias as the file name.

Note

This will overwrite a CSR with the same name already present in the ${installDir}/glassfish/tls directory.

Command Options

Option            | Type   | Description                                                         | Default                         | Mandatory
--target          | String | The name of the instance to get the certificate from.               | server                          | no
--listener        | String | The name of the HTTP or IIOP listener to get the certificate from.  | N/A                             | no
--domain_name     | String | The name of the domain where the target instance exists.            | domain1                         | no
--domaindir       | String | The path to the directory containing the target domain.             | ${installDir}/glassfish/domains | no
--alias (primary) | String | The alias name of the certificate to generate a CSR for.            | N/A                             | yes

Example

asadmin> generate-csr --listener http-listener-2 --target Instance1 test_cert

add-to-keystore

Usage

asadmin> add-to-keystore --target=instancename --listener=listenername --file /path/to/file alias

Aim

This command adds a certificate bundle (e.g. a .p12 or .jks file) to the target instance or listener's key store under the provided alias.

If the instance or listener is configured to use the default key store, the command does not modify the instance's store. It instead synchronises the instance with the DAS, on the assumption that the bundle has already been added to the default key store of the DAS, since any certificate added directly to an instance's copy of the default store would be lost on the next synchronisation.

Note

This will overwrite an entry already present with the same alias.

Command Options

Option            | Type   | Description                                                          | Default                         | Mandatory
--target          | String | The name of the instance to add the certificate to.                  | server                          | no
--listener        | String | The name of the HTTP or IIOP listener to add the certificate to.     | N/A                             | no
--domain_name     | String | The name of the domain where the target instance exists.             | domain1                         | no
--domaindir       | String | The path to the directory containing the target domain.              | ${installDir}/glassfish/domains | no
--file            | File   | The bundle file to add to the target key store.                      | N/A                             | yes
--alias (primary) | String | The alias name to store the certificate bundle in the key store under. | N/A                           | yes

Example

asadmin> add-to-keystore --file /home/anon/Downloads/mycert.p12 mycert

add-to-truststore

Usage

asadmin> add-to-truststore --target=instancename --listener=listenername --file /path/to/file alias

Aim

This command adds a certificate (e.g. a .cert file) to the target instance or listener's trust store under the provided alias.

If the instance or listener is configured to use the default trust store, the command does not modify the instance's store. It instead synchronises the instance with the DAS, on the assumption that the certificate has already been added to the default trust store of the DAS, since any certificate added directly to an instance's copy of the default store would be lost on the next synchronisation.

Note

This will overwrite an entry already present with the same alias.

Command Options

Option            | Type   | Description                                                          | Default                         | Mandatory
--target          | String | The name of the instance to add the certificate to.                  | server                          | no
--listener        | String | The name of the HTTP or IIOP listener to add the certificate to.     | N/A                             | no
--domain_name     | String | The name of the domain where the target instance exists.             | domain1                         | no
--domaindir       | String | The path to the directory containing the target domain.              | ${installDir}/glassfish/domains | no
--file            | File   | The certificate file to add to the target trust store.               | N/A                             | yes
--alias (primary) | String | The alias name to store the certificate in the trust store under.    | N/A                             | yes

Example

asadmin> add-to-truststore --file /home/anon/Downloads/mycert.cert mycert

remove-from-keystore

Usage

asadmin> remove-from-keystore --target=instancename --listener=listenername alias

Aim

This command removes the certificate stored under the provided alias from the target instance or listener's key store.

If the instance or listener is configured to use the default key store, the command does not modify the instance's store. It instead synchronises the instance with the DAS, on the assumption that the certificate has already been removed from the default key store of the DAS, since any removal made directly in an instance's copy of the default store would be undone on the next synchronisation.

Command Options

Option            | Type   | Description                                                             | Default                         | Mandatory
--target          | String | The name of the instance to remove the certificate from.                | server                          | no
--listener        | String | The name of the HTTP or IIOP listener to remove the certificate from.   | N/A                             | no
--domain_name     | String | The name of the domain where the target instance exists.                | domain1                         | no
--domaindir       | String | The path to the directory containing the target domain.                 | ${installDir}/glassfish/domains | no
--alias (primary) | String | The alias name of the certificate to remove.                            | N/A                             | yes

Example

asadmin> remove-from-keystore --domain_name production --target Instance1 --listener http-listener-2 mycert

remove-from-truststore

Usage

asadmin> remove-from-truststore --target=instancename --listener=listenername alias

Aim

This command removes the certificate stored under the provided alias from the target instance or listener's trust store.

If the instance or listener is configured to use the default trust store, the command does not modify the instance's store. It instead synchronises the instance with the DAS, on the assumption that the certificate has already been removed from the default trust store of the DAS, since any removal made directly in an instance's copy of the default store would be undone on the next synchronisation.

Command Options

Option            | Type   | Description                                                             | Default                         | Mandatory
--target          | String | The name of the instance to remove the certificate from.                | server                          | no
--listener        | String | The name of the HTTP or IIOP listener to remove the certificate from.   | N/A                             | no
--domain_name     | String | The name of the domain where the target instance exists.                | domain1                         | no
--domaindir       | String | The path to the directory containing the target domain.                 | ${installDir}/glassfish/domains | no
--alias (primary) | String | The alias name of the certificate to remove.                            | N/A                             | yes

Example

asadmin> remove-from-truststore --domain_name production --target Instance1 --listener http-listener-2 mycert

remove-expired-certificates

Usage

asadmin> remove-expired-certificates --target=instancename --listener=listenername

Aim

This command removes all expired certificates from the target instance or listener's key and trust stores.

If the instance or listener is configured to use the default key and trust stores, the command does not modify the instance's stores. It instead synchronises the instance with the DAS, on the assumption that the expired certificates have already been removed from the default key and trust stores of the DAS, since any removal made directly in an instance's copy of the default stores would be undone on the next synchronisation.

Command Options

Option        | Type   | Description                                                                  | Default                         | Mandatory
--target      | String | The name of the instance to remove expired certificates from.                | server                          | no
--listener    | String | The name of the HTTP or IIOP listener to remove expired certificates from.   | N/A                             | no
--domain_name | String | The name of the domain where the target instance exists.                     | domain1                         | no
--domaindir   | String | The path to the directory containing the target domain.                      | ${installDir}/glassfish/domains | no

Example

asadmin> remove-expired-certificates --domain_name production --target Instance1 --listener http-listener-2
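The command deletes from both the key store and the trust store without listing what it will touch, so a review of the expiry dates beforehand is good practice, and it also surfaces entries that are about to expire and need renewing rather than removing. The script below is an added example for this page, not Payara's own code: it parses the output of keytool -list -v for a store and reports expired and soon-to-expire entries. A constructed sample of that output is embedded so it runs offline; list_store shows the real keytool invocation. It assumes keytool's default English output format and, because zone names are not portable through strptime, treats the printed timestamps as UTC, which is accurate enough for a day-granularity review. Whether the Payara command judges a private-key entry by its own certificate or by the whole chain is not stated on this page; this preview uses the entry's own certificate (Certificate[1]).

```python
"""Preview expired and expiring entries in a Java key or trust store
(added example for the Payara docs page, not Payara's own code)."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

_ALIAS = re.compile(r"^Alias name: (.+)$")
_TYPE = re.compile(r"^Entry type: (.+)$")
_VALID = re.compile(r"^Valid from: (?P<nb>.+?) until: (?P<na>.+)$")


@dataclass
class Entry:
    alias: str
    entry_type: str
    not_before: datetime
    not_after: datetime


def _parse_keytool_date(text: str) -> datetime:
    """'Thu Dec 31 23:59:59 UTC 2020' -> aware datetime. The zone name is dropped and
    the value treated as UTC (assumption; fine at day granularity)."""
    _weekday, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}",
                             "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_keytool_list(output: str) -> list[Entry]:
    """One Entry per alias. For a PrivateKeyEntry with a chain, Certificate[1] (the
    entry's own certificate) decides; later chain members are skipped."""
    entries, alias, etype = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := _ALIAS.match(line):
            alias, etype = m.group(1), None
        elif m := _TYPE.match(line):
            etype = m.group(1)
        elif (m := _VALID.match(line)) and alias is not None:
            if entries and entries[-1].alias == alias:
                continue  # chain member, not the entry's own certificate
            entries.append(Entry(alias, etype or "unknown",
                                 _parse_keytool_date(m["nb"]), _parse_keytool_date(m["na"])))
    return entries


def expiry_report(output: str, as_of: str, warn_days: int = 30) -> dict[str, list[str]]:
    """Aliases expired at `as_of` (YYYY-MM-DD) and aliases expiring within warn_days."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    entries = parse_keytool_list(output)
    return {
        "expired": [e.alias for e in entries if e.not_after <= now],
        "expiring": [e.alias for e in entries
                     if now < e.not_after <= now + timedelta(days=warn_days)],
    }


def list_store(path: str, storepass: str) -> str:
    """Run keytool against a real store (not used by the offline demo)."""
    return subprocess.run(["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample of `keytool -list -v` output: a key pair with a two-certificate
# chain, an expired trusted CA, and a trusted certificate close to expiry.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Your keystore contains 3 entries

Alias name: s1as
Creation date: Jun 22, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=localhost, OU=Payara, O=Payara Foundation, C=UK
Issuer: CN=Example Issuing CA, O=Example, C=UK
Valid from: Sat Jun 22 12:00:00 UTC 2019 until: Fri Jun 22 12:00:00 UTC 2029
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example, C=UK
Issuer: CN=Example Root CA, O=Example, C=UK
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Sat Jan 01 00:00:00 UTC 2033
*******************************************
Alias name: old-ca
Creation date: Jan 5, 2016
Entry type: trustedCertEntry
Owner: CN=Retired Partner CA, O=Example, C=UK
Issuer: CN=Retired Partner CA, O=Example, C=UK
Valid from: Tue Jan 05 00:00:00 UTC 2016 until: Thu Dec 31 23:59:59 UTC 2020
*******************************************
Alias name: renew-soon
Creation date: Jul 1, 2023
Entry type: trustedCertEntry
Owner: CN=partner.example.net, O=Example, C=UK
Issuer: CN=Example Issuing CA, O=Example, C=UK
Valid from: Sat Jul 01 00:00:00 UTC 2023 until: Mon Jul 01 00:00:00 UTC 2024
"""

if __name__ == "__main__":
    today = datetime.now(timezone.utc).strftime("%Y-%m-%d")
    report = expiry_report(SAMPLE_KEYTOOL_OUTPUT, today)
    print("would be removed:", report["expired"])
    print("renew soon:     ", report["expiring"])
```

Run it once against the key store and once against the trust store of the target (the stores reported by the listener's <ssl> configuration), since remove-expired-certificates acts on both; anything in the "expiring" list is a renewal task, not a removal.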