Integrated SSL/TLS Certificate Management
Since Payara Server 5.20.0
A set of commands to provide integrated management of SSL & TLS certificates in Payara Server.
generate-self-signed-certificate
- Usage
asadmin> generate-self-signed-certificate --target=instancename --listener=listenername --dn="DN1" --alternativenames="ALT1;ALT2;ALT3" alias
- Aim
This command can generate a self-signed certificate for an instance, placing the resultant key pair in the target instance or listener’s key and trust stores.
If the instance or listener is configured to use the default key and trust store, the command will instead synchronise the instance with the DAS (Domain Administration Server), under the assumption that the certificate has been added to the default key and trust store of the DAS, since any certificates added to the instance stores would be lost upon next synchronisation.
This command will not overwrite an entry already present in the key store with the same alias; in that scenario no certificate is generated and the command exits. However, if there is no entry with the same alias in the key store but there is one in the trust store, a certificate will be generated and the entry in the trust store will be overwritten.
Command Options
| Option | Type | Description | Default | Mandatory |
|---|---|---|---|---|
| --target | String | The name of the instance to add the certificate to. | server | no |
| --listener | String | The name of the HTTP or IIOP listener to add the certificate to. | N/A | no |
| | String | The name of the domain where the target instance exists. | domain1 | no |
| | String | The path to the directory containing the target domain. | ${installDir}/glassfish/domains | no |
| --dn | String | The distinguished name to use when generating the certificate. | N/A | yes |
| --alternativenames | String[] | The semicolon (;) separated list of additional Subject Alternative Names to add to the generated certificate. | N/A | no |
| alias | String | The alias name to use when generating the certificate and storing it in the key and trust stores. | N/A | yes |
generate-csr
- Usage
asadmin> generate-csr --target=instancename --listener=listenername alias
- Aim
This command can generate a certificate signing request (CSR) for an instance or listener’s self-signed certificate, placing the resultant CSR file in ${installDir}/glassfish/tls, using the alias name as the file name.
- Note
This will overwrite a CSR with the same name already present in the ${installDir}/glassfish/tls directory.
Command Options
| Option | Type | Description | Default | Mandatory |
|---|---|---|---|---|
| --target | String | The name of the instance to get the certificate from. | server | no |
| --listener | String | The name of the HTTP or IIOP listener to get the certificate from. | N/A | no |
| | String | The name of the domain where the target instance exists. | domain1 | no |
| | String | The path to the directory containing the target domain. | ${installDir}/glassfish/domains | no |
| alias | String | The alias name of the certificate to generate a CSR for. | N/A | yes |
add-to-keystore
- Usage
asadmin> add-to-keystore --target=instancename --listener=listenername --file /path/to/file alias
- Aim
This command adds a certificate bundle (e.g. .p12 or .jks file) to the target instance or listener’s key store using the provided alias.
If the instance or listener is configured to use the default key store, the command will instead synchronise the instance with the DAS (under the assumption the certificate has been added to the default key store of the DAS), since any certificates added to the instance stores would be lost upon next synchronisation.
- Note
This will overwrite an entry already present with the same alias.
Command Options
| Option | Type | Description | Default | Mandatory |
|---|---|---|---|---|
| --target | String | The name of the instance to add the certificate to. | server | no |
| --listener | String | The name of the HTTP or IIOP listener to add the certificate to. | N/A | no |
| | String | The name of the domain where the target instance exists. | domain1 | no |
| | String | The path to the directory containing the target domain. | ${installDir}/glassfish/domains | no |
| --file | File | The bundle file to add to the target key store. | N/A | yes |
| alias | String | The alias name to store the certificate bundle in the key store under. | N/A | yes |
add-to-truststore
- Usage
asadmin> add-to-truststore --target=instancename --listener=listenername --file /path/to/file alias
- Aim
This command adds a certificate (e.g. a .cert file) to the target instance or listener’s trust store using the provided alias.
If the instance or listener is configured to use the default trust store, the command will instead synchronise the instance with the DAS (under the assumption the certificate has been added to the default trust store of the DAS), since any certificates added to the instance stores would be lost upon next synchronisation.
- Note
This will overwrite an entry already present with the same alias.
Command Options
| Option | Type | Description | Default | Mandatory |
|---|---|---|---|---|
| --target | String | The name of the instance to add the certificate to. | server | no |
| --listener | String | The name of the HTTP or IIOP listener to add the certificate to. | N/A | no |
| | String | The name of the domain where the target instance exists. | domain1 | no |
| | String | The path to the directory containing the target domain. | ${installDir}/glassfish/domains | no |
| --file | File | The certificate file to add to the target trust store. | N/A | yes |
| alias | String | The alias name to store the certificate in the trust store under. | N/A | yes |
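The overwrite rules differ per command: generate-self-signed-certificate skips an alias already in the key store but replaces a same-named trust store entry, while add-to-keystore and add-to-truststore always replace an existing alias. The pre-flight check below is an added example, not part of the Payara documentation; it assumes store contents are inspected with the JDK's keytool -list, and the listings, aliases and function names (has_alias, preflight) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Payara code). Listings are CONSTRUCTED samples in the
# format printed by the JDK's `keytool -list`; for a real check, replace them
# with e.g.  keytool -list -keystore "$STORE" -storepass "$PASS"
# where $STORE and $PASS are placeholders for your own store path/password.
KEYSTORE_LISTING='Your keystore contains 2 entries

s1as, Jan 1, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22 (constructed)
web-tls, Mar 5, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 33:44:55 (constructed)'
TRUSTSTORE_LISTING='Your keystore contains 2 entries

s1as, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22 (constructed)
partner-ca, Feb 2, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 66:77:88 (constructed)'

# has_alias ALIAS < listing : exit 0 if the listing holds an entry named ALIAS.
# Entry lines look like "<alias>, <date>, <EntryType>,". Comparison is
# case-insensitive as a conservative choice; aliases containing ", " are not handled.
has_alias() {
  awk -v want="$1" '
    /, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),/ {
      name = $0
      sub(/, .*/, "", name)            # keep the text before the first ", "
      if (tolower(name) == tolower(want)) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# preflight COMMAND ALIAS : report what the command would do to existing
# entries, following the overwrite rules documented on this page.
preflight() {
  cmd=$1 name=$2 in_ks=no in_ts=no
  if printf '%s\n' "$KEYSTORE_LISTING"   | has_alias "$name"; then in_ks=yes; fi
  if printf '%s\n' "$TRUSTSTORE_LISTING" | has_alias "$name"; then in_ts=yes; fi
  case "$cmd:$in_ks:$in_ts" in
    generate-self-signed-certificate:yes:*)  echo "no-op: alias already in key store, nothing generated" ;;
    generate-self-signed-certificate:no:yes) echo "overwrite: trust store entry replaced" ;;
    add-to-keystore:yes:*)                   echo "overwrite: key store entry replaced" ;;
    add-to-truststore:*:yes)                 echo "overwrite: trust store entry replaced" ;;
    *)                                       echo "clean: no existing entry affected" ;;
  esac
}

preflight add-to-truststore partner-ca               # constructed alias
preflight generate-self-signed-certificate s1as
```

Treat any "overwrite" result for a trust store alias as a change to a trust anchor and review it before running the asadmin command.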
remove-from-keystore
- Usage
asadmin> remove-from-keystore --target=instancename --listener=listenername alias
- Aim
This command removes a certificate from the target instance or listener’s key store matching the provided alias.
If the instance or listener is configured to use the default key store, the command will instead synchronise the instance with the DAS (under the assumption the certificate has been removed from the default key store of the DAS), since any certificates removed from the instance stores would be lost upon next synchronisation.
Command Options
| Option | Type | Description | Default | Mandatory |
|---|---|---|---|---|
| --target | String | The name of the instance to remove the certificate from. | server | no |
| --listener | String | The name of the HTTP or IIOP listener to remove the certificate from. | N/A | no |
| | String | The name of the domain where the target instance exists. | domain1 | no |
| | String | The path to the directory containing the target domain. | ${installDir}/glassfish/domains | no |
| alias | String | The alias name of the certificate to remove. | N/A | yes |
remove-from-truststore
- Usage
asadmin> remove-from-truststore --target=instancename --listener=listenername alias
- Aim
This command removes a certificate from the target instance or listener’s trust store matching the provided alias.
If the instance or listener is configured to use the default trust store, the command will instead synchronise the instance with the DAS (under the assumption the certificate has been removed from the default trust store of the DAS), since any certificates removed from the instance stores would be lost upon next synchronisation.
Command Options
| Option | Type | Description | Default | Mandatory |
|---|---|---|---|---|
| --target | String | The name of the instance to remove the certificate from. | server | no |
| --listener | String | The name of the HTTP or IIOP listener to remove the certificate from. | N/A | no |
| | String | The name of the domain where the target instance exists. | domain1 | no |
| | String | The path to the directory containing the target domain. | ${installDir}/glassfish/domains | no |
| alias | String | The alias name of the certificate to remove. | N/A | yes |
remove-expired-certificates
- Usage
asadmin> remove-expired-certificates --target=instancename --listener=listenername
- Aim
This command removes all expired certificates from the target instance or listener’s key and trust stores.
If the instance or listener is configured to use the default trust store, the command will instead synchronise the instance with the DAS (under the assumption the certificate has been removed from the default trust store of the DAS), since any certificates removed from the instance stores would be lost upon next synchronisation.
Command Options
| Option | Type | Description | Default | Mandatory |
|---|---|---|---|---|
| --target | String | The name of the instance to remove expired certificates from. | server | no |
| --listener | String | The name of the HTTP or IIOP listener to remove expired certificates from. | N/A | no |
| | String | The name of the domain where the target instance exists. | domain1 | no |
| | String | The path to the directory containing the target domain. | ${installDir}/glassfish/domains | no |