Integrated SSL/TLS Certificate Management
A set of commands to provide integrated management of SSL & TLS certificates in Payara Server.
generate-self-signed-certificate
- Usage
-
asadmin> generate-self-signed-certificate --target=instancename --listener=listenername --dn="DN1" --alternativenames="ALT1;ALT2;ALT3" alias
- Aim
-
This command can generate a self-signed certificate for an instance, placing the resultant key pair in the target instance or listener’s key and trust stores.
If the instance or listener is configured to use the default key and trust store, the command will instead synchronize the instance with the DAS (under the assumption the certificate has been added to the default key and trust store of the DAS), since any certificates added to the instance stores would be lost upon next synchronisation.
This command will not overwrite an entry already present in the key store with the same alias. In this scenario no certificate is generated and the command exits. In the case however where there is not an entry with the same alias in the key store but there is in the trust store, a certificate will be generated and the entry in the trust store will be overwritten. |
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to add the certificate to. |
server |
no |
|
Boolean |
If the http listeners should be reloaded |
false |
no |
|
String |
The name of the HTTP or IIOP listener to add the certificate to. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
domain1 or the existing domain if only one exists |
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
${installDir}/glassfish/nodes |
no |
|
String |
The distinguished name to use when generating the certificate. |
N/A |
yes |
|
String[] |
The semi-colon (;) separated list of additional Subject Alternative Names to add to the generated certificate. |
N/A |
no |
|
String |
The alias name to use when generating the certificate and storing it in the key and trust stores. |
N/A |
yes |
renew-self-signed-certificates
- Usage
-
asadmin> renew-self-signed-certificates
- Aim
-
The renew-self-signed-certificates subcommand renews all self-signed certificates in a keystore using the old distinguished name and alias. These certificates are then placed in the key and trust stores of the target instance or listener, replacing the old ones.
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to renew the certificates of. |
server |
no |
|
Boolean |
If the http listeners should be reloaded. |
false |
no |
|
String |
The name of the HTTP or IIOP listener to renew the certificates of. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
domain1 |
no |
|
String |
The path to the directory containing the target domain. |
${installDir}/glassfish/domains |
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
${installDir}/glassfish/nodes |
no |
generate-csr
- Usage
-
asadmin> generate-csr --target=instancename --listener=listenername alias
- Aim
-
This command can generate a certificate signing request (CSR) for an instance or listener’s self-signed certificate, placing the resultant CSR file in
${installDir}/glassfish/tls
, using the alias name as the file name. - Note
-
This will overwrite a CSR with the same name already present in the
${installDir}/glassfish/tls
directory.
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to get the certificate from. |
server |
no |
|
String |
The name of the HTTP or IIOP listener to get the certificate from. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
domain1 |
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
|
no |
|
String |
The alias name of the certificate to generate a CSR for. |
N/A |
yes |
add-to-keystore
- Usage
-
asadmin> add-to-keystore --target=instancename --listener=listenername --file /path/to/file alias
- Aim
-
This command adds a certificate bundle (e.g.
.p12
or.jks
file) to the target instance or listener’s key store using the provided alias.
If the instance or listener is configured to use the default key store, the command will instead synchronize the instance with the DAS (under the assumption the certificate has been added to the default key store of the DAS), since any certificates added to the instance stores would be lost upon next synchronisation.
This will overwrite an entry already present with the same alias. A certificate without a private key cannot be used by a HTTP listener and will return a warning. |
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to add the certificate to. |
server |
no |
|
Boolean |
If the http listeners should be reloaded |
false |
no |
|
String |
The name of the HTTP or IIOP listener to add the certificate to. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
domain1 |
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
|
no |
|
File |
The bundle file to add to the target key store |
N/A |
yes |
|
String |
The alias name to store the certificate bundle in the key store under. |
N/A |
yes |
add-to-truststore
- Usage
-
asadmin> add-to-truststore --target=instancename --listener=listenername --file /path/to/file alias
- Aim
-
This command adds a certificate (e.g.
.cert
file) to the target instance or listener’s trust store or listener’s trust store using the provided alias.
If the instance or listener is configured to use the default trust store, the command will instead synchronize the instance with the DAS (under the assumption the certificate has been added to the default trust store of the DAS), since any certificates added to the instance stores would be lost upon next synchronisation.
- Note
-
This will overwrite an entry already present with the same alias.
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to add the certificate to. |
server |
no |
|
Boolean |
If the http listeners should be reloaded |
false |
no |
|
String |
The name of the HTTP or IIOP listener to add the certificate to. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
domain1 |
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
|
no |
|
File |
The certificate file to add to the target trust store |
N/A |
yes |
|
String |
The alias name to store the certificate in the trust store under. |
N/A |
yes |
remove-from-keystore
- Usage
-
asadmin> remove-from-keystore --target=instancename --listener=listenername alias
- Aim
-
This command removes a certificate from the target instance or listener’s key store matching the provided alias.
If the instance or listener is configured to use the default key store, the command will instead synchronize the instance with the DAS (under the assumption the certificate has been removed from the default key store of the DAS), since any certificates removed from the instance stores would be lost upon next synchronisation.
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to remove the certificate from. |
server |
no |
|
Boolean |
If the http listeners should be reloaded |
false |
no |
|
String |
The name of the HTTP or IIOP listener to remove the certificate from. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
|
no |
|
String |
The alias name of the certificate to remove. |
N/A |
yes |
remove-from-truststore
- Usage
-
asadmin> remove-from-truststore --target=instancename --listener=listenername alias
- Aim
-
This command removes a certificate from the target instance or listener’s trust store matching the provided alias.
If the instance or listener is configured to use the default trust store, the command will instead synchronize the instance with the DAS (under the assumption the certificate has been removed from the default trust store of the DAS), since any certificates removed from the instance stores would be lost upon next synchronisation.
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to remove the certificate from. |
server |
no |
|
Boolean |
If the http listeners should be reloaded |
false |
no |
|
String |
The name of the HTTP or IIOP listener to remove the certificate from. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
${installDir}/glassfish/nodes |
no |
|
String |
The alias name of the certificate to remove. |
N/A |
yes |
remove-expired-certificates
- Usage
-
asadmin> remove-expired-certificates --target=instancename --listener=listenername
- Aim
-
This command removes all expired certificates from the target instance or listener’s key and trust stores.
If the instance or listener is configured to use the default trust store, the command will instead synchronize the instance with the DAS (under the assumption the certificate has been removed from the default trust store of the DAS), since any certificates removed from the instance stores would be lost upon next synchronisation.
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to remove expired certificates from. |
server |
no |
|
Boolean |
If the http listeners should be reloaded |
false |
no |
|
String |
The name of the HTTP or IIOP listener to remove expired certificates from. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
domain1 |
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
|
no |
list-keystore-entries
- Usage
-
asadmin> list-keystore-entries --target=instancename --listener=listenername
- Aim
-
This command displays either all or a specific store entry from the target instance or listener’s key store.
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to list certificates from. |
server |
no |
|
String |
The name of the HTTP or IIOP listener to list certificates from. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
domain1 |
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
|
no |
|
Boolean |
Whether or not to print the full entry details. |
false |
no |
|
String |
The alias name of the entry to list. If not provided then all entries are listed. |
N/A |
false |
list-truststore-entries
- Usage
-
asadmin> list-truststore-entries --target=instancename --listener=listenername
- Aim
-
This command displays either all or a specific store entry from the target instance or listener’s trust store.
Command Options
Option | Type | Description | Default | Mandatory |
---|---|---|---|---|
|
String |
The name of the instance to list certificates from. |
server |
no |
|
String |
The name of the HTTP or IIOP listener to list certificates from. |
N/A |
no |
|
String |
The name of the domain where the target instance exists. |
domain1 |
no |
|
String |
The path to the directory containing the target domain. |
|
no |
|
String |
The name of the node where the target instance exists. |
|
no |
|
String |
The path to the directory containing the target node. |
${installDir}/glassfish/nodes |
no |
|
Boolean |
Whether or not to print the full entry details. |
false |
no |
|
String |
The alias name of the entry to list. If not provided then all entries are listed. |
N/A |
false |