Thursday, February 14, 2013

Glassfish: default keystore and truststore

Q: Do you need to use the keystores/truststores of GlassFish OSE?

There are 2 files you should be interested in (note that I use domain1 here):
  • $GLASSFISH_HOME/domains/domain1/config/cacerts.jks - truststore - holding all the public keys (the trusted certificates)
  • $GLASSFISH_HOME/domains/domain1/config/keystore.jks - keystore - holding all the private keys

The default alias used for the secured http-listeners is called: s1as.

To examine the contents

To list the keystore and truststore contents use:
keytool -list -v -storepass changeit -keystore $GLASSFISH_HOME/domains/domain1/config/keystore.jks
keytool -list -v -storepass changeit -keystore $GLASSFISH_HOME/domains/domain1/config/cacerts.jks
Please note that you need to adapt the paths to the domain you use, and replace changeit with the password you have configured for GlassFish to protect the keystore/truststore.
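The verbose listing is long, so when auditing a domain it helps to reduce it to one line per alias and see at a glance whether s1as is still a self-signed key (as the keys generated at domain creation are) or has been replaced. The following is an added example, not part of the original post: the function names, the appcert alias and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Summarise `keytool -list -v` output from stdin, one line per entry:
#   <alias> <entry type> <self-signed|not-self-signed>
summarise_listing() {
    awk '
        function emit() {
            if (alias != "")
                print alias, type, (owner != "" && owner == issuer ? "self-signed" : "not-self-signed")
            alias = type = owner = issuer = ""
        }
        /^Alias name: / { emit(); alias = substr($0, 13) }
        /^Entry type: / { type = substr($0, 13) }
        # Compare only the first certificate of each entry (the end-entity one).
        /^Owner: /  && owner == ""  { owner = substr($0, 8) }
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END { emit() }
    '
}

# Constructed sample in the layout keytool prints; not taken from a real domain.
sample_listing() {
    cat <<'EOF'
Your keystore contains 2 entries

Alias name: s1as
Creation date: Feb 14, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Example, O=Example Org, C=US
Issuer: CN=localhost, OU=Example, O=Example Org, C=US

*******************************************

Alias name: appcert
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=app.example.test, O=Example Org, C=US
Issuer: CN=Example Issuing CA, O=Example Org, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Org, C=US
Issuer: CN=Example Root CA, O=Example Org, C=US
EOF
}

# Real use: pipe either keytool command above into summarise_listing.
sample_listing | summarise_listing
```

An s1as line ending in self-signed on a production listener means clients cannot validate the server against a CA they already trust.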

Digging deeper

Default keys are generated during domain creation via asadmin's create-domain command.

Implementation is present in (in my case I refer to version 3.1.1):
see methods:
