Knowledge Base

Knowledge BaseCertificate Signing Request (CSR)

How to generate a CSR in GlassFish

Updated on June 13, 2026

Overview

By the end of this guide, you will have set the GlassFish keystore password, generated a key pair, and created a Certificate Signing Request (CSR) with keytool that you can submit to a Certificate Authority (CA). It explains the default Java KeyStore (JKS) files GlassFish uses, how to set a keystore password, how to verify your domain's WHOIS details before Domain Control Validation (DCV), and how to generate a 2048-bit RSA (Rivest-Shamir-Adleman) key and CSR.

About the GlassFish keystores

A new GlassFish domain includes a self-signed certificate (alias s1as) in DOMAIN_DIR/config/keystore.jks. This Java KeyStore (JKS) uses the default password "changeit". A second file, cacerts.jks, holds the root certificates from trusted authorities that GlassFish uses to verify certificates you purchase.

Step 1: Change the keystore password

Change the default keystore password and keep the new password safe — you will need it for every keystore operation and each time the domain starts:

keytool -storepasswd -keystore keystore.jks

When prompted, enter the current password ("changeit") and then your new password.

Step 2: Prepare for validation

Before requesting a certificate, check your domain's WHOIS record and correct any errors, especially the company name and email address. The Certificate Authority sends the Domain Control Validation (DCV) approval email to that address.

Step 3: Generate a key pair

Create a key pair in the keystore. The Certificate Authority requires a key size of at least 2048 bits. CN is your domain name, O is your company, L is the city, S is the state, and C is the two-letter country code:

keytool -keysize 2048 -genkey -alias mydomain.com -keyalg RSA \
-dname 'CN=mydomain.com, O=company, L=city, S=state, C=country' \
-keystore keystore.jks