
Thursday, 24 January 2019

Enabling SSL in Payara with certificate from Let's Encrypt.

In most cases the steps here are exactly the same as for the Glassfish application server [1].

So this might be a bit superfluous, but I include it in the interest of completeness.

Bear in mind that when you change the master password, this password is also used to re-encrypt all your keystores!

Let's Encrypt in cacerts.jks

I'm still using the Keystore Explorer for this. When you open up the cacerts.jks file, you'll see Let's Encrypt is already in there.

It's called 'letsencryptisrgx1 [jdk]'.

Add private key to keystore.jks

  1. "Open an existing keystore" in Keystore Explorer.
  2. Choose keystore.jks. Enter your master password to access the keystore.
  3. Delete the old "s1as" Key Pair.
  4. Import Key Pair.
  5. Select format PKCS#8.
  6. The "Encrypted private key" checkbox should be unchecked.
  7. The PKCS#8 private key file should be privkey.pem.
  8. The certificates file could be fullchain.pem.
  9. Enter the alias "s1as".
  10. Enter a password to seal the deal.
  11. Close and save.
  12. Restart the Payara domain.
  13. Done.

Interesting.

When attempting to restart the Payara domain, I used asadmin, and it immediately noticed that my keystore.jks file was changed. It showed me the certificate and asked:

Do you trust the above certificate [y|N]-->
Enter admin user name>
Enter admin password>

Restart your listener

Instead of having to restart your entire Payara domain, apparently it is also possible to just turn your http-listeners off and on.

That's what this little bit here is all about.

The command "asadmin list-http-listeners" shows you the listeners.

$ ./asadmin list-http-listeners
Enter admin user name> admin
Enter admin password for user "admin">
http-listener-1
http-listener-2
admin-listener
Command list-http-listeners executed successfully.

In order to examine the http listeners fully, it is best to list the different properties, like so:

$ ./asadmin list server.network-config.protocols.protocol.*
Enter admin user name> admin
Enter admin password for user "admin">
server.network-config.protocols.protocol.admin-http-redirect
server.network-config.protocols.protocol.admin-http-redirect.http-redirect
server.network-config.protocols.protocol.admin-listener
server.network-config.protocols.protocol.admin-listener.http
server.network-config.protocols.protocol.admin-listener.http.file-cache
server.network-config.protocols.protocol.http-listener-1
server.network-config.protocols.protocol.http-listener-1.http
server.network-config.protocols.protocol.http-listener-1.http.file-cache
server.network-config.protocols.protocol.http-listener-1.ssl
server.network-config.protocols.protocol.http-listener-2
server.network-config.protocols.protocol.http-listener-2.http
server.network-config.protocols.protocol.http-listener-2.http.file-cache
server.network-config.protocols.protocol.http-listener-2.ssl
server.network-config.protocols.protocol.pu-protocol
server.network-config.protocols.protocol.pu-protocol.port-unification
server.network-config.protocols.protocol.pu-protocol.port-unification.protocol-finder.admin-http-redirect
server.network-config.protocols.protocol.pu-protocol.port-unification.protocol-finder.http-finder
server.network-config.protocols.protocol.sec-admin-listener
server.network-config.protocols.protocol.sec-admin-listener.http
server.network-config.protocols.protocol.sec-admin-listener.http.file-cache
server.network-config.protocols.protocol.sec-admin-listener.ssl
Command list executed successfully.

We can see which ones have SSL enabled by using get:

$ ./asadmin get server.network-config.protocols.protocol.http-listener-2.security-enabled
server.network-config.protocols.protocol.http-listener-2.security-enabled=true
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.http-listener-1.security-enabled
server.network-config.protocols.protocol.http-listener-1.security-enabled=false
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.admin-listener.security-enabled
server.network-config.protocols.protocol.admin-listener.security-enabled=false
Command get executed successfully.
$ ./asadmin get server.network-config.protocols.protocol.sec-admin-listener.security-enabled
server.network-config.protocols.protocol.sec-admin-listener.security-enabled=true
Command get executed successfully.

As you may have noticed above, the admin-listener defines a redirect (admin-http-redirect) to the sec-admin-listener.

Let's turn http-listener-2 off and on again and see if it picks up the new certificate.

./asadmin set server.network-config.network-listeners.network-listener.http-listener-2.enabled=false
Command get executed successfully.
./asadmin set server.network-config.network-listeners.network-listener.http-listener-2.enabled=true
Command get executed successfully.

Yes! We have a green lock icon in the Firefox address bar! Success!

For some reason this little action also caused the new certificate to be picked up by the admin listener of the administration console.

Automation

Apparently it's possible to automate the whole thing, and there's a Python script in the Payara application server, payara5/bin/letsencrypt.py, that lets you do that.

There's more information available on the website of Certbot on how to automate it, see in the references below.
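The KeyStore Explorer steps and the listener toggle from the sections above can be scripted. The following is an added example, not from this post and not Payara's letsencrypt.py: it imports certbot's privkey.pem and fullchain.pem into keystore.jks as the s1as key pair via a PKCS#12 bundle and then bounces http-listener-2 with asadmin. The certbot live-directory layout, the DOMAIN_DIR and KEYSTORE_PASS variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post, nor Payara's letsencrypt.py): replace the
# "s1as" key pair in keystore.jks with certbot's privkey.pem + fullchain.pem,
# then bounce the HTTPS listener. Assumptions: certbot's /etc/letsencrypt/live
# layout, openssl/keytool/asadmin on PATH, DOMAIN_DIR = the Payara domain
# directory, KEYSTORE_PASS = the master password (read from the environment).
set -eu

# Count the certificates in a PEM file: fullchain.pem holds the leaf plus the
# intermediates, cert.pem holds only the leaf.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Refuse a chain file that is unbalanced or holds a single certificate: with an
# incomplete chain keytool cannot establish the chain of trust on import.
check_fullchain() {
    begins=$(pem_cert_count "$1")
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -eq "$ends" ] || { echo "unbalanced PEM blocks in $1" >&2; return 1; }
    [ "$begins" -ge 2 ] || { echo "$1 has $begins certificate(s); use fullchain.pem" >&2; return 1; }
}

# Replace the s1as entry: the command-line equivalent of the KeyStore Explorer
# "Import Key Pair" steps. Key and chain travel through a private PKCS#12 file.
import_le_keypair() {
    live=/etc/letsencrypt/live/$1
    ks=$DOMAIN_DIR/config/keystore.jks
    check_fullchain "$live/fullchain.pem"
    p12=$(mktemp)
    chmod 600 "$p12"
    openssl pkcs12 -export -name s1as -inkey "$live/privkey.pem" \
        -in "$live/fullchain.pem" -out "$p12" -passout env:KEYSTORE_PASS
    cp -p "$ks" "$ks.backup"            # keep a copy, as the 2015 post advises
    keytool -delete -alias s1as -keystore "$ks" -storepass:env KEYSTORE_PASS || true
    # Glassfish/Payara expect the key password to equal the master password.
    keytool -importkeystore -noprompt -srcalias s1as -destalias s1as \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
        -destkeystore "$ks" -deststorepass:env KEYSTORE_PASS -destkeypass:env KEYSTORE_PASS
    rm -f "$p12"
}

# Turn a network listener off and on so it reloads the key pair, instead of
# restarting the whole domain (the post does this with http-listener-2).
bounce_listener() {
    base=server.network-config.network-listeners.network-listener
    asadmin set "$base.$1.enabled=false"
    asadmin set "$base.$1.enabled=true"
}

# Write a constructed two-certificate PEM file (fake bodies, for testing only).
write_sample_chain() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedLeaf=' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedIntermediate=' '-----END CERTIFICATE-----' > "$1"
}

# Run the whole procedure only when a domain name is given on the command line.
if [ $# -ge 1 ]; then
    : "${DOMAIN_DIR:?set DOMAIN_DIR to the Payara domain directory}"
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore master password}"
    import_le_keypair "$1"
    bounce_listener http-listener-2
fi
```

The PEM sanity check runs offline; the import itself needs openssl, keytool and asadmin. With OpenSSL 3 and an older JDK 8, keytool may not read the PKCS#12 file's default PBES2 encryption, in which case openssl's -legacy option is the usual workaround.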

References

[1] Enabling SSL in Glassfish with certificate from Let's Encrypt.
https://randomthoughtsonjavaprogramming.blogspot.com/2019/01/enabling-ssl-in-glassfish-with.html
Payara Blog - Securing Payara Server with Custom SSL Certificate
https://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate
Payara Blog - Configuring SSL/TLS Certificates with Payara Server and Let's Encrypt
https://blog.payara.fish/configuring-ssl/tls-certificates-with-payara-server-and-lets-encrypt
Github.com - PAYARA-1061 LetsEncrypt integration script
https://github.com/payara/Payara/pull/2727
Certbot - User Guide
https://certbot.eff.org/docs/using.html
Keystore Explorer
https://keystore-explorer.org/

Thursday, 10 January 2019

Enabling SSL in Glassfish with certificate from Let's Encrypt.

I wished to use the certificates of Let's Encrypt [1] for my website/glassfish.

I installed certbot using the manual found on the certbot website [2].

Make sure you are not running a website at the time, because Let's Encrypt's challenge to verify that you own the domain is done by running a small web server.

Getting certificates

[root@localhost certificates]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): www.mrbear.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.mrbear.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.mrbear.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.mrbear.org/privkey.pem
   Your cert will expire on 2019-01-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Converting PEM

So now I have the necessary PEM files. Now to add them to my keystore and cacerts.

[root@mrbear config]# keytool -import -v -trustcacerts -alias letsencrypt -file /etc/letsencrypt/live/www.mrbear.org/fullchain.pem -keystore cacerts.jks -storepass itsasecret
... lots of text...
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B6 90 77 77 F6 3B DF 0C   C3 29 25 B5 56 29 EB CF  ..ww.;...)%.V)..
0010: 5D FD 3B 07                                        ].;.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing cacerts.jks]

I received a warning.

Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

I did just that.

[root@mrbear config]# keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12
Enter source keystore password:
Entry for alias godaddy successfully imported.
Entry for alias godaddy2 successfully imported.
Entry for alias glassfish-instance successfully imported.
Entry for alias s1as successfully imported.
Import command completed:  4 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "keystore.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "keystore.jks.old".
[root@mrbear config]#

I got a java.security.cert.CertificateParsingException: signed fields invalid when trying to import the Let's Encrypt keys.

I didn't know how to resolve it, so I decided to go with KSE, the KeyStore Explorer [3].

Verify key

openssl rsa -in /etc/letsencrypt/live/www.mrbear.org/privkey.pem -check

Glassfish Admin console and HTTPS

I had some issues with the admin console which is also behind https.

There's a StackOverflow answer [4] that helped me.

Running renew

In order to renew my keys with Let's Encrypt, all I need to do is run "certbot renew" apparently.

I get the message that it cannot validate my domain. Apparently it needs to spin up a web server again.

[root@mrbear ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.mrbear.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.mrbear.org
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.mrbear.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.mrbear.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Still using KSE, which is awesome, to change keystore.jks.

Steps taken:

  1. Delete the old "s1as" Key Pair.
  2. Import Key Pair.
  3. Select format PKCS#8.
  4. The "Encrypted private key" checkbox should be unchecked.
  5. The PKCS#8 private key file should be privkey.pem.
  6. The certificates file could be chain.pem.
  7. Enter the alias "s1as".
  8. Enter a password to seal the deal.
  9. Close and save.
  10. Restart Glassfish.
  11. Done.

References

[1] Let's Encrypt
https://letsencrypt.org/
[2] Certbot
https://certbot.eff.org/
[3] SourceForge - Keystore-Explorer
http://keystore-explorer.sourceforge.net/
[4] StackOverflow - Glassfish V4 ssl admin no longer works
https://stackoverflow.com/questions/34935725/glassfish-v4-ssl-admin-no-longer-works/34952975

Wednesday, 1 February 2017

Extending SSL Certificate in Glassfish

This is a follow-up to the blog post SSL Certificates in Glassfish.

The reason for this follow-up is that signing of websites and code seems to be a very error-prone and manual process, done infrequently enough for all of us to forget afterwards.

It basically follows the same path as the previous blog post, but I find it convenient to write things down, in case I forget.

Now the certificate on my website had expired, and it took me a while before I found the time and the motivation to extend the certificate.

I'm still with GoDaddy.com [4]. Thankfully, the CSR was already transmitted last year, and I can just reuse that one.

Once I submit the CSR, I am required to verify that I am the owner of the domain. This time, thank goodness, it requires nothing more than clicking a link sent to the email address stored in the WHOIS information.

Nothing like putting a file in the root folder of the web server or some such, like the first time.

Once that is done, I need to download the new certificates from godaddy.com. They ask for the type of web server that they need to generate the certificates for. Glassfish is not mentioned anywhere, so I select "Other".

The zip file I then receive contains the same files as mentioned in my previous blog post [1].

As I already installed all the root certificates, I choose to ignore the gd_bundle-g2-g1.crt file.

The more interesting file is the 2375839yrghfs5e7f.crt file.

Replace the original self-signed certificate with the certificate you obtained from the CA

[glassfish@server config]$ keytool -import -v -trustcacerts -alias s1as -file /home/glassfish/junk/2375839yrghfs5e7f.crt -keystore keystore.jks -storepass changeit
Certificate reply was installed in keystore
[Storing keystore.jks]

Verifying the keystore.jks

You can verify that all is well by listing the keystore again (keytool -list -v -keystore keystore.jks). You will see something like the following:
Alias name: s1as
Creation date: Feb 1, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=www.server.org, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 8446c5db57d376ed
Valid from: Wed Feb 01 14:27:00 CET 2017 until: Thu Feb 01 14:27:00 CET 2018
Certificate fingerprints:
         MD5:  75:7a:73:67:72:6a:6b:73:65:72:6e:79:20:62:61:77
         SHA1: 75:7a:73:67:72:6a:6b:73:65:72:6e:79:20:62:61:77:79:20:72:67
         SHA256: 75:7a:73:67:72:6a:6b:73:65:72:6e:79:20:62:61:77:79:20:72:67:68:20:61:77:65:72:3c:6f:3b:20:59:38
         Signature algorithm name: SHA256withRSA
         Version: 3
This shows that, as of today, the keystore holds a valid certificate, valid for exactly one year.

To apply your changes, restart GlassFish Server, according to the chapter "To Sign a Certificate by Using keytool" [2].

Verifying after reboot

Earlier, when issuing the openssl command:
openssl s_client -connect www.server.org:4848
The result was:
SSL handshake has read 15360 bytes and written 339 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5891E20F7C4FA7CBFA6ABF7E0EC6EC2D40C2CB4A148EFCEAE7F3179F5F80763F
    Session-ID-ctx: 
    Master-Key: B8C7BA7AC15244DC581749AC9702609F8EB1BCE03F5B0CD53ECEE382D93877EBF6D5E3FE9F603D6D8253521A29EEB494
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1485956532
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
Notice especially that last bit.

Once Glassfish was rebooted, the same command yields:
SSL handshake has read 15370 bytes and written 339 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5891E99B097CCC082475F5949A55ABD71C7AED902725AA6E98E77EAA3FC7BF01
    Session-ID-ctx: 
    Master-Key: 9465D76CDC8D4CA19E46B2367ECD35382BA8049707BBF1D4D06E0389E85F724BA646F3C2C9FD45CF256C12ED9A0714F0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1485958464
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Again, I would like to draw your attention to the last line.

And that's it for now!

References

[1] SSL Certificates in Glassfish
http://randomthoughtsonjavaprogramming.blogspot.nl/2015/10/ssl-certificates-in-glassfish.html
[2] GlassFish Server Open Source Edition Security Guide Release 4.0
https://glassfish.java.net/docs/4.0/security-guide.pdf
[3] GlassFish Server Open Source Edition Administration Guide Release 4.0
https://glassfish.java.net/docs/4.0/administration-guide.pdf
[4] GoDaddy: Hosting, domain registration, websites and more...
http://www.godaddy.com
SSLShopper - most common java keytool keystore commands
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
SSLShopper - SSL Certificate Verification
https://www.sslshopper.com/ssl-checker.html

Thursday, 15 October 2015

SSL Certificates in Glassfish

There are two files in Glassfish [1], to wit:
  • ./glassfish/domains/domain1/config/keystore.jks
  • ./glassfish/domains/domain1/config/cacerts.jks
The way I read it, your private keys are stored in keystore.jks, and the root and intermediate certificates of Certificate Authorities (CAs) are stored in cacerts.jks. When configured correctly, these two files should contain all the certificates needed to build the required chain of trust.

Checking out the keystore can be done using the following command line:
keytool -list -v -keystore keystore.jks
The default keystore password is "changeit".
You get the following:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: glassfish-instance
Creation date: May 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Issuer: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Serial number: 43ce5f77
Valid from: Wed May 15 07:33:41 CEST 2013 until: Sat May 13 07:33:41 CEST 2023
Certificate fingerprints:
MD5: C0:FA:88:64:36:7A:1B:62:1B:F1:BD:8F:5A:7A:9A:E7
SHA1: B1:FA:A8:2B:7C:83:18:A8:9B:C6:46:50:41:EC:FC:7C:DF:69:B3:33
SHA256: 52:AB:1F:37:75:68:92:8F:3D:02:49:D7:3C:8E:BC:53:76:9B:68:E2:B8:83:AF:ED:4C:39:99:FE:45:F1:F1:67
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 56 50 2C 8F D9 A2 55 80 18 8F 3D 90 AC 77 28 C3 VP,...U...=..w(.
0010: FE A0 55 F6 ..U.
]
]
*******************************************
*******************************************
Alias name: s1as
Creation date: May 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Issuer: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Serial number: 4a9972f
Valid from: Wed May 15 07:33:38 CEST 2013 until: Sat May 13 07:33:38 CEST 2023
Certificate fingerprints:
MD5: 79:0D:FC:CF:99:32:2B:BE:77:36:40:4A:14:E1:2D:91
SHA1: 4A:57:58:F5:92:79:E8:2F:2A:91:3C:83:CA:65:8D:69:64:57:5A:72
SHA256: AB:48:B2:E6:C4:4C:50:86:7F:B3:70:30:83:F1:CE:E8:06:F4:B5:75:F0:E3:AD:5B:23:38:10:02:A8:85:F5:56
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4C 05 82 BD 8C 02 B8 05 00 04 14 0A FB 29 AA F7 L............)..
0010: 48 6C CB 86 Hl..
]
]

*******************************************
*******************************************
There's also a keystore that comes bundled with your Java installation; usually it can be found somewhere in the security directory.
You can view all the certificates in there using:
keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.60-2.b27.el7_1.x86_64/jre/lib/security/cacerts

Backup your keystore.jks

Just a simple copy will do.
cp keystore.jks keystore.jks.backup

Delete the default self-signed certificate

keytool -delete -alias s1as -keystore keystore.jks -storepass changeit

Generating a certificate request

The request we are about to generate is submitted to the Certificate Authority. For more information, see the chapter "To Sign a Certificate by Using keytool" in [1]. Using RSA gives a default key size of 2048.
[glassfish@vps386 config]$ keytool -genkeypair -keyalg RSA -keystore keystore.jks -validity 365 -alias s1as
Enter keystore password:
What is your first and last name?
[Unknown]: www.hostname.org
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=www.hostname.org, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for
(RETURN if same as keystore password):
[glassfish@vps386 config]$
The CSR (Certificate Signing Request) can then be generated into the file s1as.csr:
keytool -certreq -alias s1as -file s1as.csr -keystore keystore.jks -storepass changeit
Viewing the generated file should look something like the following:
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

Submit the CSR to a Certificate Authority

I did this using GoDaddy.Com. Most CAs have a web interface that provides this functionality.

Download the CA certificates and any intermediate CA certificates

This is where it gets a little problematic. I keep hearing that a lot of CAs do not provide all or the proper certificates in the download, and you are forced to check out their public repository for the right files.

Then there are all the possible formats in which the certificates can be stored.

Downloading the zip file from GoDaddy.com gave me the following files:
  • gd_bundle-g2-g1.crt: the root and intermediate certificates of your CA
  • b9683876305fc322.crt: your private certificate, which should be kept private

Check out the CA certificates

keytool -printcert -v -file gd_bundle-g2-g1.crt

Import the CA certificate and any intermediate CA certificates

keytool -import -v -trustcacerts -alias godaddy -file /home/glassfish/junk/gd_bundle-g2-g1.crt -keystore cacerts.jks -storepass changeit
Certificate was added to keystore
[Storing cacerts.jks]

Replace the original self-signed certificate with the certificate you obtained from the CA

keytool -import -v -trustcacerts -alias s1as -file /home/glassfish/junk/b9683876305fc322.crt -keystore keystore.jks -storepass changeit

Verify the certificate chain

Unfortunately, not providing all the certificates required to build up the chain will cause an exception when adding your private key [4].

openssl s_client -connect www.karchan.org:4848
This shows the following certificate chain:
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=www.karchan.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Another way to verify the chain is by using Microsoft Windows.
In Linux, I find that the Keystore-Explorer [5] fulfills my needs.
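The two posts above verify the served chain by reading openssl s_client output by eye: the "Verify return code" line in the 2017 post and the "Certificate chain" block here. Here is an added example, not from either post, that turns that reading into a scripted check: it fails when the verify code is non-zero or when consecutive certificates do not link issuer to subject. The sample output and the Example CA names are constructed.

```shell
#!/bin/sh
# Added example (not from the posts): turn the openssl s_client output that the
# 2017 and 2015 posts read by eye into a pass/fail check. Pipe the captured
# output in, e.g. openssl s_client -connect host:4848 </dev/null 2>&1 | verify_chain
set -eu

# Extract the number from "Verify return code: N (...)": 0 is ok, 10 is the
# expired certificate seen in the 2017 post before the reboot.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Walk the "Certificate chain" block: cert N has a subject line "N s:..." and
# an issuer line "i:...". The issuer of cert N must equal the subject of cert
# N+1, otherwise the server is not sending a linked chain (missing intermediate).
chain_linked() {
    awk '
        BEGIN { n = 0 }
        /^Certificate chain/ { inchain = 1; next }
        inchain && /^---/ { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        inchain && /^ *i:/ { sub(/^ *i:/, ""); iss[n] = $0; n++ }
        END {
            if (n == 0) { print "no certificate chain found"; exit 1 }
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) { print "chain breaks after cert " k; exit 1 }
            print n " certificate(s), linked"
        }'
}

# Pass only when the served chain links and the verify return code is 0.
verify_chain() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | verify_code)
    link=$(printf '%s\n' "$out" | chain_linked) || { echo "FAIL: $link"; return 1; }
    [ "${code:-missing}" = 0 ] || { echo "FAIL: verify return code ${code:-missing}"; return 1; }
    echo "OK: $link"
}

# Constructed s_client output in the format shown in the posts (fake names);
# the argument supplies the "Verify return code" value, e.g. '0 (ok)'.
sample_output() {
    cat <<'EOF'
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.org
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
SSL-Session:
    Protocol  : TLSv1.2
EOF
    echo "    Verify return code: $1"
}
```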

References

[1] GlassFish Server Open Source Edition Security Guide Release 4.0
https://glassfish.java.net/docs/4.0/security-guide.pdf
[2] GlassFish Server Open Source Edition Administration Guide Release 4.0
https://glassfish.java.net/docs/4.0/administration-guide.pdf
[3] Java Dude Blog - Glassfish V3.1.2 and SSL
https://javadude.wordpress.com/2013/03/22/glassfish-v3-1-2-and-ssl//
[4] StackOverflow - Keytool error java lang exception failed to establish chain from reply
http://stackoverflow.com/questions/23611688/keytool-error-java-lang-exception-failed-to-establish-chain-from-reply
[5] SourceForge - Keystore-Explorer
http://keystore-explorer.sourceforge.net/