Navigate to Configuration - Global - Security Token Service.

10-78 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

b. Generate a Certificate Signing Request (CSR) by issuing the following command:

    keytool -certreq -alias owsm -file owsm.csr -keystore keystore.jks -storepass changeit

   The request that is generated and written to the owsm.csr file needs to be submitted to a Certificate Authority in order to get a valid certificate; for example, the Certificate Management Server maintained by the OpenSSO QA team at https://mahogany.red.iplanet.com.

c. Access the Certificate Management Server at https://mahogany.red.iplanet.com, click SSL Server in the left pane, and paste the contents of the .csr file, starting from BEGIN CERTIFICATE REQUEST and ending at END CERTIFICATE REQUEST, into the PKCS #10 Request field. Fill out the other fields, as appropriate, and submit the request. Once the request is approved, the certificate can be retrieved from the Retrieval tab on the same page.

d. Copy the certificate content (PKCS #7 format), starting from BEGIN CERTIFICATE to END CERTIFICATE, into a file with a .cert extension and import the server certificate into the glassfish_install_dir/domains/sts_deploy_domain/config/keystore.jks file by using the following keytool command:

    keytool -import -v -alias owsm -file owsm.cert -keystore keystore.jks -storepass changeit

   Enter YES when prompted if you trust the certificate.

e. Access the Certificate Authority's SSL Certificate. Go to https://mahogany.red.iplanet.com and navigate to SSL Server - Retrieval tab - List Certificates - Find. Click on the first Details button on the page and copy the Base 64 encoded certificate into another .cert file. For example: mahogany.cert

f. Import this certificate with the alias rootca into the glassfish_install_dir/domains/sts_deploy_domain/config/cacerts.jks file, using the following command:

    keytool -import -v -alias rootca -file mahogany.cert -keystore cacerts.jks -storepass changeit

g. The previous step may need to be repeated for the client-side truststore.jks file. Delete any existing rootca aliases from that file and import the new one as shown above, changing the location of the keystore file.

h. To configure GlassFish with the new certificate, access the Administration Console at http://hostname:admin-port. Navigate to Configuration - HTTP Service - http-listener2 (default SSL enabled port) - SSL, and change the certificate nickname from s1as (self-signed cert) to owsm.

i. Restart GlassFish.
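
A way to confirm the imports in steps d and f took effect before restarting, as an added example that is not part of the guide: the hypothetical helper alias_status reads `keytool -list -v` output on stdin and classifies one alias. The two listings are constructed, abridged samples, and English-locale keytool output is assumed.

```shell
# Added example, not from the guide. Real use, with the store and password above:
#   keytool -list -v -keystore keystore.jks -storepass changeit | alias_status owsm
alias_status() {
  awk -v want="$1" '
    /^Alias name: /          { name = substr($0, 13); got_leaf = 0 }
    name != want             { next }
    /^Entry type: /          { etype = substr($0, 13); found = 1 }
    /^Owner: /  && !got_leaf { owner = substr($0, 8) }
    /^Issuer: / && !got_leaf { issuer = substr($0, 9); got_leaf = 1 }
    END {
      if (!found)                           print "missing"
      else if (etype == "trustedCertEntry") print "trusted-cert"
      else if (etype != "PrivateKeyEntry")  print "other"
      else if (owner == issuer)             print "self-signed-key"
      else                                  print "ca-signed-key"
    }'
}

# Constructed sample: keystore.jks after step d (s1as untouched, owsm replaced).
sample_keystore() {
  cat <<'EOF'
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=localhost, O=Example
Issuer: CN=localhost, O=Example

Alias name: owsm
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=sts.example.com, O=Example
Issuer: CN=Example Test CA, O=Example
Certificate[2]:
Owner: CN=Example Test CA, O=Example
Issuer: CN=Example Test CA, O=Example
EOF
}

# Constructed sample: cacerts.jks after step f.
sample_cacerts() {
  cat <<'EOF'
Alias name: rootca
Entry type: trustedCertEntry

Owner: CN=Example Test CA, O=Example
Issuer: CN=Example Test CA, O=Example
EOF
}
```

After step d, owsm in keystore.jks should report ca-signed-key, and after step f rootca in cacerts.jks should report trusted-cert. A result of self-signed-key for owsm means the CA reply was not installed on the key entry, and trusted-cert for owsm means the certificate went into a store that does not hold the matching private key.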