How to generate a CSR code on GlassFish

GlassFish uses keystores (.jks files) to store certificates and private keys. For Glassfish, it is recommended to generate a CSR using the keytool command line utility.

First, a new keystore needs to be created. The following command can be used to generate a new keystore with a private key:

keytool -genkey -alias myalias -keyalg RSA -keysize 2048 -keystore mykeystore.jks

It is recommended to replace myalias and mykeystore with the alias and filename of your choice.

You will be prompted to set a password for this keystore (at least 6 characters are required). The keystore password and private key password must be the same as the Glassfish master password for the domain. The default master password is “changeit” and can be changed by running the change-master-password subcommand of the asadmin utility.

After that keytool will ask you to fill out some contact details. Here are the fields that will need to be filled out:

  • What is your first and last name? (Common Name) this is where the domain needs to be specified. For single-domain or multi-domain certificates, you can enter (or for a subdomain). For wildcard certificates, it should be specified in the following format: * (or *
  • What is the name of your organizational unit? (Organization Unit) - the company department requesting the certificate; this field can be skipped.
  • What is the name of your organization? (Organization) the company name goes here; if there is no company, you can enter “NA”.
  • What is the name of your City or Locality? (Locality)
  • What is the name of your State or Province? (State)
  • What is the two-letter country code for this unit? (Country) the country needs to be entered as a 2-letter ISO-compliant country code; you can always check the correct country code here:


All entered details will be displayed for a review; if everything is correct enter “yes” or just “y”.

You will also be asked to set a key password which will be used to secure the private key. You can press Enter to make this password the same as the keystore password.

Below is an example of filling out these fields:

Now there is a keystore file containing the private key in the directory where the command was run, and a CSR can be generated with the next keytool command:

keytool -certreq -alias myalias -file domain.csr -keystore mykeystore.jks

In this command, myalias and mykeystore.jks are the same as in the first command, and domain.csr should be replaced with a custom filename. After running the command, you will have a domain.csr file in the same directory with the keystore.

You can open the CSR file with any text editor (e.g., nano), or output it to the console using the cat command:

Before submitting the CSR, we recommend checking it for possible issues by decoding it on

Now that you have a CSR, you can proceed with certificate activation in your account.

Additionally, you can visit the official Oracle documentation for more detailed instructions on keytool usage.


Powered by Zendesk