Skip to main content

Gluu Server CE Cert import

🎯 Purpose

This guide explains how to securely fetch a self-signed or internal TLS certificate from your Gluu server (gluu.mslspartners.com), import it into the Java truststore, and restart Gluu services to establish trusted HTTPS communication internally.

🧰 Prerequisites

  • πŸ§‘β€πŸ’» Root or sudo access to the Gluu server
  • 🌐 Domain name of your Gluu server: gluu.mslspartners.com
  • πŸ”‘ Java truststore password (default: changeit or custom)
  • πŸ“¦ Installed tools: openssl, keytool, awk

πŸš€ Step-by-Step Instructions

1️⃣ Create a Script File

nano /root/import-gluu-cert.sh

2️⃣ Paste the Script Below

#!/bin/bash

DOMAIN="gluu.mslspartners.com"
CERT_PATH="/etc/certs/gluu-full-chain.crt"
KEYSTORE_PATH="/opt/jre/lib/security/cacerts"
KEYSTORE_PASS="changeit"
ALIAS="gluu-remote"

echo "πŸ” Fetching certificate from $DOMAIN..."
openssl s_client -showcerts -connect ${DOMAIN}:443 </dev/null \
  | awk '/BEGIN CERT/,/END CERT/ { print }' > "$CERT_PATH"

if [[ $? -ne 0 ]]; then
  echo "❌ Failed to retrieve certificate."
  exit 1
fi

echo "πŸ—‘οΈ Removing old certificate (if it exists)..."
keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASS" 2>/dev/null

echo "βž• Importing new certificate..."
keytool -import -alias "$ALIAS" \
  -keystore "$KEYSTORE_PATH" \
  -trustcacerts -file "$CERT_PATH" \
  -storepass "$KEYSTORE_PASS" -noprompt

echo "πŸ” Restarting Gluu services..."
/root/restart-gluu.sh

echo "βœ… Import complete!"

3️⃣ Make the Script Executable

chmod +x /root/import-gluu-cert.sh

4️⃣ Run the Script

/root/import-gluu-cert.sh

πŸ” Verifying Certificate Import

πŸ“„ Check Certificate in Truststore:

keytool -list -keystore /opt/jre/lib/security/cacerts -storepass changeit | grep gluu-remote

πŸ” Confirm Active Truststore:

/opt/jre/bin/java -XshowSettings:properties -version 2>&1 | grep trustStore

πŸ“† Check Issuer and Subject:

openssl x509 -in /etc/certs/gluu-full-chain.crt -noout -issuer -subject

πŸ›  Troubleshooting

  • ❗ Trust path errors: Ensure the full certificate chain is present in gluu-full-chain.crt.
  • πŸ“ Missing file? Double-check /etc/certs/ exists and is writable.
  • πŸ”’ Permission denied? Make sure you’re running commands as root.
  • πŸ“œ Service won't restart? Check logs under /opt/gluu/jetty/<component>/logs/.

πŸ“ Notes

  • This method is tailored for internal/self-signed Gluu certificates.
  • For public CA certificates, ensure the full chain is valid and trusted by your system.
  • The script assumes a restart script exists at /root/restart-gluu.sh.
Back to top