Gluu Server CE Cert import

🎯 Purpose

This guide explains how to securely fetch a self-signed or internal TLS certificate from your Gluu server (gluu.mslspartners.com), import it into the Java truststore, and restart Gluu services to establish trusted HTTPS communication internally.


🧰 Prerequisites

    🧑‍💻 Root or sudo access to the Gluu server
    Domain name of your Gluu server: gluu.mslspartners.com
    🔑 Java truststore password (default: changeit or custom)
    📦 Installed tools: openssl, keytool, awk

🚀 Step-by-Step Instructions

1️⃣ Create a Script File

    nano /root/import-gluu-cert.sh

    2๏ธโƒฃ Paste the Script Below

    #!/bin/bash
    # Fetch the certificate chain presented by the Gluu server and import it
    # into the Java truststore used by the Gluu services.
    #
    # pipefail makes the pipeline below fail when openssl fails, not only when
    # awk fails; otherwise a connection error would leave an empty file and
    # still report success.
    set -o pipefail
    
    DOMAIN="gluu.mslspartners.com"
    CERT_PATH="/etc/certs/gluu-full-chain.crt"
    KEYSTORE_PATH="/opt/jre/lib/security/cacerts"
    KEYSTORE_PASS="changeit"
    ALIAS="gluu-remote"
    
    echo "Fetching certificate from $DOMAIN..."
    # -servername sends SNI so a name-based virtual host returns the right
    # certificate; awk keeps only the PEM blocks from the s_client output.
    openssl s_client -showcerts -servername "$DOMAIN" -connect "${DOMAIN}:443" </dev/null \
      | awk '/BEGIN CERT/,/END CERT/ { print }' > "$CERT_PATH"
    
    # Reject both a failed pipeline and an empty result file.
    if [[ $? -ne 0 || ! -s "$CERT_PATH" ]]; then
      echo "❌ Failed to retrieve certificate."
      exit 1
    fi
    
    echo "🗑️ Removing old certificate (if it exists)..."
    # keytool reports an error when the alias is not present yet; that is expected.
    keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASS" 2>/dev/null
    
    echo "➕ Importing new certificate..."
    # keytool stores only the first certificate in the file (the server's leaf
    # certificate) under this alias.
    keytool -import -alias "$ALIAS" \
      -keystore "$KEYSTORE_PATH" \
      -trustcacerts -file "$CERT_PATH" \
      -storepass "$KEYSTORE_PASS" -noprompt || exit 1
    
    echo "Restarting Gluu services..."
    /root/restart-gluu.sh
    
    echo "✅ Import complete!"
    

    3๏ธโƒฃ Make the Script Executable

    chmod +x /root/import-gluu-cert.sh

    4๏ธโƒฃ Run the Script

    /root/import-gluu-cert.sh

    ๐Ÿ” Verifying Certificate Import

    ๐Ÿ“„ Check Certificate in Truststore:

    keytool -list -keystore /opt/jre/lib/security/cacerts -storepass changeit | grep gluu-remote

    ๐Ÿ” Confirm Active Truststore:

    /opt/jre/bin/java -XshowSettings:properties -version 2>&1 | grep trustStore

📆 Check Issuer and Subject:

    openssl x509 -in /etc/certs/gluu-full-chain.crt -noout -issuer -subject

🛠 Troubleshooting

    ❗ Trust path errors: Ensure the full certificate chain is present in gluu-full-chain.crt.
    Missing file? Double-check /etc/certs/ exists and is writable.
    🔒 Permission denied? Make sure you're running commands as root.
    📜 Service won't restart? Check logs under /opt/gluu/jetty/<component>/logs/.

      ๐Ÿ“ Notes

        This method is tailored for internal/self-signed Gluu certificates. For public CA certificates, ensure the full chain is valid and trusted by your system. The script assumes a restart script exists at /root/restart-gluu.sh.