Skip to main content

Gluu Server CE Cert import

🎯 Purpose

This guide outlines the process to securely log into the Gluu Server virtual machine (VM), retrieve the Gluu server's TLS certificate, import it into the Java truststore, and restart services to enable trusted internal HTTPS communication.

πŸ” Logging into the Gluu VM

  1. πŸ–₯️ Open a terminal or SSH client on your admin machine.
  2. πŸ”Œ Connect to your Gluu Server via SSH: 
    ssh root@your-gluu-server-ip
  3. πŸ’‘ If Gluu is running locally (e.g., in Proxmox/XCP-ng), log in via the hypervisor console directly as root.

🧰 Prerequisites

  • Root or sudo access to the Gluu VM
  • Domain name of Gluu: gluu.mslspartners.com
  • Java truststore password (default: changeit or custom)
  • Tools: openssl, keytool, awk

πŸš€ Step-by-Step Instructions

1️⃣ Create the Script

nano /root/import-gluu-cert.sh

2️⃣ Paste the Script Below

#!/bin/bash

DOMAIN="gluu.mslspartners.com"
CERT_PATH="/etc/certs/gluu-full-chain.crt"
KEYSTORE_PATH="/opt/jre/lib/security/cacerts"
KEYSTORE_PASS="changeit"
ALIAS="gluu-remote"

echo "πŸ” Fetching certificate from $DOMAIN..."
openssl s_client -showcerts -connect ${DOMAIN}:443 </dev/null \
  | awk '/BEGIN CERT/,/END CERT/ { print }' > "$CERT_PATH"

if [[ $? -ne 0 ]]; then
  echo "❌ Failed to retrieve certificate."
  exit 1
fi

echo "πŸ—‘οΈ Removing old certificate (if any)..."
keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASS" 2>/dev/null

echo "βž• Importing new certificate..."
keytool -import -alias "$ALIAS" \
  -keystore "$KEYSTORE_PATH" \
  -trustcacerts -file "$CERT_PATH" \
  -storepass "$KEYSTORE_PASS" -noprompt

echo "πŸ” Restarting Gluu services..."
/root/restart-gluu.sh

echo "βœ… Import and restart complete!"

3️⃣ Make the Script Executable

chmod +x /root/import-gluu-cert.sh

4️⃣ Run the Script

/root/import-gluu-cert.sh

πŸ” Verifying Certificate Import

🧾 Check Truststore Entry:

keytool -list -keystore /opt/jre/lib/security/cacerts -storepass changeit | grep gluu-remote

πŸ”’ Check Active Truststore in Java:

/opt/jre/bin/java -XshowSettings:properties -version 2>&1 | grep trustStore

πŸ“› Confirm Issuer/Subject:

openssl x509 -in /etc/certs/gluu-full-chain.crt -noout -issuer -subject

πŸ›  Troubleshooting

  • ❗ SSL Errors: Usually mean the cert isn't trusted. Double-check import step.
  • πŸ”’ Permission Denied: Ensure you're running as root.
  • 🧱 Service Not Restarting: Review logs in /opt/gluu/jetty/<app>/logs/.

πŸ“˜ Notes

  • This guide is for internal/self-signed Gluu certificates.
  • Public CA certs usually don’t require this step unless using a non-standard CA.
  • The script assumes a restart script exists at /root/restart-gluu.sh.
Back to top