Gluu Server CE Cert import

🎯 Purpose

This guide ~~explains~~outlines ~~how~~the process to securely ~~fetch~~log ainto ~~self-signed~~the orGluu ~~internal~~Server virtual machine (VM), retrieve the Gluu server's TLS ~~certificate from your Gluu server (~~gluu.mslspartners.com),certificate, import it into the Java truststore, and restart ~~Gluu~~ services to ~~establish~~enable trusted internal HTTPS ~~communication~~communication.

~~internally.~~

🔐 Logging into the Gluu VM

🖥️ Open a terminal or SSH client on your admin machine.

🔌 Connect to your Gluu Server via SSH:
```
ssh root@your-gluu-server-ip
```

💡 If Gluu is running locally (e.g., in Proxmox/XCP-ng), log in via the hypervisor console directly as root.

🧰 Prerequisites

~~🧑‍💻~~ Root or sudo access to the Gluu ~~server~~VM
🌐 Domain name of ~~your Gluu server:~~Gluu: gluu.mslspartners.com
🔑 Java truststore password (default: changeit or custom)
~~📦 Installed tools:~~Tools: openssl, keytool, awk

🚀 Step-by-Step Instructions

1️⃣ Create athe Script File

nano /root/import-gluu-cert.sh

2️⃣ Paste the Script Below

#!/bin/bash

DOMAIN="gluu.mslspartners.com"
CERT_PATH="/etc/certs/gluu-full-chain.crt"
KEYSTORE_PATH="/opt/jre/lib/security/cacerts"
KEYSTORE_PASS="changeit"
ALIAS="gluu-remote"

echo "🔐 Fetching certificate from $DOMAIN..."
openssl s_client -showcerts -connect ${DOMAIN}:443 </dev/null \
  | awk '/BEGIN CERT/,/END CERT/ { print }' > "$CERT_PATH"

if [[ $? -ne 0 ]]; then
  echo "❌ Failed to retrieve certificate."
  exit 1
fi

echo "🗑️ Removing old certificate (if it exists)any)..."
keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASS" 2>/dev/null

echo "➕ Importing new certificate..."
keytool -import -alias "$ALIAS" \
  -keystore "$KEYSTORE_PATH" \
  -trustcacerts -file "$CERT_PATH" \
  -storepass "$KEYSTORE_PASS" -noprompt

echo "🔁 Restarting Gluu services..."
/root/restart-gluu.sh

echo "✅ Import and restart complete!"

3️⃣ Make the Script Executable

chmod +x /root/import-gluu-cert.sh

4️⃣ Run the Script

/root/import-gluu-cert.sh

🔍 Verifying Certificate Import

📄🧾 Check CertificateTruststore in Truststore:Entry:

keytool -list -keystore /opt/jre/lib/security/cacerts -storepass changeit | grep gluu-remote

🔐🔒 ConfirmCheck Active Truststore:Truststore in Java:

/opt/jre/bin/java -XshowSettings:properties -version 2>&1 | grep trustStore

📆📛 CheckConfirm Issuer and Issuer/Subject:

openssl x509 -in /etc/certs/gluu-full-chain.crt -noout -issuer -subject

🛠 Troubleshooting

❗ ~~Trust~~SSL ~~path errors:~~Errors: ~~Ensure~~Usually mean the ~~full~~cert ~~certificate~~isn't ~~chain is present in~~ gluu-full-chain.crt.

📁 ~~Missing file?~~trusted. Double-check /etc/certs/import ~~exists and is writable.~~step.
🔒 Permission ~~denied?~~Denied: ~~Make~~Ensure ~~sure you’~~you're running ~~commands~~ as root.
📜🧱 Service ~~won't~~Not ~~restart?~~Restarting: ~~Check~~Review logs ~~under~~in /opt/gluu/jetty/<componentapp>/logs/.

📝📘 Notes

This ~~method~~guide is ~~tailored~~ for internal/self-signed Gluu ~~certificates~~.certificates.
~~For public~~Public CA ~~certificates,~~certs ~~ensure~~usually ~~the~~don’t ~~full~~require ~~chain~~this isstep ~~valid~~unless ~~and~~using ~~trusted~~a bynon-standard ~~your system.~~CA.
The script assumes a restart script exists at /root/restart-gluu.sh.