I've read plenty but i'm still very confused about the server certificate concept.
At what stage does it turn a glassfish server from HTTP to HTTPS and how?
I know how to create a certificate with keytool, but what happens to it after that? I read something about associating the certificate with a JAR file? What? Surely a certificate should belong to a server?
I'm using glassfish and netbeans.
Thanks for clearing up my confusion if you can!
There's two different things happening here.
In order to use SSL for anything (SMTP, HTTP, IMAP, etc.) you need a public and private key.
The private key is stored on the server and the public key is made available to the world to allow data to be encrypted in such a form that the private key can decode it.
The distribution of the public key is accomplished via sending it during the SSL negotiation1 - this is an insecure approach vulnerable to MITM attacks.
An SSL certificate is a signature of the SSL public key by a third party that is trusted - the third party is responsible for authenticating the identify of the public key.
A self-signed certificate is generally used for testing and is still vulnerable to MITM. Using it is like presenting only a letter to your bank written by you and signed by you to verify your identity.
This is the part where you tell your service to actually use that keypair and certificate. Beyond the scope of this answer, but hopefully you understand SSL now :)
1: Though some cool things could be done now that DNSSEC is being implemented - we could put HTTPS certificates into TXT records or the like.
