Configure HTTPS (SSL) using Windows cert store

In %BITBUCKET_HOME%\shared\bitbucket.properties set the following configuration:

server.additional-connector.1.port=443
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=
server.additional-connector.1.ssl.key-store-password=
server.additional-connector.1.ssl.key-store-type=Windows-My
server.additional-connector.1.ssl.key-password=
server.additional-connector.1.ssl.key-alias=<friendly-name-or-CN>

If you want to run on 443 and have people just type in https://bitbucket.domain.com you really should do this using a reverse proxy server.  In order for Tomcat to bind to TCP:443, it will need to be run as Administrator user (or with equivalent permissions.) That creates a attack vector in the event that someone exploits a Java vulnerability. This could lead to the attacker being able to take over the whole server, since they would be breaking in as Administrator user.

Best practice is to use a reverse proxy server, which will have the smarts to start and bind to the privileged 443 port, then spawn children running as unprivileged users. This also allows you to continue running Tomcat on an unprivileged high port and run as an unprivileged user.  If an attacker manages to take over the Java process, they will only have as much permissions to do damage as the user Bitbucket runs as.  

This also makes management of the certificates easier. When your SSL certs expire, you simply drop the new ones in to the correct directory, update the config file to use the new certs and restart the proxy. Managing certs in Tomcat requires an application restart.

Atlassian has docs on how to set up Apache, but the process is similar for other reverse proxy servers such as IIS, nginx, etc.