Problems changing SSL cert

Hey David,

First I'd love to steer you towards using nginx as a reverse proxy in front of your Atlassian applications. nginx can terminate SSL/TLS better and faster than Tomcat (the application server that Jira and Confluence use) as well as being easier to administer! We have some great guides to help you set this up for Confluence and for Jira.

It's great to hear that your friend was able to get this set up for you in Tomcat. The initial setup is daunting (steps here for reference) and can often result in trouble even when you're following the guide. We sometimes hear that working with the Java keytool is the hardest part of configuring a new Jira installation if you're going for SSL/TLS.

Luckily since you only need to update the certificate, we can cut down on some of the steps. I'm summarizing from this guide below. I'm also making the assumption that you're on Linux. If you're on Windows, let me know and I'll add separate instructions.

1. If the certificate you have isn't already in PKCS12 format, you'll need to convert it. For example, if you have a .cer and .key file or two .pem files, you'll need to convert to a single PKCS12 file. Here's the command to convert:
   
   

   openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out <keystorefile> -name tomcat -CAfile <cacertfile> -caname root

   
   Where:
   <certfile> is your public certificate (likely .cer or .pem)
   <keyfile> is your private key (likely .key - if it's .pem you'll need to open the files to figure out which is the public vs private key)
   <keystorefile> is the name of the new file you want to create
   <cacertfile> is the certificate chain for the CA you got your certificate from. You can usually get this by googling "<CA> trust chain" - for example "godaddy trust chain"
2. When you execute that command (assuming you needed to convert), you'll be asked to create a password for the new PKCS12 file. Our documentation suggests changeit since Tomcat expects that already and you're just going to import to Tomcat next.
3. Now you'll need to run the keytool command from Jira/Confluence's installation directory. This will be at <jira/confluence-install>/jre/bin - at this point changing your current directory to that folder would be ideal.
4. The command you'll need to run to actually import your fresh certificate file into the Java keystore is:
   

   keytool -importkeystore -deststorepass <keystorepass> -destkeypass <keystorepass> -destkeystore <tomcatkeystorefile> -srckeystore <keystorefile> -srcstoretype PKCS12 -srcstorepass <keystorepass> -alias tomcat

   swapping in:
   <keystorepass> the password from step 2 (changeit)
   <tomcatkeystorefile> path to Tomcat's keystore, try <JIRA_HOME>/jira.jks (put in the actual file path for Jira Home)
   <keystorefile> is your PKCS12 file from step 1
5. Make sure the server.xml file at <jira/confluence-install>/conf/server.xml contains a line that looks something like this in your active connector:
   

   keyAlias="jira" keystoreFile="<JIRA_HOME>/jira.jks" keystorePass="changeit" keystoreType="JKS"

    

As you can see, just updating the certificate can be pretty involved and there's a lot of room for error. Let me know if you get stuck, but again I would strongly push for switching to nginx if you can make that happen.

Cheers,
Daniel