How to configure SSL certificate for LDAPS with Microsoft Active Directory (User Directory)


Currently, we use Microsoft Active Directory - Delegated LDAP Authentication as a user directory with BitBucket.

The operations department wants me to switch from LDAP to LDAPS on port 636, enabling SSL.

We run BitBucket server on Windows server.

The description I found is here:

It is not complete when it comes to the "Use SSL" option. Use SSL says: "... Note that you will need to configure an SSL certificate in order to use this setting."

It would be better with a step-by-step guideline on how to do it.

I guess I need to import some certificate into a certificate store available to Bitbucket. But I cannot find the details on this, even though I have tried different searches on Google.


Owe Kristiansen

2 answers

2 accepted

1 vote
Answer accepted

Hi Owe,

I believe first you must ask for the public part of your LDAP certificate. Then, you have to add it to the trust store used by the JVM which is in charge of running Bitbucket (you can find the complete path if you navigate to Administration >> Atlassian Support Tools >> System Information >> java.home).

Supposing your configuration is the following:

java.home = /opt/atlassian/bitbucket/jre
Certificate = YOURCOMPANY.COM.crt

You must run the following command (the alias is a placeholder; pick any name that is not already in the keystore):

sudo /opt/atlassian/bitbucket/jre/bin/keytool -import -trustcacerts \
  -keystore /opt/atlassian/bitbucket/jre/lib/security/cacerts \
  -storepass changeit -noprompt -alias <alias> -file YOURCOMPANY.COM.crt

And then restart the Bitbucket Application...

You may find the following exception within the Bitbucket logs while trying to connect to your Secure LDAP, if the configuration is NOT correct: PKIX path building failed: unable to find valid certification path to requested target


Kind regards

@Jack Nolddor -Sweet Bananas- Thank you for the quick reply. I guess your answer will do the trick. I have requested internally the necessary certificate and the LDAP FQDN.

Let's wait until you add it to the related cacerts file and restart the application to see if it solves your problem.



Hi again, and thank you for spending your time on me.

Today I got a response from the operations department that our main internal domain ( responds to LDAPS.

When I tried to use the address in Bitbucket with SSL, it complained that there was no subject alternative name for

Connection test failed. Response from the server:
simple bind failed: **********.com:636 [Root exception is No subject alternative DNS name matching **********.com found.]

I guess this means that the certificate presented lacks alternate dns name.

In addition, the SSL certificate I get back is from a different server each time. There is a range of various servers responding with their own server DNS names, like, and so on. This does not match the LDAPS address.

The certificates returned I am able to verify with the openssl command. They have a certificate chain with two intermediate certificates and then the same root CA certificate. Does this mean I need to add all three certificates with your example command?

In addition, I have discovered that Bitbucket has its own certificate store, and it is different from the cacerts store in the Java folder.

The operations department tells me that I should add trust for the root certificate and the two intermediate certificates. I would expect that the server certificates should have an alternate DNS name like (which probably should be instead).

A lot of details here, and more complicated than expected, as our setup is more complex than I expected. If you still know what advice will bring me on track, I will be very grateful.

Hi again Owe, I believe that if you add the Root CA to Bitbucket's certificate store, all certificates signed by this CA will be trusted. So it is worth trying to add the Root CA using the command I provided above, then restart and see the results.



Hi, after reconfiguring and restarting the service we still get this error:

Connection test failed. Response from the server:
simple bind failed: ********.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: **********:636 [Root exception is No subject alternative DNS name matching ********.com found.]

I'm trying to implement this too, and I'm confused by this: "In addition I have discovered that Bitbucket has its own certificate store, and it is different than the cacerts store on the java bin folder".

In which certificate store do I need to add the certificate? I know where the Java store is, but I don't know where the Bitbucket store is located.


It will be nice to have a step-by-step documentation about this.

PS: we are running Bitbucket on Windows Server, so I'm not familiar with some Linux commands.

Our Bitbucket config file ( [DRIVE]:\STASH_DATA\shared\ contains this line:


That is related to the Bitbucket SSL setup, and I am confused whether this overrides the config on java.home = /opt/atlassian/bitbucket/jre

@Jack Nolddor _ Sweet Bananas I guess your answer was correct, but it did not work out for me. I therefore wrote up what I did to solve my problem. I see that the page I asked about still has too little information about this. Thanks for helping out. Regards, Owe

0 votes
Answer accepted

In the end we disabled the certificate checks for the user running the Bitbucket service by logging into the bitbucket user account on the server and setting the following user environment variable:

JVM_SUPPORT_RECOMMENDED_ARGS="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification -Djdk.tls.trustNameService=true"

Not an ideal solution, but this is internal communication, and at least we have LDAPS together with HTTPS up and running for now.

Jack's answer worked for us. You have to specifically add the certificate (the one used for LDAP) into the 'cacerts' keystore that is part of the Java installation used by your Bitbucket instance, for example: C:\Java\jre\lib\security\cacerts <-- keystore file.

Also make sure to set the -alias to the name of the CA; maybe that will help your DNS issue.

The command that Jack provided works perfectly if you alter it to suit your setup. We had spent some time looking at the Bitbucket ssl-keystore thinking it needed to go in there, but that is only used for the HTTPS web interface, it seems.

Ok @Rick Spano

Since we had a load-balanced setup with several LDAPS servers behind the DNS alias, we decided not to add all the server certificates, but to trust the name service instead.
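The two problems in this thread are separate checks: "PKIX path building failed" is a trust failure (the JVM's cacerts does not contain the CA that issued the server certificate), while "No subject alternative DNS name matching ... found" is Java's endpoint identification comparing the name Bitbucket connected to with the DNS entries in the leaf certificate's subjectAltName. Importing the root CA fixes only the first; the second goes away only when the name configured in the user directory is covered by the SAN. The script below is an added example, written for this page and not taken from the thread or from Atlassian: it pulls the chain an LDAPS endpoint presents with openssl, reports for every certificate whether the connected name is covered by the SAN, and imports a root CA into the cacerts of the JRE Bitbucket runs on with keytool. The environment variable names LDAPS_HOST, LDAPS_PORT, BITBUCKET_JAVA_HOME, LDAPS_ROOT_CA and LDAPS_CA_ALIAS, the file name ldaps-check.sh and the sample SAN strings in the comments are all assumptions made for the example. The SAN matcher implements the common form of the rule (case-insensitive exact match, or a `*.` wildcard standing for exactly one left-most label); partial-label wildcards such as `dc*.example.com`, which Java also accepts, are not handled. It needs OpenSSL 1.1.1 or later for `-ext`; on the Windows install the same keytool is at java.home\bin\keytool.exe, and the script itself runs in Git Bash or WSL.

```shell
#!/bin/sh
# ldaps-check.sh (added example, not from the thread or from Atlassian).
# Assumed environment variables:
#   LDAPS_HOST           the alias Bitbucket connects to      LDAPS_PORT  (default 636)
#   BITBUCKET_JAVA_HOME  java.home from System Information    LDAPS_ROOT_CA  PEM of the root CA (optional)
#   LDAPS_CA_ALIAS       keystore alias for it (default ldaps-root-ca)

# san_has_name SAN_TEXT NAME -> exit 0 when NAME is covered by a DNS entry.
# SAN_TEXT is the list openssl prints for subjectAltName, e.g. the constructed
# "DNS:dc01.example.com, DNS:*.corp.example.com, IP Address:10.0.0.5".
# Rule: case-insensitive exact match, or "*." standing for exactly one left-most label.
san_has_name() (
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    want_parent=${want#*.}                 # labels after the first one
    printf '%s\n' "$1" | tr ',' '\n' | {
        while IFS= read -r entry; do
            entry=$(printf '%s' "$entry" | sed 's/^ *//; s/ *$//' | tr 'A-Z' 'a-z')
            case $entry in
                dns:*) name=${entry#dns:} ;;
                *) continue ;;             # IP Address, email and other types do not count
            esac
            [ "$name" = "$want" ] && exit 0
            case $name in
                '*.'*)                     # *.corp.example.com covers ldap.corp.example.com, not a.b.corp.example.com
                    [ "$want_parent" != "$want" ] && [ "${name#\*.}" = "$want_parent" ] && exit 0 ;;
            esac
        done
        exit 1
    }
)

# fetch_chain HOST PORT OUTDIR: writes every certificate the server sends (leaf first,
# then intermediates; the root is usually not sent) to OUTDIR/cert-N.pem.
# -servername matters behind a load balancer that picks certificates by SNI.
fetch_chain() {
    host=$1; port=$2; outdir=$3
    mkdir -p "$outdir"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
        awk -v dir="$outdir" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
            f != ""                       { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'
    ls "$outdir"/cert-*.pem
}

# report_cert FILE NAME: subject, issuer, and whether NAME passes endpoint
# identification against this certificate (needs openssl 1.1.1+ for -ext).
report_cert() {
    file=$1; name=$2
    echo "== $file"
    openssl x509 -in "$file" -noout -subject -issuer
    san=$(openssl x509 -in "$file" -noout -ext subjectAltName 2>/dev/null | sed '1d' | tr '\n' ' ')
    case $san in
        *DNS:*)
            if san_has_name "$san" "$name"; then
                echo "   SAN covers $name: endpoint identification passes"
            else
                echo "   SAN [$san] does not cover $name: expect 'No subject alternative DNS name matching $name found'"
            fi ;;
        *) echo "   no DNS entries in subjectAltName; Java compares the subject CN with $name instead" ;;
    esac
}

# import_root_ca JAVA_HOME PEMFILE ALIAS: adds the CA to the cacerts of the JRE
# Bitbucket runs on (default password changeit; a backup is taken first). Trusting
# the root covers every server certificate that chains to it, provided the servers
# send their intermediates. The JVM reads cacerts at start-up, so restart Bitbucket.
import_root_ca() {
    java_home=$1; pem=$2; alias=$3
    store=$java_home/lib/security/cacerts
    cp "$store" "$store.bak.$(date +%Y%m%d%H%M%S)"
    "$java_home/bin/keytool" -importcert -trustcacerts -noprompt \
        -keystore "$store" -storepass changeit -alias "$alias" -file "$pem"
    "$java_home/bin/keytool" -list -keystore "$store" -storepass changeit -alias "$alias"
}

main() {
    host=${LDAPS_HOST:?set LDAPS_HOST to the name Bitbucket connects to}
    port=${LDAPS_PORT:-636}
    outdir=$(mktemp -d)
    fetch_chain "$host" "$port" "$outdir"
    for f in "$outdir"/cert-*.pem; do      # cert-1.pem is the leaf; only it carries the server name
        report_cert "$f" "$host"
    done
    if [ -n "${LDAPS_ROOT_CA:-}" ]; then   # import the root, never the leaf
        import_root_ca "${BITBUCKET_JAVA_HOME:?set to java.home from System Information}" \
            "$LDAPS_ROOT_CA" "${LDAPS_CA_ALIAS:-ldaps-root-ca}"
        echo "restart Bitbucket so the JVM reloads $BITBUCKET_JAVA_HOME/lib/security/cacerts"
    fi
}

# Run the full check only when a target is configured; the functions can also be sourced.
if [ -n "${LDAPS_HOST:-}" ]; then
    main
fi
```

Run the report against the alias first: if cert-1.pem does not cover it, no amount of cacerts work will clear the SAN error, and the choice is between getting the alias added to the server certificates' SAN, pointing the user directory at a name that is in the SAN, or the endpoint-identification workaround from the accepted answer above.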
