Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

SSL certificate is imported as a trustedCertEntry, tomcat is unable to start

Edited

Summary: I am trying to update the SSL certificate for our BitBucket server. I am seeing assistance installing the new ps7 certificate as a PrivateKey type on my keystore.

As per the instructions on confluence I created a local self-signed certificate on a  new keystore titled "bitbucket-keystore", using the following command: 

"%JAVA_HOME%\bin\keytool" -genkey -alias sc.phgic.com -keyalg RSA -sigalg SHA256withRSA -keystore <Bitbucket home>\shared\config\bitbucket-keystore

Next, I used the keytool to generate a CSR and submitted the CSR to our certificate authority (CA) for signing. 

After receiving the download link from the CA, I downloaded the SSL certificate in PKCS7 format, and ran the following command to install it on my keystore:

"%JAVA_HOME%\bin\keytool" -import -alias sc.phgic.com -file sc_phgic_com.p7s -keystore <Bitbucket home>\shared\config\bitbucket-keystore

The import appeared to be successful. I restarted the BitBucket service, but it failed to start. I discovered the following exception in the logs: java.io.IOException: Alias name [sc.phgic.com] does not identify a key entry

I searched the Knowledge Base and found this related issue:
https://confluence.atlassian.com/bitbucketserverkb/unable-to-start-tomcat-due-to-java-io-ioexception-alias-name-not-identifying-a-key-entry-943541751.html

Re: Cause #1, I confirmed the alias in the keystore matches the alias in our configuration file, and the keystore does contain this alias:

config.png

2020-07-08 12_26_29-tfserver - Remote Desktop Connection.png

So, I suspect the root problem is Cause #2 - entry type is trustedCertEntry instead of PrivateKey.

(I also tried installing the intermediate and server certificate as separate .cer files, and received the following error: Input not an X.509 certificate)

I would prefer to work with a single .p7s file; but, how can this be installed as a PrivateKey entry type rather than trustedCertEntry?

Is there possibly some other issue with the private key in my keystore preventing this certificate from being installed as the correct entry type?

1 answer

1 accepted

0 votes
Answer accepted

We ended up having our CA reissue our certificate using a CSR generated from IIS, and then exporting the new certificate as a pfx file with the private key from Windows Cert Manager, and finally, using the importkeystore keytool command to import the certificate into the existing keystore. We updated the config file, restarted BitBucket, and the site is now secure with the new certificate.

I don't know what was wrong with the original keystore that was used. But this alternative method of creating and managing the certificate is viable and easier.

How did you import the .pfx file?  Just import into the Windows Cert manager and re-export without the private key?    I like this idea, just not quite able to make this path work for me.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Bitbucket

New improvements to user management in Bitbucket Cloud 👥

Hey Community! We’re willing to wager that quite a few of you not only use Bitbucket, but administer it too. Our team is excited to share that we’ll be releasing improvements throughout this month of...

3,926 views 10 16
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you