Confluence with a wildcard certificate

Mark Kilfoil May 15, 2013

We are running Confluence 4.3.7 with SSL on Debian.

We are having trouble importing our new wildcard certificate using the provided tutorial here:

https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS

Have also tried the tutorial directly from digicert:

http://www.digicert.com/ssl-certificate-installation-tomcat.htm

The CSR was not generated on the Confluence box.

Using both tutorials ends with "keytool error: java.lang.Exception: Input not an X.509 certificate"

3 answers

2 votes
Mark Kilfoil May 15, 2013

That didn't solve the problem either, but I decided to go back and read over the errors I have received over the last day working on this, and with some help from online articles the problem was that my keystore password was different than my certificate password. So I deleted the keystore, remade it with my cert password, and everything imported and is now working.

keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore /root/.keystore -destalias server -srckeystore star.domain.com.pfx -srcstoretype PKCS12 -srcstorepass 123456
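
The error in this thread is keytool rejecting a file it cannot read as an X.509 certificate, and the fix above was to import the .pfx with -importkeystore. The following is an added example, not part of the original thread or of either tutorial: it classifies a file by its PEM label before a keytool command is chosen. The function names and sample files are constructed for illustration.

```shell
# Added example, not from the thread: identify what a certificate-related
# file contains before choosing a keytool command. Names are hypothetical.

# Print the kind of FILE from its first PEM label:
#   x509 | pkcs7 | csr | private-key | no-pem | unknown
classify_cert_file() {
    local file="$1" label
    [ -r "$file" ] || { echo "unknown"; return 1; }
    # Strip CRs (files saved on Windows) and keep the first BEGIN line only.
    label=$(tr -d '\r' < "$file" |
            sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    case "$label" in
        "CERTIFICATE")                                   echo "x509" ;;
        "PKCS7")                                         echo "pkcs7" ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo "csr" ;;
        *"PRIVATE KEY")                                  echo "private-key" ;;
        "")                                              echo "no-pem" ;;
        *)                                               echo "unknown" ;;
    esac
}

# Map a kind to the keytool subcommand that accepts it (advice text only).
keytool_step() {
    case "$1" in
        x509)        echo "-importcert" ;;
        pkcs7)       echo "-importcert onto the alias that holds the private key" ;;
        csr)         echo "none: a CSR is a request, not a certificate" ;;
        private-key) echo "none: bundle key and chain as PKCS#12, then -importkeystore" ;;
        no-pem)      echo "-importkeystore -srcstoretype PKCS12 if .pfx/.p12" ;;
        *)           echo "none: unrecognised PEM label" ;;
    esac
}

# Constructed sample files: armor lines and filler only, no real key material.
demo() {
    local dir kind f
    dir=$(mktemp -d)
    printf '%s\r\n' '-----BEGIN CERTIFICATE REQUEST-----' 'AAAA' > "$dir/star.csr"
    printf '%s\n' '-----BEGIN PKCS7-----' 'AAAA' > "$dir/star.p7b"
    printf '\060\202\001\001' > "$dir/star.pfx"
    for f in "$dir"/star.*; do
        kind=$(classify_cert_file "$f")
        printf '%s: %s -> %s\n' "${f##*/}" "$kind" "$(keytool_step "$kind")"
    done
    rm -rf "$dir"
}
demo
```

A file with no PEM armor may be a DER certificate or a PKCS#12 bundle; the classifier reports `no-pem` for both and does not parse the binary structure.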

0 votes
Mark Kilfoil May 15, 2013

I can download multiple bundles for the certificates from DigiCert. I have tried importing a p7b bundle of all certs with a .cer extension, unsuccessfully as well.

0 votes
C_ Faysal
Rising Star
May 15, 2013

hey charles...

how was the cert file created?

Mark Kilfoil May 15, 2013

the csr was generated using the OpenSSL CSR Tool on the digicert site.

C_ Faysal
May 15, 2013
I see. Did you try to import the CSR? That's only the signing request file and not a certificate.
Mark Kilfoil May 15, 2013

keytool -importcerts -alias server -file star_domain_com.p7b -keystore <keystore_name>

"keytool error: java.lang.Exception: Input not an X.509 certificate"

Mark Kilfoil May 15, 2013

sorry...didn't work.

Input not an X.509 certificate.

C_ Faysal
May 15, 2013

ok.

please run this on your box

openssl pkcs7 -print_certs -in star_domain_com.p7b -out star_domain_com.cer

afterwards try importing the cer file.

let me know how it goes

please note: I am not 100% sure if this will work for you...but I remember not facing any issues using .cer or .crt files...so let's try converting this. Don't worry, your .p7b will still be there.

C_ Faysal
May 15, 2013

ok i found another way...lets stick with the p7b

keytool -import -trustcacerts -alias server -file star_domain_com.p7b -keystore <keystore_name>

can you try this one please?

ps: use comment
C_ Faysal
May 15, 2013
Mark Kilfoil May 15, 2013

keytool -importcert -alias server -file star_domain.com.cer -keystore <keystore_name>

Enter keystore password:********

keytool error: java.lang.Exception: Input not an X.509 certificate

Mark Kilfoil May 15, 2013

attempting that now, will update you soon.

C_ Faysal
May 15, 2013
Ok. But now it is in a new keystore in root/. You must tell Tomcat which one to use now, because by default it is inside your confluence_dir/jre/security/lib/cacerts, if I remember it right.
