Missed Team ’24? Catch up on announcements here.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Installing a new Wildcard SSL Certificate on an existing Confluence Server

Jonathan Roundy
Jonathan Roundy
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
October 2, 2015

So, we are currently running a Confluence Server and the certificate has expired.  It was using a certificate specific to the url.  Since that time we have obtained a wildcard certificate and would like to install that on Confluence.  There are steps for configuring Confluence to use SSL, however as a "novice" I can't determine what parts apply to "replacing" a certificate.  We have the certificate already and we know the password assigned to it.

  1. We don't need to generate an CSR do we?
  2. https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html is the article that we are looking at.
  3. Do we have to create a self signed certificate in our scenario?
  4. In the section below from the instructions is the CN the hostname/ComputerName of the server, or the URL/Domain Name used for the confluence site, in our case they are not the same.

"Follow the prompts to specify your name, organisation and location. This information is used to construct the X.500 Distinguished Name (DN) of the entity. The CN ("What is your first and last name?") must match the fully-qualified hostname of the server running Confluence, otherwise Tomcat will not be able to use the certificate for SSL. For example for a Confluence running on a server named "confluence.example.com":
CN=confluence.example.com, OU=Java Software Division, O=Sun Microsystems Inc, C=US"

  1. Also in the comments section there is information about using a PKCS #12 file and only editing 3 lines of code.  Does this work?  Can I really just skip all of the other stuff and edit 3 lines in the server.xml file?

JR

Answer
Watch
Like Tim Evans likes this
7859 views

2 answers

1 vote
whodat
whodat
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
April 12, 2016

These commands worked for us on a .pfx exported from IIS (where the wildcard CSR was generated). Be sure to use the same passphrase for the keystore as that used to sign the CSR!

/opt/jdk1.8.0_45/jre/bin/keytool -importkeystore -srckeystore <your-wildcard-cert>.pfx -srcstoretype pkcs12 -destkeystore /home/confluence/.keystore

/opt/jdk1.8.0_45/jre/bin/keytool -import -trustcacerts -alias root -file QuoVadis_Root_CA_2.crt -keystore /home/confluence/.keystore

/opt/jdk1.8.0_45/jre/bin/keytool -import -trustcacerts -alias intermediate -file QuoVadis_Intermediate_Global_SSL_ICA_G2.crt -keystore /home/confluence/.keystore

 

View More Comments
Matthew Tebes
Matthew Tebes
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
January 8, 2021

You listed the name extensions for each step!!!! Life saver!!! I am working on how to change the password needed to access the CSR or PFX as we try not to use this password on web servers. If I figure it out I will post a follow up with the notes.

Thank you Simon thank you!!!!

Like
Reply
1 vote
Guilherme V.
Guilherme V.
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 2, 2015
Hey buddy!
  1. We don't need to generate an CSR do we?
    You don't need to create a new one, you can authenticate the same CSR with your C.A. Just don't forget to import it in the keystore.
  2. https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html is the article that we are looking at.
    Alright, that's the best documentation for it smile.
  3. Do we have to create a self signed certificate in our scenario
    There's no problem in creating a new certificate. But you'll have to authenticate it later with the C.A
  4. In the section below from the instructions is the CN the hostname/ComputerName of the server, or the URL/Domain Name used for the confluence site, in our case they are not the same.
    I've never tested with this scenario, but I think they need to be the same. Not sure sad
  5. Also in the comments section there is information about using a PKCS #12 file and only editing 3 lines of code.  Does this work?  Can I really just skip all of the other stuff and edit 3 lines in the server.xml file?
    That's only for GoDaddy and Verisign, so you're probably using one of them, right? Never tested the steps described by that user, but i noticed that it worked for some other customers. Test it in a staging instance before smile.
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events