
Using CA signed certificate for Confluence

Lorenze Larot January 11, 2016

Hello, 

I'm new to Confluence (I just heard about it Friday last week) and I am tasked to install a CA signed certificate to Confluence. I found this guide https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html to be helpful. I just want to ask a few clarifications.

  • I already have the CA signed certificate (.cer file); should I just simply import this to the keystore and proceed with step 2 on the guide?

Thank you in advance for any response.

 

Best,

Renz

2 answers

0 votes
Lorenze Larot January 13, 2016

Hi,

 

So I was able to import my certificate to the keystore and have gone through steps 2, 3 and 4. However, when I tried to access https://confluence.mydomain.com:8443 it's showing an error:

"ERR_SSL_VERSION_OR_CIPHER_MISMATCH".

My server.xml looks like the one below.

<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="mypassword"
keystoreFile="<C:\Program Files\Atlassian\Confluence\jre\lib\security\cacerts>"/>

 

Am I missing any steps here?

 

Any response will be much appreciated.

 

Thanks,

renz

 

Steven F Behnke
Rising Star
January 14, 2016

It'd be better to ask this in a new Question rather than an Answer to your own original question. We'd need more information to help you also. Did you install your own certificate/key combo into the cacerts keystore? That seems weird.

Lorenze Larot January 15, 2016

Hello @Steven Behnke,

Thanks for your response. What I did was simply run the command below. Should I create a new keystore and import my certificate to the newly created keystore and have my server.xml point to the keystore path? Sorry for the noob question.

 

Thanks

 

C:\>keytool -import -keystore ..\lib\security\cacerts -alias newcertificate -storepass changeit -noprompt -trustcacerts -file c:\new_certificate.crt

 


Steven F Behnke
Rising Star
January 15, 2016

Okay: The issue here is that you don't understand what you're really doing. Sorry for being so blunt. This isn't easy to explain without knowing more detail about your OS and system information. I'm familiar with the Linux process but the Windows process should be the same.

You need to pair the certificate and the key under an alias in a new keystore. This is how you secure your server! Your server's key PLUS your purchased certificate is your security! When you import your certificate, you need to make sure it trusts your CA Certs file, which you should have already added to or modified with the rest of the trust chain. Alternatively you should be able to import all of the chain into your new keystore, I think.

I don't think that adding all the certificates to the CA Certs file will work at all.
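
An added example, not part of the original thread: a small Python check for the two points raised in the comments above, namely that the posted Connector's keystoreFile points at the JRE cacerts trust store and that a certificate imported on its own is stored as a trustedCertEntry with no private key. The keytool listing is constructed sample output, the Connector text is trimmed from the post, and keyAlias is Tomcat's optional Connector attribute, which the post does not set.

```python
import re

# Constructed sample: `keytool -list` output for a keystore that received only
# certificates, as with the -import command quoted in the thread.
SAMPLE_LISTING = """\
Keystore type: JKS

Your keystore contains 2 entries

newcertificate, Jan 13, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33 (constructed)
exampleroot, Jan 1, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 44:55:66:77 (constructed)
"""

# Connector as posted in the thread, trimmed to the attributes checked here.
SAMPLE_CONNECTOR = r'''<Connector port="8443" SSLEnabled="true" keystorePass="mypassword"
keystoreFile="<C:\Program Files\Atlassian\Confluence\jre\lib\security\cacerts>"/>'''

ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), .+, (?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$",
    re.M)

def entry_kinds(listing):
    """Map alias -> entry type from the text printed by `keytool -list`."""
    return {m["alias"].strip(): m["kind"] for m in ENTRY_RE.finditer(listing)}

def connector_attr(text, name):
    """Read one attribute by regex; the posted value contains '<' and '>',
    so a strict XML parser would reject the element."""
    m = re.search(r'\b%s="([^"]*)"' % re.escape(name), text)
    return m.group(1) if m else None

def findings(listing, connector):
    """Return the problems found in a Connector / keystore listing pair."""
    out = []
    path = connector_attr(connector, "keystoreFile") or ""
    if "<" in path or ">" in path:
        out.append("keystoreFile still has placeholder angle brackets")
    if path.strip("<>").replace("\\", "/").lower().endswith("/cacerts"):
        out.append("keystoreFile points at the JRE trust store (cacerts)")
    kinds = entry_kinds(listing)
    wanted = connector_attr(connector, "keyAlias")
    if "PrivateKeyEntry" not in kinds.values():
        out.append("no PrivateKeyEntry: certificates only, no server key")
    elif wanted and kinds.get(wanted.lower()) != "PrivateKeyEntry":
        out.append("keyAlias %r is not a PrivateKeyEntry" % wanted)
    return out

if __name__ == "__main__": print("\n".join(findings(SAMPLE_LISTING, SAMPLE_CONNECTOR)))
```

To use it on a real system, paste the output of `keytool -list -keystore <your keystore>` and the Connector element from server.xml in place of the two samples.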

0 votes
Steven F Behnke
Rising Star
January 11, 2016

Yes, if you already have a signed certificate you can skip the self-signed certificate steps.
