Using a GeoTrust wildcard cert when the CSR/private key originated elsewhere?

I've been using a self-signed cert in our Confluence install, but we recently got a wildcard cert for our org and I want to use that instead.

I've seen the GeoTrust instructions but they say you have to use the same keystore used to create your CSR and private key. That's not the case here since it's a generic wildcard cert that originated on another system.

I've tried various sets of generic instructions for importing private keys to a keystore but no success yet.

I was hoping someone else has done this and has some tips or a link to instructions that actually worked for you.

Thanks!

PS: I doubt it matters but our Confluence install is running on CentOS 7.

3 answers

1 accepted

1 vote
Accepted answer

If possible, I would highly recommend running Confluence behind a reverse proxy like Apache or nginx. My organization is using nginx (installed directly from the nginx repo as we are on CentOS 6), but as you're on CentOS 7 you could make use of Apache 2.4 if you wanted. SSL termination is much much easier in Apache or nginx than using the Java tools.

Here's documentation for Apache:

https://confluence.atlassian.com/display/DOC/Running+Confluence+behind+Apache


The tricky thing is that your connector needs to be updated correctly so that Tomcat writes correct URLs for the reverse proxy. Here's my connector for reference - really the important pieces are proxyName which needs to match the URL you're using, and port up at the top where nginx or Apache should be proxying traffic:

<!-- Tomcat receives plain HTTP from the proxy on 8090; scheme/proxyName/proxyPort
     make it generate https://wiki.domain.com URLs instead of http://host:8090 ones -->
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
           maxThreads="200" minSpareThreads="10"
           enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
           protocol="HTTP/1.1"
           scheme="https"
           proxyName="wiki.domain.com"
           proxyPort="443"/>

Thanks, I am much more familiar with Apache config than this Tomcat/Java stuff so that looks doable. I'll give it a shot later today and let you know how it goes.

Daniel, this worked out just fine. I removed the SSL config from Confluence itself, re-enabled port 8090, firewalled that away from everyone but the loopback interface, and then set up the Apache proxy to respond on port 8443 instead. It took a little time to get just the right combination of settings but it did work and all appears well so far! *knock on wood* Thank you!

Is the reason behind importing the certificate so you can run Confluence on HTTPS?

Exactly... (and technically it's already running https, I just want to use our 'real' cert which was already created outside of the local keystore).
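The Apache side of the setup that the accepted answer and the follow-up comments describe, as an added example that is not from the original thread: an httpd 2.4 virtual host that terminates TLS with the wildcard certificate's PEM files and proxies to the Tomcat connector on 8090, using the proxyName wiki.domain.com and proxyPort 443 from the connector above. The certificate and key paths and the log file names are assumptions; adjust them to your system.

```apache
# Added example, not from the original thread. Assumes mod_ssl, mod_proxy and
# mod_proxy_http are loaded (check with: httpd -M) and that the wildcard cert,
# its private key and the issuer chain are in the PEM files named below.

# Plain HTTP only redirects to HTTPS; nothing is proxied on port 80.
<VirtualHost *:80>
    ServerName wiki.domain.com
    Redirect permanent / https://wiki.domain.com/
</VirtualHost>

# This listener's port must equal proxyPort in the Tomcat connector (443 above),
# otherwise Tomcat generates redirect URLs with the wrong port.
<VirtualHost *:443>
    ServerName wiki.domain.com

    SSLEngine on
    # PEM files exactly as issued by the CA; no Java keystore conversion needed.
    # The key file should be readable by root only (mode 0600).
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.domain.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.domain.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/issuer-intermediate.crt
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

    # Forward the original Host header so Tomcat sees the public name, and
    # never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8090/ connectiontimeout=5 timeout=300
    ProxyPassReverse / http://127.0.0.1:8090/

    ErrorLog  /var/log/httpd/wiki_error.log
    CustomLog /var/log/httpd/wiki_access.log combined
</VirtualHost>
```

With this in place the connector on 8090 only needs to be reachable from the loopback interface, as the follow-up comment describes, so that clients cannot bypass the TLS-terminating proxy.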
