Using a GeoTrust wildcard cert when the CSR/private key originated elsewhere?

nelson_d July 22, 2015

I've been using a self-signed cert in our Confluence install, but we recently got a wildcard cert for our org and I want to use that instead.

I've seen the GeoTrust instructions but they say you have to use the same keystore used to create your CSR and private key. That's not the case here since it's a generic wildcard cert that originated on another system.

I've tried various sets of generic instructions for importing private keys to a keystore but no success yet.

I was hoping someone else has done this and has some tips or a link to instructions that actually worked for you.

Thanks!

PS: I doubt it matters but our Confluence install is running on CentOS 7.

3 answers

1 accepted

1 vote
Answer accepted
Daniel Eads _unmonitored account_
July 22, 2015

If possible, I would highly recommend running Confluence behind a reverse proxy like Apache or nginx. My organization is using nginx (installed directly from the nginx repo as we are on CentOS 6), but as you're on CentOS 7 you could make use of Apache 2.4 if you wanted. SSL termination is much much easier in Apache or nginx than using the Java tools.

Here's documentation for Apache:

https://confluence.atlassian.com/display/DOC/Running+Confluence+behind+Apache


The tricky thing is that your connector needs to be updated correctly so that Tomcat writes correct URLs for the reverse proxy. Here's my connector for reference - really the important pieces are proxyName which needs to match the URL you're using, and port up at the top where nginx or Apache should be proxying traffic:

<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                maxThreads="200" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="HTTP/1.1"
                scheme="https"
                proxyName="wiki.domain.com"
                proxyPort="443"/>
nelson_d July 22, 2015

Thanks, I am much more familiar with Apache config than this Tomcat/Java stuff so that looks doable. I'll give it a shot later today and let you know how it goes.

nelson_d July 23, 2015

Daniel, this worked out just fine. I removed the SSL config from Confluence itself, re-enabled port 8090, firewalled that away from everyone but the loopback interface, and then set up the Apache proxy to respond on port 8443 instead. It took a little time to get just the right combination of settings but it did work and all appears well so far! *knock on wood* Thank you!
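As an added example that is not part of the original answer or of Atlassian's documentation, here is an Apache 2.4 virtual host matching the setup described above: Apache terminates TLS using the wildcard certificate and private key as plain PEM files (no Java keystore involved) and proxies to Confluence's Tomcat connector on 8090. Hostnames and file paths are assumptions; because Apache listens on 8443 here, the Connector's proxyPort should be 8443 rather than the 443 shown in Daniel's example.

```apache
# Added example (not from the original post or Atlassian docs).
# Listen on 8443 as in the asker's final setup; Tomcat's own 8090 connector
# should be reachable only from the loopback interface.
Listen 8443

<VirtualHost *:8443>
    # Must match proxyName in the Tomcat Connector (hostname is an assumption)
    ServerName wiki.example.com

    SSLEngine on
    # Certificate, private key and the CA intermediate chain copied from the
    # system where the CSR was generated; paths are assumptions.
    # (On httpd 2.4.8+ the chain can instead be appended to SSLCertificateFile.)
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/ca-intermediate.crt
    # Disable the legacy protocols; adjust the cipher policy to your clients
    SSLProtocol             all -SSLv2 -SSLv3
    SSLHonorCipherOrder     on

    # Forward everything to Tomcat on the loopback address, keeping the
    # client's Host header so generated URLs use wiki.example.com
    ProxyPreserveHost On
    ProxyRequests     Off
    ProxyPass         / http://127.0.0.1:8090/
    ProxyPassReverse  / http://127.0.0.1:8090/

    # Lets Tomcat know the original scheme if the Connector does not hard-code
    # scheme="https" (requires mod_headers)
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog  logs/wiki_ssl_error.log
    CustomLog logs/wiki_ssl_access.log combined
</VirtualHost>
```

Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded; check the cert and key actually belong together before restarting httpd, since they were generated on a different system.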

0 votes
nelson_d July 22, 2015

Exactly... (and technically it's already running https, I just want to use our 'real' cert which was already created outside of the local keystore).

0 votes
Daniel Eads _unmonitored account_
July 22, 2015

Is the reason behind importing the certificate so you can run Confluence on HTTPS?
