How do I apply an existing wildcard SSL cert for Jira?

I have attempted to follow several articles related to applying an existing wildcard SSL certificate to Jira and have been unsuccessful on each attempt. Whether it's using keytool, config.bat, editing the server.xml file, etc., nothing is working.

We have an existing wildcard cert that we would like to apply to Jira, can someone please assist?  

Thank You!

EC

1 answer

0 votes
Josh Steckler Community Champion Aug 01, 2017

The best way to use SSL is with a web proxy in front of JIRA. But as long as you have the private key for your wildcard certificate and the root CA cert, you can import these into a new keystore. This page seems to explain it well by using openssl before using keytool. https://confluence.atlassian.com/kb/how-to-import-an-existing-ssl-certificate-for-use-in-tomcat-838412853.html

After that, you can configure your server.xml to point to that keystore using the regular instructions.

TY. I have tried the method mentioned and will try it again tomorrow morning. My complaint is really with the way the process is structured, in that there are more than a few assumptions, it states about 3 times the word "assume".

 Any reason this process is not well documented somewhere?  It seems as though the resources for this are all over the place.  I am currently documenting the process and will share all my information once complete, but I do find this process unnecessarily difficult.

Josh Steckler Community Champion Aug 01, 2017

I agree that the Proxy/HTTPS documentation could use improvement, and that there are a lot of assumptions about both the environment and the administrator. But there are also lots of different ways to set this up. It has improved over the past few revisions.

I would also think about looking into a proxy as SSL termination would be handled better by the proxy rather than tomcat. Post again here if you have other issues getting https enabled, and if this works don't forget to hit the "accept as solution" button!

-Josh

I'll let you know by tomorrow if it works. TY!

Regarding the prerequisites on the site that you listed, I have a .crt and .pem file, a keystore, and openssl. What file is needed for the CAFile parameter?
So I have a few questions about the command in the link you have provided:

openssl pkcs12 -export -in host.crt -inkey host.crt.pem -out sslcert.jks -name tomcat -CAfile <What and Where is this file?> -caname root

I did some research on this parameter but did not see any concrete working example, or great explanations.

OpenSSL - Command Line Utilities
https://wiki.openssl.org/index.php/Command_Line_Utilities

When I attempt to run the command I get "unable to load private key"

I'm not frustrated, just wondering why this process has to be so difficult. I have installed and configured SSL certs, as well as custom development for identity services, and I find this process to be all over the place.

@Josh Steckler Would you have time to help me out on this.  I've tried about 10 different methods and still have yet to get this to work. 

Any assistance is appreciated.  TY!

Josh Steckler Community Champion Aug 07, 2017

You need to find your Certificate Authority root certificate and any intermediate certs. You can email me:

firstname_lastname at bose .com

Just sent you a test email, please let me know if you got it.

Josh Steckler Community Champion Aug 07, 2017

Nope. Don't make the subject just "test" - spam filter doesn't like that.

 

Made an image of it: me.png

Just sent another email, let me know if you've received it.

@Josh Steckler Just wanted to let you know that I was able to get this going. I have the process documented, and it's actually not as bad as I thought. Took some time to understand keystores a little more, as well as keeping my eyes on the logs.

Just wanted to thank you for your time, I really appreciated that you took some time out of your day to help me out.  I will post the entire process on a blog real soon.  
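The openssl step discussed in this thread, as an added example that is not from the posters or the linked Atlassian article: it checks that the private key loads and matches the certificate (the usual cause of "unable to load private key" is an `-inkey` file that is not a PEM private key), then exports a PKCS12 keystore whose chain is built from the `-CAfile` bundle. It assumes `openssl` is on the PATH; the file names, subjects, password and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names, subjects and the password are constructed placeholders.
set -eu

# Throwaway root CA plus a wildcard cert signed by it, standing in for the real
# host.crt, host.key and CA root (constructed sample input).
make_sample_files() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=Example Root CA' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj '/CN=*.example.test' -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
  openssl x509 -req -in "$d/host.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/host.crt" 2>/dev/null
}

# Confirm the key file parses as a private key and that its public half is the
# one in the certificate. Args: key cert. Returns 0 on match, 1 otherwise.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# -CAfile is a PEM bundle holding the issuing CA's root and any intermediates.
# openssl only consults it when -chain is given, and -chain makes the export
# fail if the chain cannot be completed. Args: cert key ca_bundle out.p12.
# The keystore password is read from $P12_PASS, not the command line.
export_keystore() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -chain -CAfile "$3" \
    -name tomcat -caname root -out "$4" -passout env:P12_PASS
}

# Number of certificates stored in the keystore (leaf plus CA chain).
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

P12_PASS=changeit; export P12_PASS   # constructed password for the demo
work=$(mktemp -d)
make_sample_files "$work"
key_matches_cert "$work/host.key" "$work/host.crt" && echo "key matches certificate"
export_keystore "$work/host.crt" "$work/host.key" "$work/ca.crt" "$work/jira.p12"
echo "certificates in keystore: $(count_certs "$work/jira.p12")"
```

With real files, skip `make_sample_files` and pass your certificate, its private key, and a PEM file containing the CA root and any intermediates concatenated together.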
