How do I apply an existing wildcard SSL cert for Jira?

I have attempted to follow several articles related to applying an existing wildcard SSL certificate to Jira and have been unsuccessful on each attempt.  Whether it's using keytool, config.bat, editing the server.xml file, etc., nothing is working.

We have an existing wildcard cert that we would like to apply to Jira, can someone please assist?  

Thank You!

EC

1 answer

0 vote
Josh Steckler Community Champion Aug 01, 2017

The best way to use SSL is with a web proxy in front of JIRA. But as long as you have the private key for your wildcard certificate and the root CA cert, you can import these into a new keystore. This page seems to explain it well by using openssl before using keytool. https://confluence.atlassian.com/kb/how-to-import-an-existing-ssl-certificate-for-use-in-tomcat-838412853.html

After that, you can configure your server.xml to point to that keystore using the regular instructions.

TY.  I have tried the method mentioned and will try it again tomorrow morning.  My complaint is really with the way the process is structured, in that there are more than a few assumptions; it states the word "assume" about 3 times.

 Any reason this process is not well documented somewhere?  It seems as though the resources for this are all over the place.  I am currently documenting the process and will share all my information once complete, but I do find this process unnecessarily difficult.

Josh Steckler Community Champion Aug 01, 2017

I agree that the Proxy/HTTPS documentation could use improvement, and that there are a lot of assumptions about both the environment and the administrator. But there are also lots of different ways to set this up. It has improved over the past few revisions.

I would also think about looking into a proxy as SSL termination would be handled better by the proxy rather than tomcat. Post again here if you have other issues getting https enabled, and if this works don't forget to hit the "accept as solution" button!

-Josh

I'll let you know by tomorrow if it works.  TY!

Regarding the prerequisites on the site that you listed, I have a .crt and .pem file, a keystore, and openssl. What file is needed for the CAFile parameter?
So I have a few questions about the command in the link you have provided:

openssl pkcs12 -export -in host.crt -inkey host.crt.pem -out sslcert.jks -name tomcat -CAfile <What and Where is this file?> -caname root

I did some research on this parameter but did not see any concrete working example, or great explanations.

OpenSSL - Command Line Utilities
https://wiki.openssl.org/index.php/Command_Line_Utilities

When I attempt to run the command I get "unable to load private key"

I'm not frustrated, just wondering why this process has to be so difficult. I have installed and configured SSL certs, as well as custom development for identity services, and I find this process to be all over the place.

@Josh Steckler Would you have time to help me out on this?  I've tried about 10 different methods and still have yet to get this to work.

Any assistance is appreciated.  TY!

Josh Steckler Community Champion Aug 07, 2017

You need to find your Certificate Authority root certificate and any intermediate certs. You can email me:

firstname_lastname at bose .com

Just sent you a test email, please let me know if you got it.

Josh Steckler Community Champion Aug 07, 2017

Nope. Don't make the subject just "test" - spam filter doesn't like that.

 

Made an image of it: me.png

Just sent another email, let me know if you've received it.

@Josh Steckler Just wanted to let you know that I was able to get this going.  I have the process documented, and it's actually not as bad as I thought.  Took some time to understand keystores a little more, as well as keeping my eyes on the logs.

Just wanted to thank you for your time, I really appreciated that you took some time out of your day to help me out.  I will post the entire process on a blog real soon.  

Hello @Eric Criniere,

I have the same problem that you talk about in this post. Can you share your process?

I tried several methods and I still have the same problem.

Do not hesitate if you have any questions.

Thanks

Here are some of the steps of what I did to get it working:
* wildcard exported as a .pfx with private key as exportable

* Created a java keystore

* Merge .pfx and java keystore using the command below:

** keytool -importkeystore -srckeystore "<.pfx location>" -srcstoretype pkcs12 -srcalias "<{d71...}>" -destkeystore "<tomcat-keystore.jks>" -deststoretype jks -deststorepass "< java keystore pw>" -destalias tomcat -srcstorepass "pfx store pw"

* Update server.xml with the java keystore information

My issue with this approach is that the password in the server.xml is not encrypted.
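
Added example, not part of the original thread or Atlassian's documentation: a pre-flight check for the certificate, private key and CA chain discussed above, run before they are bundled into a PKCS#12 file for the keytool import. It assumes PEM files and an unencrypted key; the function names, file names, alias and `P12_PASS` variable are placeholders, and it passes the chain with `-certfile`.

```shell
#!/bin/sh
# Added example, not from the thread. File names, alias and P12_PASS are placeholders.
# Assumes PEM input and an unencrypted private key.

# SHA-256 of the public key carried by a certificate / derived from a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r; }
key_pub()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r; }

# check_pair CERT KEY: 0 = key belongs to cert, 1 = mismatch, 2 = KEY is not a private key
check_pair() {
    openssl pkey -in "$2" -noout 2>/dev/null || return 2
    [ "$(cert_pub "$1")" = "$(key_pub "$2")" ]
}

# make_p12 CERT KEY CHAIN OUT ALIAS
# CHAIN is one PEM file holding the CA root certificate plus any intermediates.
make_p12() {
    check_pair "$1" "$2" || { echo "key/cert check failed (code $?)" >&2; return 1; }
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || { echo "cert does not chain to $3" >&2; return 3; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$5" \
        -out "$4" -passout env:P12_PASS
}
# The result is PKCS#12; convert it with the keytool -importkeystore command from the
# thread, using -srcstoretype pkcs12 and -srcalias set to the ALIAS given here.

# demo: builds a throwaway self-signed *.example.test cert (constructed) and bundles it.
demo() {
    d=$(mktemp -d) || return 1
    P12_PASS=changeit; export P12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    make_p12 "$d/cert.pem" "$d/key.pem" "$d/cert.pem" "$d/bundle.p12" tomcat && echo "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh script.sh demo` to see the bundle built from the throwaway certificate; a return code of 2 from `check_pair` means the file given as the key does not contain a private key at all.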

Thank you, I will try it.
