How do I apply an existing wildcard SSL cert for Jira?

Eric Criniere August 1, 2017

I have attempted to follow several articles related to applying an existing wildcard SSL certificate to Jira and have been unsuccessful on each attempt. Whether it's using keytool, config.bat, editing the server.xml file, etc., nothing is working.

We have an existing wildcard cert that we would like to apply to Jira. Can someone please assist?

Thank You!

EC

2 answers

0 votes
Kevin L September 26, 2019

I got this to work, but how do you import the intermediate certs? Thanks

0 votes
josh
August 1, 2017

The best way to use SSL is with a web proxy in front of JIRA. But as long as you have the private key for your wildcard certificate and the root CA cert, you can import these into a new keystore. This page seems to explain it well by using openssl before using keytool. https://confluence.atlassian.com/kb/how-to-import-an-existing-ssl-certificate-for-use-in-tomcat-838412853.html

After that, you can configure your server.xml to point to that keystore using the regular instructions.

Eric Criniere August 1, 2017

TY. I have tried the method mentioned and will try it again tomorrow morning. My complaint is really with the way the process is structured, in that there are more than a few assumptions; it states the word "assume" about 3 times.

Any reason this process is not well documented somewhere? It seems as though the resources for this are all over the place. I am currently documenting the process and will share all my information once complete, but I do find this process unnecessarily difficult.

josh
August 1, 2017

I agree that the Proxy/HTTPS documentation could use improvement, and that there are a lot of assumptions about both the environment and the administrator. But there are also lots of different ways to set this up. It has improved over the past few revisions.

I would also think about looking into a proxy as SSL termination would be handled better by the proxy rather than tomcat. Post again here if you have other issues getting https enabled, and if this works don't forget to hit the "accept as solution" button!

-Josh

Eric Criniere August 1, 2017

I'll let you know by tomorrow if it works. TY!

Eric Criniere August 4, 2017

Regarding the prerequisites on the site that you listed, I have a .crt and .pem file, a keystore, and openssl. What file is needed for the CAFile parameter?
So I have a few questions about the command in the link you have provided:

openssl pkcs12 -export -in host.crt -inkey host.crt.pem -out sslcert.jks -name tomcat -CAfile <What and Where is this file?> -caname root

I did some research on this parameter but did not see any concrete working example, or great explanations.

OpenSSL - Command Line Utilities
https://wiki.openssl.org/index.php/Command_Line_Utilities

When I attempt to run the command I get "unable to load private key"

I'm not frustrated, just wondering why this process has to be so difficult. I have installed and configured SSL certs, as well as custom development for identity services, and I find this process to be all over the place.

Eric Criniere August 7, 2017

@josh Would you have time to help me out on this? I've tried about 10 different methods and still have yet to get this to work.

Any assistance is appreciated.  TY!

josh
August 7, 2017

You need to find your Certificate Authority root certificate and any intermediate certs. You can email me:

firstname_lastname at bose .com

Eric Criniere August 7, 2017

Just sent you a test email, please let me know if you got it.

josh
August 7, 2017

Nope. Don't make the subject just "test" - spam filter doesn't like that.


Made an image of it: me.png

Eric Criniere August 7, 2017

Just sent another email, let me know if you've received it.

Eric Criniere August 14, 2017

@josh Just wanted to let you know that I was able to get this going. I have the process documented, and it's actually not as bad as I thought. Took some time to understand keystores a little more, as well as keeping my eyes on the logs.

Just wanted to thank you for your time, I really appreciated that you took some time out of your day to help me out. I will post the entire process on a blog real soon.

Janio Andre Gutierrez March 20, 2018

Hello @Eric Criniere,

I have the same problem that you talk about in this post. Can you share your process?

I tried several methods and I still have the same problem.

Do not hesitate if you have any questions.

Thanks

Eric Criniere March 20, 2018

Here are some of the steps of what I did to get it working:
* Wildcard exported as a .pfx with private key as exportable

* Created a java keystore

* Merge .pfx and java keystore using the command below:

** keytool -importkeystore -srckeystore "<.pfx location>" -srcstoretype pkcs12 -srcalias "<{d71...}>" -destkeystore "<tomcat-keystore.jks>" -deststoretype jks -deststorepass "< java keystore pw>" -destalias tomcat -srcstorepass "pfx store pw"

* Update server.xml with the java keystore information

My issue with this approach is that the password in the server.xml is not encrypted.

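Putting josh's openssl-then-keytool route and Eric's keytool -importkeystore steps together, here is an added example script. It is not code from the thread, from Atlassian's KB article or from the OpenSSL/Java projects; it is an illustration written for this page. It also covers the two questions left open above: the "CAfile" is simply the intermediate CA certificate(s) followed by the root, concatenated in PEM (the leaf is not included), and passing that file to openssl pkcs12 with -certfile is what carries the intermediates into the PKCS12 and from there into the JKS. The root CA, intermediate CA and wildcard leaf it uses are a constructed throwaway PKI generated on the fly so the script runs offline; with a real certificate you would skip make_test_pki and point HOST_CRT, HOST_KEY and CHAIN_PEM at the files from your CA. All paths, passwords, aliases and the example.com name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, Atlassian's KB or OpenSSL/Java.
# Builds a PKCS12 bundle (leaf cert + private key + CA chain) with openssl,
# checks it, and imports it into a JKS keystore for Tomcat with keytool.
# The root, intermediate and wildcard leaf are a CONSTRUCTED throwaway PKI so
# the script runs offline; with a real certificate skip make_test_pki and set
# HOST_CRT / HOST_KEY / CHAIN_PEM to your CA's files. Passwords are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
HOST_CRT="$WORK/host.crt"      # leaf (wildcard) certificate, PEM
HOST_KEY="$WORK/host.key"      # its private key, PEM, unencrypted
CHAIN_PEM="$WORK/chain.pem"    # intermediate(s) then root: this is the "CAfile"
P12_OUT="$WORK/sslcert.p12"
JKS_OUT="$WORK/tomcat-keystore.jks"
P12PASS="${P12PASS:-constructed-p12-pw}"
JKSPASS="${JKSPASS:-constructed-jks-pw}"

# Sign a CSR with a CA key and an extension file (portable across openssl versions).
sign_csr() { # csr cakey cacert-or-"self" extfile out
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1" -signkey "$2" -days 30 -extfile "$4" -out "$5" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -CAcreateserial -days 30 \
      -extfile "$4" -out "$5" 2>/dev/null
  fi
}

# Constructed stand-in PKI: root CA -> intermediate CA -> wildcard leaf.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' > "$WORK/leaf.ext"
  for name in root int host; do
    case $name in
      root) subj="/CN=Constructed Test Root" ;;
      int)  subj="/CN=Constructed Test Intermediate" ;;
      host) subj="/CN=*.example.com" ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  sign_csr "$WORK/root.csr" "$WORK/root.key" self         "$WORK/ca.ext"   "$WORK/root.crt"
  sign_csr "$WORK/int.csr"  "$WORK/root.key" "$WORK/root.crt" "$WORK/ca.ext"   "$WORK/int.crt"
  sign_csr "$WORK/host.csr" "$WORK/int.key"  "$WORK/int.crt"  "$WORK/leaf.ext" "$HOST_CRT"
}

# 1. The key must belong to the certificate. Comparing the public halves catches
#    the usual causes of "unable to load private key" / "No certificate matches
#    private key": passing the certificate where the key is expected, an
#    encrypted key, or a key from a different CSR.
key_matches_cert() { # cert key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 2. Build the chain file: intermediate CA cert(s) first, root last, leaf NOT
#    included. Verify the chain actually links before it goes into a keystore.
build_chain() { # intermediate root
  cat "$1" "$2" > "$CHAIN_PEM"
  openssl verify -CAfile "$2" -untrusted "$1" "$HOST_CRT" >/dev/null
}

# 3. Bundle into PKCS12. -certfile is what carries the chain into the bundle;
#    -CAfile only matters for export when -chain is also given. (Very old Java
#    releases may need the bundle written with openssl's -legacy option.)
export_p12() {
  openssl pkcs12 -export -in "$HOST_CRT" -inkey "$HOST_KEY" -certfile "$CHAIN_PEM" \
    -name tomcat -out "$P12_OUT" -passout "pass:$P12PASS"
}

# Certificates inside the bundle: leaf + intermediate + root = 3 for this PKI.
p12_cert_count() {
  openssl pkcs12 -in "$P12_OUT" -nokeys -passin "pass:$P12PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# 4. Import into the JKS Tomcat reads (Eric's keytool -importkeystore step).
#    -destkeypass is set equal to the store password because Tomcat's keyPass
#    defaults to keystorePass. Tomcat can also read the .p12 directly with
#    keystoreType="PKCS12".
import_to_jks() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found, skipping JKS import (needs a JDK/JRE)" >&2; return 0
  fi
  keytool -importkeystore -srckeystore "$P12_OUT" -srcstoretype pkcs12 -srcstorepass "$P12PASS" \
    -srcalias tomcat -destkeystore "$JKS_OUT" -deststoretype jks -deststorepass "$JKSPASS" \
    -destkeypass "$JKSPASS" -destalias tomcat -noprompt
  keytool -list -v -keystore "$JKS_OUT" -storepass "$JKSPASS" | grep 'Certificate chain length'
}

make_test_pki
key_matches_cert "$HOST_CRT" "$HOST_KEY" || { echo "key does not match certificate" >&2; exit 1; }
build_chain "$WORK/int.crt" "$WORK/root.crt"
export_p12
echo "certificates in $P12_OUT: $(p12_cert_count)"
import_to_jks
```

With a real certificate the only inputs are the leaf, its unencrypted key, and the CA's intermediate and root files; the key_matches_cert and openssl verify checks are the ones worth running before touching server.xml, because a mismatched key or a missing intermediate shows up there in seconds rather than as a vague Tomcat startup error.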
Janio Andre Gutierrez March 20, 2018

Thank you, I will try it.
