Configure JIRA over SSL with already issued certificate

Hello,

I'm trying to follow https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS however I've already had the certificate issued previously (we are using a wildcard SSL). I have the original CSR file and can download the file in most formats from GoDaddy, but I'm unsure of what I need to do to get this configured.

I'm currently on Windows 2008 R2 using Tomcat. I originally was going to put this behind a load balancer that would handle the SSL traffic, but it appears JIRA needs to be configured as well.

I have the certificate files from GoDaddy using the Tomcat option. The files that come with it are bd_bundle.crt, bd_intermediate.crt and wildcard.crt. I've tried:

"<jira-install-dir>\jre\bin\keytool" -import -alias tomcatCACert -file file.cer -keystore "<install_dir>\jre\lib\security\cacerts"

When using config.bat, I put in all the information:

Keystore Path: "<install_dir>\jre\lib\security\cacerts"
Keystore Password: <the password>
Key Alias: tomcatCACert

I get the error "The private key could not be found in the key store"

5 answers

1 accepted

Thanks - I ended up doing a number of steps:

1. I exported the cert and private key from MMC in Windows

2. I then extracted the private key and the cert key

3. I then followed the steps here http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

It generated an alias and I was able to use this to configure Jira over SSL.

Richie Gee Atlassian Team Mar 02, 2014

Hey there,

Thank you so much for sharing this information. Would you mind accepting this answer so that it can benefit the community? :)

I think a more common format for keys is the PFX file. This is how I added it to the JIRA webserver. Thanks very much for your advice here (other commentators), which connected the dots for me.

1.) Get your already issued .pfx file and copy it to the Java JRE/bin directory (for me this is C:\Program Files\Java\jre1.8.0_144\bin)

2.) Open a command prompt and navigate to the same directory (C:\Program Files\Java\jre1.8.0_144\bin)

3.) Run the following command, substituting YOUR.CERTIFICATE.PFX for your key file name:

keytool -importkeystore -srckeystore YOUR.CERTIFICATE.PFX -destkeystore jira.jks -srcstoretype pkcs12

4.) Make sure all the passwords you are using match. It should report successfully after the above command is run.

5.) Move the jira.jks file to the JIRA home directory (C:\Program Files\Atlassian\JIRA)

6.) Run the Portecle program (http://portecle.sourceforge.net/) and open the jira.jks file above

7.) Change the name on the certificate (it gets some GUID name in step 4 above...) using Portecle. For me, I use *.domain.ca, and save it. Any passwords should be the same as previous.

8.) Open the config.bat program to configure the JIRA webserver. On the webserver tab, flip the profile to HTTP and HTTPS and put in the ports that you want (I use 80 and 443). Set the keystore path to your jira.jks file, the password to the password you were using above, and the key alias to the name of the alias changed in step 7.

9.) Check the certificate with the button, and for me it all worked!

9a.) (If you are using JIRA version 7.3.x, there is a bug that doesn't let you start the service until you change a line in server.xml. REF: https://community.atlassian.com/t5/Jira-questions/JIRA-won-t-start-after-installing-and-configuring-SSL/qaq-p/639260 ) Change protocol="org.apache.coyote.http11.Http11Protocol" to protocol="org.apache.coyote.http11.Http11NioProtocol"

10.) RESTART THE SERVER or the Atlassian JIRA service.

I found KeyStore Explorer handy instead of Portecle. You can import your cert files directly into a keystore (.ks). You can also create new keystores.
Also, nobody is talking about certificate aliases. They are important and should match your connector.

Just to add, I am also discovering now that you have to add a PEM file to the Java keystore; otherwise there are errors in the logs and some things do not work. The document below has to be followed as well, along with my steps above.

https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html

Well, no one is claiming it's easy, I guess.

Hi, have you tried setting the keystore type to match the format you're using?

If you're using Tomcat without APR enabled this is direct Java SSL and not OpenSSL. To use OpenSSL and OpenSSL style configuration instead you could enable APR.

I would advise creating your own keystore and experimenting with that rather than cacerts.
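
The "private key could not be found" error in the question is what you get when an alias holds only a certificate: `keytool -import -file` on a certificate creates a trustedCertEntry, while importing a PFX creates a PrivateKeyEntry. As an added example (not from this thread or from Atlassian), this Python sketch reads the text of `keytool -list -v` and reports whether an alias can back the HTTPS connector; the sample listing, the alias `wildcard` and the function names are constructed for illustration.

```python
import re

# Constructed, abridged `keytool -list -v` listing: the first entry is a bare
# certificate import, the second comes from a PFX with its key and chain.
SAMPLE = """\
Your keystore contains 2 entries

Alias name: tomcatcacert
Creation date: Mar 2, 2014
Entry type: trustedCertEntry

Alias name: wildcard
Creation date: Mar 2, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 3
"""

FIELD = re.compile(r"^(Alias name|Entry type|Certificate chain length): (.*)$")

def parse_entries(listing):
    """Return {lowercased alias: {"type": str, "chain": int}} from the listing."""
    entries, current = {}, None
    for line in listing.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Alias name":
            # JKS aliases are case-insensitive, so compare them lowercased.
            current = entries.setdefault(value.lower(), {"type": None, "chain": 0})
        elif current is not None and key == "Entry type":
            current["type"] = value
        elif current is not None:
            current["chain"] = int(value)
    return entries

def check_alias(listing, alias):
    """Explain whether `alias` can serve as the connector's key alias."""
    entry = parse_entries(listing).get(alias.lower())
    if entry is None:
        return "missing: no such alias in this keystore"
    if entry["type"] != "PrivateKeyEntry":
        return "unusable: %s holds a certificate only, no private key" % entry["type"]
    if entry["chain"] < 2:
        return "usable, but the chain has no intermediate certificates"
    return "usable: private key with a chain of %d certificates" % entry["chain"]

if __name__ == "__main__":
    for name in ("tomcatCACert", "wildcard", "tomcat"):
        print(name, "->", check_alias(SAMPLE, name))
```

To check a real keystore, save the output of `keytool -list -v -keystore jira.jks` to a file and pass its contents to `check_alias` with the alias you entered in config.bat.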
