Configure JIRA over SSL with already issued certificate

Hello,

I'm trying to follow https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS however I've already had the certificate issued previously (we are using a wildcard SSL). I have the original CSR file and can download the file in most formats from GoDaddy, but I'm unsure of what I need to do to get this configured.

I'm currently on Windows 2008 R2 using tomcat. I originally was going to put this behind a load balancer that would handle the SSL traffic, but it appears JIRA needs to be configured as well.

I have the certificate files from GoDaddy using Tomcat option. Files come with the bd_bundle.crt, bd_intermediate.crt, wildcard.crt. I've tried

"<jira-install-dir>\jre\bin\keytool" -import -alias tomcatCACert -file file.cer -keystore "<install_dir>\jre\lib\security\cacerts"

When using config.bat, I put in all the information:

Keystore Path: "<install_dir>\jre\lib\security\cacerts"
Keystore Password: <the password>
Key Alias: tomcatCACert

I get the error "The private key could not be found in the key store"

6 answers

1 accepted

0 votes
Answer accepted

Thanks - I ended up doing a number of steps:

1. I exported the cert and private key from MMC in Windows

2. I then extracted the private key and the cert key

3. I then followed the steps here http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

It generated an alias and I was able to use this to configure Jira over SSL.


I think a more common format for keys is the PFX file. This is how I added it to the Jira webserver. Thanks very much for your advice here (other commentators), which connected the dots for me.

1.) Get your already issued .pfx file and copy it to the Java JRE/bin directory (for me this is C:\Program Files\Java\jre1.8.0_144\bin)

2.) Open a command prompt and navigate to the same directory (C:\Program Files\Java\jre1.8.0_144\bin)

3.) Run the following command, substituting YOUR.CERTIFICATE.PFX for your key file name:

keytool -importkeystore -srckeystore YOUR.CERTIFICATE.PFX -destkeystore jira.jks -srcstoretype pkcs12

4.) Make sure all the passwords you are using match. It should report successfully after the above command is run.

5.) Move the jira.jks file to the JIRA home directory (C:\Program Files\Atlassian\JIRA)

6.) Run the portecle program (http://portecle.sourceforge.net/) and open the jira.jks file above

7.) Change the name on the certificate (it gets some GUID name in step 4 above...) using portecle. For me I use *.domain.ca. and save it. Any passwords should be the same as previous.

8.) Open the config.bat program to configure the Jira webserver. On the webserver tab, flip the profile to http and https and put in the ports that you want (I use 80 and 443). Set the keystore path to your jira.jks file, the password to the password you were using above, and the key alias to the name of the alias changed in step 7.

9.) Check the certificate with the button, and for me it all worked!

9a.) (If you are using Jira version 7.3.x, there is a bug that doesn't let you start the service until you change a line in server.xml. REF: https://community.atlassian.com/t5/Jira-questions/JIRA-won-t-start-after-installing-and-configuring-SSL/qaq-p/639260 ) Change protocol="org.apache.coyote.http11.Http11Protocol" to protocol="org.apache.coyote.http11.Http11NioProtocol"

10.) RESTART THE SERVER or the Atlassian Jira service.

I found KeyStore Explorer handy instead of Portecle. You can import your cert files directly into a keystore (.ks). You can also create new keystores.
Also, nobody is talking about certificate aliases. They are important and should match your connector.

Just to add, I am also discovering now that you have to add a PEM file to the Java keystore. Otherwise there are errors in the logs and some things do not work. The below document has to be done as well, along with my steps above.

https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html

Well, no one is claiming it's easy, I guess.

Thanks - I ended up doing a number of steps:

1. I exported the cert and private key from MMC in Windows

2. I then extracted the private key and the cert key

3. I then followed the steps here http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

It generated an alias and I was able to use this to configure Jira over SSL.

Richie Gee Atlassian Team Mar 02, 2014

Hey there,

Thank you so much for sharing this information. Would you mind accepting this answer so that it could benefit the community? :)

Hi, have you tried setting the keystore type to match the format you're using?

If you're using Tomcat without APR enabled this is direct Java SSL and not OpenSSL. To use OpenSSL and OpenSSL style configuration instead you could enable APR.

I would advise creating your own keystore and experimenting with that rather than cacerts.


Hello

I've been trying to install and configure SSL for JIRA and have had no luck in getting past this error.

I've followed the instructions, and when I go into the JIRA configuration tool and click on "Check Certificate in Key Store" I get the following error.

"THE PRIVATE KEY COULD NOT BE FOUND IN THE KEY STORE"

I've used portecle and other tools to create and import this SSL certificate. What is it that I'm missing? Please help.

Thanks

Wrong Alias name.

Little update in 2019.
Recently I needed to reset the whole system.
And... I did that basically in 30 minutes by using Traefik as an edge proxy and Jira + Confluence Docker containers.
Now I have a single docker-compose file to spin them both up, with built-in Let's Encrypt support.
So... I would advise that you guys try to use Docker containers for Jira and Confluence. It will probably be much easier, and you will always have a single setup file to run when needed.

That sounds super great!  Any chance you'd share your (anonymized) docker-compose files with the community?
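An added example, not part of any post in this thread: the "private key could not be found" error comes down to what kind of entry sits behind the configured alias, and this sketch classifies the cases discussed above from `keytool -list` output. The function names and both sample listings are constructed for illustration, and the parser assumes keytool's non-verbose, en-US output format.

```python
import re

# Entry lines of `keytool -list` (non-verbose, en-US dates) look like:
#   tomcatcacert, Mar 2, 2014, trustedCertEntry,
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), .+, "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$"
)

# Constructed sample: certificate added to cacerts with `keytool -import`.
CACERTS_LISTING = """\
Your keystore contains 1 entry

tomcatcacert, Mar 2, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
"""

# Constructed sample: .pfx imported with `keytool -importkeystore`, alias not renamed.
JKS_LISTING = """\
Your keystore contains 1 entry

le-constructed-0001, Sep 1, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>
"""

def parse_listing(text):
    """Map lowercased alias -> entry type (JKS/PKCS12 aliases are case-insensitive)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("alias").lower()] = m.group("type")
    return entries

def diagnose(listing, key_alias):
    """Return (verdict, aliases that do hold a private key) for a connector alias."""
    entries = parse_listing(listing)
    key_aliases = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    kind = entries.get(key_alias.lower())
    if kind == "PrivateKeyEntry":
        return "ok", key_aliases
    if kind is None:
        return "alias-not-found", key_aliases
    return "certificate-only", key_aliases  # cert imported without its key

if __name__ == "__main__":
    print(diagnose(CACERTS_LISTING, "tomcatCACert"))
    print(diagnose(JKS_LISTING, "*.domain.ca"))
```

A real listing comes from `keytool -list -keystore jira.jks`. An entry can be renamed without a GUI tool using `keytool -changealias -alias <old> -destalias <new> -keystore jira.jks`.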
