Configure JIRA over SSL with already issued certificate

Hello,

I'm trying to follow https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS however I've already had the certificate issued previously (we are using a wildcard SSL). I have the original CSR file and can download the file in most formats from GoDaddy, but I'm unsure of what I need to do to get this configured.

I'm currently on Windows 2008 R2 using tomcat. I originally was going to put this behind a load balancer that would handle the SSL traffic, but it appears JIRA needs to be configured as well.

I have the certificate files from GoDaddy, downloaded using the Tomcat option. The download comes with bd_bundle.crt, bd_intermediate.crt, and wildcard.crt. I've tried:

"<jira-install-dir>\jre\bin\keytool" -import -alias tomcatCACert -file file.cer -keystore "<install_dir>\jre\lib\security\cacerts"

When using config.bat, I put in all the information:

Keystore Path: "<install_dir>\jre\lib\security\cacerts"
Keystore Password: <the password>
Key Alias: tomcatCACert

I get the error "The private key could not be found in the key store"

5 answers

1 accepted

Thanks - I ended up doing a number of steps:

1. I exported the cert and private key from MMC in Windows

2. I then extracted the private key and the cert key

3. I then followed the steps here http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

It generated an alias and I was able to use this to configure Jira over SSL.

Richie Gee Atlassian Team Mar 02, 2014

Hey there,

Thank you so much for sharing this information. Would you mind accepting this answer so that it can benefit the community? :)

Hi, have you tried setting the keystore type to match the format you're using?

If you're using Tomcat without APR enabled this is direct Java SSL and not OpenSSL. To use OpenSSL and OpenSSL style configuration instead you could enable APR.

I would advise creating your own keystore and experimenting with that rather than cacerts.

I think a more common format for keys is the PFX file. This is how I added it to the Jira web server. Thanks very much for your advice here (other commentators), which connected the dots for me.

1.) Get your already issued .pfx file and copy it to the Java JRE/bin directory (for me this is C:\Program Files\Java\jre1.8.0_144\bin)

2.) Open a command prompt and navigate to the same directory (C:\Program Files\Java\jre1.8.0_144\bin)

3.) Run the following command, substituting YOUR.CERTIFICATE.PFX for your key file name:

keytool -importkeystore -srckeystore YOUR.CERTIFICATE.PFX -destkeystore jira.jks -srcstoretype pkcs12

4.) Make sure all the passwords you are using match. It should report success after the above command is run.

5.) Move the jira.jks file to the JIRA home directory (C:\Program Files\Atlassian\JIRA)

6.) Run the Portecle program (http://portecle.sourceforge.net/) and open the jira.jks file above

7.) Change the name on the certificate (it gets some GUID name in step 4 above...) using Portecle. For me, I use *.domain.ca, and save it. Any passwords should be the same as previous.

8.) Open the config.bat program to configure the Jira web server. On the web server tab, flip the profile to HTTP and HTTPS and put in the ports that you want (I use 80 and 443). Set the keystore path to your jira.jks file, the password to the password you were using above, and the key alias to the name of the alias changed in step 7.

9.) Check the certificate with the button, and for me it all worked!

9a.) (If you are using Jira version 7.3.x, there is a bug that doesn't let you start the service until you change a line in server.xml. REF: https://community.atlassian.com/t5/Jira-questions/JIRA-won-t-start-after-installing-and-configuring-SSL/qaq-p/639260 ) Change protocol="org.apache.coyote.http11.Http11Protocol" to protocol="org.apache.coyote.http11.Http11NioProtocol"

10.) RESTART THE SERVER or the Atlassian Jira service.

I found KeyStore Explorer handy instead of Portecle. You can import your cert files directly into a keystore (.ks), and you can also create new keystores.
Also, nobody is talking about certificate aliases. They are important and should match your connector.

Just to add, I am also discovering now that you have to add a PEM file to the Java keystore; otherwise there are errors in the logs and some things do not work. The document below has to be done as well, along with my steps above.

https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html

Well, no one is claiming it's easy, I guess.
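
Added example, not part of the original posts: `keytool -import` of a certificate file stores a trustedCertEntry, which is why the question's alias had no private key, while the HTTPS connector needs a PrivateKeyEntry under the configured alias. The script below checks `keytool -list` output for that and shows the PFX import with an explicit alias; the sample listing is constructed, and `jira.jks`, the aliases and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example; jira.jks, the aliases and the function names are placeholders.

# entry_type ALIAS: read `keytool -list` output on stdin and print the entry
# type stored under ALIAS (PrivateKeyEntry, trustedCertEntry, ...) or "missing".
entry_type() {
    # keytool lists JKS aliases in lower case, so compare case-insensitively.
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        # Entry lines look like:  alias, Mar 2, 2014, PrivateKeyEntry,
        /Entry,[ ]*$/ && index(tolower($0), want ", ") == 1 {
            line = $0
            sub(/,[ ]*$/, "", line)       # drop the trailing comma
            n = split(line, f, ", ")
            print f[n]                    # last field is the entry type
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# has_private_key ALIAS: succeed only if ALIAS can serve as a TLS server key.
has_private_key() {
    [ "$(entry_type "$1")" = "PrivateKeyEntry" ]
}

# import_pfx FILE.pfx SRC_ALIAS DEST_ALIAS: copy the key pair into jira.jks
# under a chosen alias, then verify it. keytool prompts for the passwords.
import_pfx() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
            -srcalias "$2" -destkeystore jira.jks -destalias "$3" &&
    keytool -list -keystore jira.jks | has_private_key "$3"
}

# Constructed sample of `keytool -list` output (fingerprints elided).
sample_listing() {
    cat <<'EOF'
Your keystore contains 2 entries

tomcatcacert, Mar 2, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed)
*.domain.ca, Mar 2, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): (constructed)
EOF
}

# Demo on the constructed listing; keytool itself is not needed for this part.
for a in tomcatCACert '*.domain.ca'; do
    printf '%s -> %s\n' "$a" "$(sample_listing | entry_type "$a")"
done
```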
