Configure JIRA over SSL with already issued certificate

s May 8, 2013

Hello,

I'm trying to follow https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS however I've already had the certificate issued previously (we are using a wildcard SSL). I have the original CSR file and can download the file in most formats from GoDaddy, but I'm unsure of what I need to do to get this configured.

I'm currently on Windows 2008 R2 using tomcat. I originally was going to put this behind a load balancer that would handle the SSL traffic, but it appears JIRA needs to be configured as well.

I have the certificate files from GoDaddy using the Tomcat option. The files come with bd_bundle.crt, bd_intermediate.crt, wildcard.crt. I've tried:

"<jira-install-dir>\jre\bin\keytool" -import -alias tomcatCACert -file file.cer -keystore "<install_dir>\jre\lib\security\cacerts"

When using config.bat, I put in all the information:
Keystore Path: "<install_dir>\jre\lib\security\cacerts"
Keystore Password: <the password>
Key Alias: tomcatCACert

I get the error "The private key could not be found in the key store"

6 answers

1 accepted

1 vote
Answer accepted
s March 2, 2014

Thanks - I ended up doing a number of steps:

1. I exported the cert and private key from MMC in Windows

2. I then extracted the private key and the cert key

3. I then followed the steps here http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

It generated an alias and I was able to use this to configure Jira over SSL.

3 votes
JiraYo
Rising Star
November 15, 2017


I think a more common format for keys is the PFX file. This is how I added it to the Jira webserver. Thanks very much for your advice here (other commentators), which connected the dots for me.

1.) Get your already issued .pfx file and copy it to the Java JRE/bin directory (for me this is C:\Program Files\Java\jre1.8.0_144\bin)

2.) Open a command prompt and navigate to the same directory (C:\Program Files\Java\jre1.8.0_144\bin)

3.) Run the following command, substituting YOUR.CERTIFICATE.PFX for your key file name:

keytool -importkeystore -srckeystore YOUR.CERTIFICATE.PFX -destkeystore jira.jks -srcstoretype pkcs12

4.) Make sure all the passwords you are using match. It should report successfully after the above command is run.

5.) Move the jira.jks file to the JIRA home directory (C:\Program Files\Atlassian\JIRA)

6.) Run the Portecle program (http://portecle.sourceforge.net/) and open the jira.jks file above

7.) Change the name on the certificate (it gets some GUID name in step 4 above...) using Portecle. For me, I use *.domain.ca, and save it. Any passwords should be the same as previous.

8.) Open the config.bat program to configure the Jira webserver. On the webserver tab, flip the profile to http and https and put in the ports that you want (I use 80 and 443). Set the keystore path to your jira.jks file, the password to the password you were using above, and the key alias to the name of the alias changed in step 7.

9.) Check the certificate with the button, and for me it all worked!

9a.) If you are using Jira version 7.3.x, there is a bug that doesn't let you start the service until you change a line in server.xml (REF: https://community.atlassian.com/t5/Jira-questions/JIRA-won-t-start-after-installing-and-configuring-SSL/qaq-p/639260 ): change protocol="org.apache.coyote.http11.Http11Protocol" to protocol="org.apache.coyote.http11.Http11NioProtocol"

10.) RESTART THE SERVER or the Atlassian Jira service.

Dzintars December 4, 2017

I found KeyStore Explorer handy instead of Portecle. You can import your cert files directly into a keystore (.ks). You can also create new keystores.
Also, nobody is talking about certificate aliases. They are important and should match your connector.

JiraYo
Rising Star
December 18, 2017

Just to add, I am also discovering now that you have to add a PEM file to the Java keystore. Otherwise there are errors in the logs and some things do not work. The below document has to be done as well, along with my steps above.

https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html

Well, no one is claiming it's easy, I guess.

2 votes
s May 8, 2013

Thanks - I ended up doing a number of steps:

1. I exported the cert and private key from MMC in Windows

2. I then extracted the private key and the cert key

3. I then followed the steps here http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

It generated an alias and I was able to use this to configure Jira over SSL.

richie_gee
Atlassian Team
March 2, 2014

Hey there,

Thank you so much for sharing this information. Would you mind accepting this answer so that it can benefit the community? :)

0 votes
Dzintars March 15, 2019

A little update in 2019.
Recently I needed to reset the whole system.
And... I did that in basically 30 minutes by using Traefik as an edge proxy and Jira + Confluence Docker containers.
Now I have a single docker-compose file to spin them both up with built-in Let's Encrypt support.
So... I would advise that you guys try to use Docker containers for Jira and Confluence. It will probably be much easier, and you will always have a single setup file to run when needed.

Chad Mercer September 30, 2019

That sounds super great!  Any chance you'd share your (anonymized) docker-compose files with the community?

0 votes
Kim Bennett March 2, 2014

Thanks - I ended up doing a number of steps:

1. I exported the cert and private key from MMC in Windows

2. I then extracted the private key and the cert key

3. I then followed the steps here http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

It generated an alias and I was able to use this to configure Jira over SSL.

Pani Baruri February 13, 2019

Hello

I've been trying to install and configure SSL for JIRA, with no luck in getting past this error.

I've followed the instructions, and when I go into the JIRA configuration tool and click on "Check Certificate in Key Store" I get the following error:

"THE PRIVATE KEY COULD NOT BE FOUND IN THE KEY STORE"

I've used Portecle and other tools to create and import this SSL certificate. What is it that I'm missing? Please help.

Thanks

Terry Brooks June 13, 2019

Wrong Alias name.

0 votes
Harry Chan
Rising Star
May 8, 2013

Hi, have you tried setting the keystore type to match the format you're using?

If you're using Tomcat without APR enabled this is direct Java SSL and not OpenSSL. To use OpenSSL and OpenSSL style configuration instead you could enable APR.

I would advise creating your own keystore and experimenting with that rather than cacerts.
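
An added example, not part of any post in this thread: a Python check over `keytool -list` output that separates the two causes of "The private key could not be found in the key store" raised above, namely an alias that holds only a certificate (what `keytool -import` of a .cer file produces) and an alias name that does not match the keystore. The sample listing and its alias names are constructed, and the entry-line format assumes an English-locale keytool.

```python
import re

# Constructed sample of `keytool -list -keystore jira.jks` output (not from the thread).
# JKS aliases are case-insensitive and keytool lists them in lower case.
SAMPLE_LIST_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcatcacert, May 8, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD (constructed)
constructed-guid-alias-0001, Nov 15, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44 (constructed)
"""

# "<alias>, <date>, <entry type>," ; the date layout assumes an English locale.
ENTRY_RE = re.compile(r"^(.+?), .*, (\w+Entry),\s*$")


def parse_entries(list_output):
    """Return {alias: entry_type} for every entry line in `keytool -list` text."""
    entries = {}
    for line in list_output.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries[match.group(1).lower()] = match.group(2)
    return entries


def check_alias(list_output, alias):
    """Classify whether a connector alias can serve TLS.

    Returns (status, key_aliases): status is "ok", "certificate-only" (the
    alias holds a certificate but no private key) or "alias-not-found";
    key_aliases lists the entries that do hold a private key.
    """
    entries = parse_entries(list_output)
    key_aliases = sorted(a for a, kind in entries.items() if kind == "PrivateKeyEntry")
    kind = entries.get(alias.lower())
    if kind is None:
        return "alias-not-found", key_aliases
    if kind != "PrivateKeyEntry":
        return "certificate-only", key_aliases
    return "ok", key_aliases


if __name__ == "__main__":
    for candidate in ("tomcatCACert", "*.domain.ca", "constructed-guid-alias-0001"):
        print(candidate, "->", check_alias(SAMPLE_LIST_OUTPUT, candidate))
```

A "certificate-only" result means the private key was never imported under that alias; "alias-not-found" alongside a non-empty key list means the key is present under a different name.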
