Problems with JKS and SSL

Kabouter Technology
I'm New Here
September 18, 2019

I am using Portecle to install a GoDaddy certificate into JIRA. I am using it to create a JKS file for the web server.

I issued the CSR to GoDaddy and got intermediate certs and the site cert back. I split the intermediate bundle, as Portecle cannot import groups of certs; it needs them one at a time.

I imported the CA Reply.

When I check the Certificate in the Key Store, it gives me the error:

"The private key could not be found in the key store"

I am following the guide here:

https://confluence.atlassian.com/adminjiraserver073/running-jira-applications-over-ssl-or-https-861253906.html

Do I need to somehow derive the private key from the .crt file? 

1 answer

1 vote
Dave Theodore [Coyote Creek Consulting]
Community Leader
September 18, 2019

I wouldn't recommend doing it this way. It's a management hassle (as you are learning) and in order to have Jira listen on port 443, you need to run the Java process as root. If a vulnerability allows an attacker to execute arbitrary code, it will run as root and make it easy for someone to compromise your server.

My recommendation would be to set up a reverse proxy server, such as Apache, and point that at Jira running as an unprivileged user on the default 8080 port. When your cert expires, you simply replace the cert and key, then bounce Apache. Easy peasy. I hope that helps.

Kabouter Technology
September 18, 2019

Ok. 

I can see the problems with using JKS files in Tomcat. But even with a self-signed cert (which I would need to do a reverse proxy) the problem is going to be the same.

Dave Theodore [Coyote Creek Consulting]
September 18, 2019

It's easy to convert from JKS to PEM format. A variety of methods are discussed on this Stack Overflow post.
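
The JKS-to-PEM conversion mentioned in the last reply, as an added example that is not part of the thread and not taken from the linked post: it copies one keystore entry to PKCS#12 with keytool, extracts the key and certificates with openssl, and fails if the entry holds no private key or the key does not match the site certificate. The entry name, output paths and the `KS_PASS` environment variable are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example: export one JKS entry to PEM files a reverse proxy can load.
# Entry name, paths and KS_PASS are placeholders. Assumes the key password
# equals the store password; export it as KS_PASS so it is passed through the
# environment instead of appearing on a command line.

_p12() {  # openssl pkcs12, retried with -legacy for stores written by older JDKs
    openssl pkcs12 -passin env:KS_PASS "$@" 2>/dev/null ||
    openssl pkcs12 -legacy -passin env:KS_PASS "$@" 2>/dev/null
}

# key_matches_cert KEY CERT: succeeds only if both carry the same public key.
key_matches_cert() (
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$k" ] && [ "$k" = "$c" ]
)

# jks_to_pem KEYSTORE ENTRY OUTDIR
# Writes OUTDIR/ENTRY.key, ENTRY.crt (site cert) and ENTRY.chain.crt (CA certs).
# The body runs in a subshell, so umask and exit do not affect the caller.
jks_to_pem() (
    jks=$1 entry=$2 out=$3
    [ -n "$KS_PASS" ] || { echo "export KS_PASS first" >&2; exit 1; }
    umask 077                       # key material readable by the owner only
    mkdir -p "$out" || exit 1
    p12="$out/$entry.p12"; rm -f "$p12"
    # openssl cannot read JKS, so copy the entry into a PKCS#12 store first.
    keytool -importkeystore -noprompt -srckeystore "$jks" -srcstoretype JKS \
        -srcstorepass:env KS_PASS -srcalias "$entry" -destkeystore "$p12" \
        -deststoretype PKCS12 -deststorepass:env KS_PASS >/dev/null 2>&1 || exit 1
    # -nodes writes the key unencrypted so the proxy can start unattended.
    _p12 -in "$p12" -nocerts -nodes -out "$out/$entry.key"
    _p12 -in "$p12" -nokeys -clcerts -out "$out/$entry.crt"
    _p12 -in "$p12" -nokeys -cacerts -out "$out/$entry.chain.crt"
    rm -f "$p12"
    # An entry that is only a trusted certificate exports no key: stop here.
    grep -q 'PRIVATE KEY' "$out/$entry.key" 2>/dev/null || {
        echo "entry '$entry' holds no private key" >&2; exit 2; }
    key_matches_cert "$out/$entry.key" "$out/$entry.crt"
)
```

With Apache as the proxy, the resulting `.key` and `.crt` files are what `SSLCertificateKeyFile` and `SSLCertificateFile` point at.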
