How to import a public SSL certificate into a JVM | Atlassian Support (2024)


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.

Problem

When connecting two servers via HTTPS, the public SSL certificate from each server must be added to the other server's JVM truststore.

  • Refer to Connecting to SSL services

Resolution

There are 2 ways to import a public SSL certificate into a JVM:

  • From the command line.
  • Using Portecle.

Command Line Installation

  1. Fetch the certificate, replacing google.com with the FQDN of the server your application is attempting to connect to:

    Method using openssl

    Unix:

    openssl s_client -connect google.com:443 -servername google.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

    Windows:

    openssl s_client -connect google.com:443 -servername google.com < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

    If the host is behind a redirecting or shared front end, always specify -servername <your_domain_name> so that the certificate for the correct domain is returned; otherwise openssl takes the first certificate the server presents, when it should be the one that belongs to your domain.

    The command above only works if you have Sed for Windows as well as OpenSSL installed in your environment. If you don't have Sed or OpenSSL, or you don't want to install them, use the instructions below as an alternative. Issue the following command:

    openssl s_client -connect google.com:443 -servername google.com

    Save the output to a file called public.crt. Edit the public.crt file so it contains only the BEGIN CERTIFICATE and END CERTIFICATE lines and the content between them. This is how your file should look after you have edited it:

    -----BEGIN CERTIFICATE-----
    < Certificate content as fetched by the command line. Don't change this content; only remove what is before and after the BEGIN CERTIFICATE and END CERTIFICATE lines. That's what the sed command is doing for you :-) >
    -----END CERTIFICATE-----

    Method using keytool

    keytool can also fetch the certificate, but it does not support Server Name Indication (SNI). If you need to specify a server name to get the correct certificate, use openssl instead.

    Unix:

    $JAVA_HOME/bin/keytool -printcert -sslserver google.com:443 -rfc >> public.crt

    Windows:

    %JAVA_HOME%/bin/keytool -printcert -sslserver google.com:443 -rfc >> public.crt
  2. Import the certificate:

    Java 8:

    <JAVA_HOME>/bin/keytool -importcert -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crt


    Java 11:

    <JAVA_HOME>/bin/keytool -importcert -alias <server_name> -keystore <JAVA_HOME>/lib/security/cacerts -file public.crt

    Then enter the password if prompted (the default is changeit).

    Note: If the cacerts file already has a certificate for the same server name, the import may fail with the following error:

    keytool error: java.lang.Exception: Certificate not imported, alias already exist

    If this happens, you first need to remove the existing certificate from cacerts before re-trying to import the new certificate.
    To remove the existing certificate, you can use the command below:

    Java 8:

    <JAVA_HOME>/bin/keytool -delete -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts


    Java 11:

    <JAVA_HOME>/bin/keytool -delete -alias <server_name> -keystore <JAVA_HOME>/lib/security/cacerts
  3. Restart your application.
  4. Test that you can connect to the host.

Alternative TrustStore Locations

Java will normally use a system-wide truststore:

  • Java 8: $JAVA_HOME/jre/lib/security/cacerts
  • Java 11: $JAVA_HOME/lib/security/cacerts

However it is possible to use a different truststore by specifying a parameter, -Djavax.net.ssl.trustStore=/path/to/truststore, where '/path/to/truststore' is the absolute file path of the alternative truststore. Information on how to configure JIRA startup variables can be found here.

However, setting this is not recommended because if Java is told to use a custom truststore (e.g. containing a self-signed certificate), then Java will not have access to the root certificates of signing authorities found in $JAVA_HOME/jre/lib/security/cacerts, and accessing most CA-signed SSL sites will fail. It is better to add new certificates (e.g. self-signed) to the system-wide truststore (as above).

Debugging

Problems are typically one of two forms:

  • The certificate was installed into the incorrect truststore.
  • The truststore does not contain the certificate of the SSL service you're connecting to.
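The command-line procedure above (fetch with SNI, import into the system-wide cacerts for Java 8 or 11, handle the "alias already exists" case) and the Debugging check, as one added script that is not part of the Atlassian article. It assumes openssl, sed and $JAVA_HOME/bin/keytool are installed, and that the truststore password is the default changeit unless CACERTS_PASS is set.

```shell
# Added example, not Atlassian's own script: fetch a server's certificate with SNI,
# import it into the JVM's system-wide cacerts, and verify the alias is really there.
# Assumes openssl, sed, $JAVA_HOME/bin/keytool; password "changeit" unless CACERTS_PASS is set.
set -eu

# Resolve the system-wide cacerts for the JVM at $1
# (Java 8 keeps it under jre/lib/security, Java 11 under lib/security).
cacerts_path() {
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        echo "$1/jre/lib/security/cacerts"
    elif [ -f "$1/lib/security/cacerts" ]; then
        echo "$1/lib/security/cacerts"
    else
        return 1
    fi
}

# Keep only the first PEM block from s_client output on stdin: the server's own
# certificate. The trailing 'q' stops before any further chain members (-showcerts).
extract_first_pem() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sed -e '/-END CERTIFICATE-/q'
}

# fetch_cert HOST PORT OUTFILE: send HOST as SNI so a shared front end answers
# with the certificate for that name instead of its default one.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | extract_first_pem > "$3"
    grep -q -- '-BEGIN CERTIFICATE-' "$3"   # fail loudly if nothing was captured
}

# import_cert STORE ALIAS FILE: delete an existing entry with the same alias first,
# which avoids the "Certificate not imported, alias already exists" failure.
import_cert() {
    pass="${CACERTS_PASS:-changeit}"
    kt="$JAVA_HOME/bin/keytool"
    if "$kt" -list -keystore "$1" -storepass "$pass" -alias "$2" >/dev/null 2>&1; then
        "$kt" -delete -keystore "$1" -storepass "$pass" -alias "$2"
    fi
    "$kt" -importcert -noprompt -keystore "$1" -storepass "$pass" -alias "$2" -file "$3"
    # Debugging check: confirm the alias is in the truststore this JVM actually reads.
    "$kt" -list -keystore "$1" -storepass "$pass" -alias "$2"
}

# Usage: JAVA_HOME=/opt/java TARGET_HOST=other.example.com [TARGET_PORT=443] sh import-cert.sh
if [ -n "${TARGET_HOST:-}" ]; then
    store=$(cacerts_path "$JAVA_HOME")
    fetch_cert "$TARGET_HOST" "${TARGET_PORT:-443}" public.crt
    import_cert "$store" "$TARGET_HOST" public.crt
fi
```

Run it as the user that owns the JVM installation, since cacerts is normally writable only by that account; if the final keytool -list does not show the alias, the certificate went into a different truststore than the one the application reads.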

Using Portecle

  1. Download and install the Portecle app onto the server that runs your application.

    This is a third-party application and not supported by Atlassian.

  2. Ensure the <JAVA_HOME> variable is pointing to the same version of Java that your application uses. See our Setting JAVA_HOME docs for further information on this.

    If running on a Linux/UNIX server, X11 will need to be forwarded when connecting to the server (so you can use the GUI), as below:

    ssh -X user@server
  3. Select the Examine menu and then click Examine SSL/TLS Connection.
  4. Enter the SSL Host and Port of the target system.
  5. Wait for it to load, then select the public certificate and click on PEM.
  6. Export the certificate and save it.
  7. Go back to the main screen and select the Open an existing keystore from disk option, select the truststore file (for example $JAVA_HOME/lib/security/cacerts), then enter the password (the default is changeit).
  8. Select the Import a trusted certificate into the loaded keystore button.
  9. Select the certificate that was saved in step 6 and confirm that you trust it, giving it an appropriate alias (e.g.: confluence).
    1. You may hit an error dialog at this point.
    2. If so, hit OK, and then accept the certificate as trusted.
  10. Save the keystore to disk.
  11. Restart your application.
  12. Test that you can connect to the host.
Description: When connecting two servers via HTTPS, the public SSL certificate from each server must be loaded on to the other server.
Product: Jira, Confluence, Bamboo, Bitbucket

Last modified on Nov 29, 2023

