Thursday, April 17, 2014

Renewing JIRA's SSL Certificate on Windows

Basically this is JAVA specific stuff.

Environment:


  • Windows Server 2008 R2
  • JIRA Standalone (6.2) (Installed in C:\JIRA)
  • JDK 1.7 (Installed to C:\JDK)
AFAIK this method applies to all JIRA and JAVA/JDK editions.


Step 1: Identifying the JKS (Java KeyStore) file location


This is the file where the certificates used by Tomcat are stored. The JKS file is linked with JIRA in the server.xml file, which is located under JIRA INSTALL DIRECTORY\conf\server.xml (in this example C:\JIRA\conf\server.xml). Open it in Notepad and search for JKS to find the section we're interested in.

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="C:\JIRA\cert\jira.jks" keystorePass="somepass" keystoreType="JKS" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true" />


Step 2: Creating a CSR


For this you use keytool.exe, which is located in your JDK instance's bin directory. You will be asked for the keystore password, which can also be found in the XML file mentioned earlier. Make sure to pass the -alias parameter with the value of the keyAlias attribute from the server.xml file.

C:\JDK\bin> keytool -certreq -keystore "C:\JIRA\cert\jira.jks" -alias tomcat

No questions are asked; the request will use the same properties as your current certificate. Now copy the CSR from the console and send it to your CA, which will issue the certificate for you.


Step 3: Installing the new certificate


Once you have the new certificate, save it as a .cer file (I'll save it as C:\JIRA\cert\jira.cer in this example) and open its properties to export *all* the CA certificates from the certification path:




Click on View Certificate -> Details -> Copy to File and export it in the DER encoded binary X.509 format.



After the exports, in this example I'll have 3 certificates to import into the KeyStore file:

  • jira.cer (the certificate I got from the CA)
  • ca-root.cer (the first certificate exported in the Certification Path)
  • ca-intermediate.cer (the second certificate exported in the Certification Path)

So go back to the Command Prompt, to your Java instance's bin directory, and use keytool.exe to import all these certificates. When you're asked if you want to import the certificate, type yes at the console.


C:\JDK\bin>keytool.exe -importcert -keystore "C:\JIRA\cert\jira.jks" -storepass somepass -trustcacerts -alias ca-root -file "C:\JIRA\cert\ca-root.cer"
C:\JDK\bin>keytool.exe -importcert -keystore "C:\JIRA\cert\jira.jks" -storepass somepass -trustcacerts -alias ca-intermediate -file "C:\JIRA\cert\ca-intermediate.cer"
C:\JDK\bin>keytool.exe -importcert -keystore "C:\JIRA\cert\jira.jks" -storepass somepass -trustcacerts -alias tomcat -file "C:\JIRA\cert\jira.cer"


Restart Tomcat (JIRA) and you're done.
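
An added example, not part of the original post: a PowerShell check of what `keytool -list -v` reports for the tomcat alias after Step 3. It confirms that the entry still holds the private key, that each certificate is issued by the next one up to the root, and that the server certificate has not expired. The sample output is constructed, English keytool output is assumed, and Test-KeytoolEntry is a name made up for this example.

```powershell
# Added example, not from the original post. $sample is CONSTRUCTED text in the
# layout `keytool -list -v` prints; names and dates are made up. On the server:
#   $lines = & 'C:\JDK\bin\keytool.exe' -list -v -keystore 'C:\JIRA\cert\jira.jks' -alias tomcat
$sample = @'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=jira.example.com
Issuer: CN=Example Intermediate CA
Valid from: Thu Apr 17 00:00:00 UTC 2014 until: Fri Apr 17 23:59:59 UTC 2015
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Valid from: Fri Jan 01 00:00:00 UTC 2010 until: Wed Jan 01 00:00:00 UTC 2020
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Valid from: Sat Jan 01 00:00:00 UTC 2005 until: Tue Jan 01 00:00:00 UTC 2030
'@

function Test-KeytoolEntry {
    param([string[]]$Lines, [datetime]$Now = (Get-Date))
    $problems = @()
    # The CA reply must replace the certificate on the existing key entry.
    if (-not ($Lines -match '^Entry type: PrivateKeyEntry')) {
        $problems += 'alias is not a PrivateKeyEntry'
    }
    $owners  = @($Lines -match '^Owner: '  | ForEach-Object { ($_ -replace '^Owner: ').Trim() })
    $issuers = @($Lines -match '^Issuer: ' | ForEach-Object { ($_ -replace '^Issuer: ').Trim() })
    # One certificate means the old self-signed cert or a bare leaf is served.
    if ($owners.Count -lt 2) { $problems += 'chain does not include the CA certificates' }
    # Each certificate must be issued by the next one in the chain.
    for ($i = 0; $i -lt $owners.Count - 1; $i++) {
        if ($issuers[$i] -ne $owners[$i + 1]) { $problems += "chain breaks after certificate $($i + 1)" }
    }
    # First "until:" line belongs to Certificate[1], the server certificate.
    $leaf = $Lines -match 'until: ' | Select-Object -First 1
    if ($leaf -match 'until: \w{3} (\w{3} \d{2}) \S+ \S+ (\d{4})') {
        $inv = [Globalization.CultureInfo]::InvariantCulture
        $end = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])", 'MMM dd yyyy', $inv)
        if ($end -lt $Now) { $problems += "server certificate expired $($end.ToString('yyyy-MM-dd'))" }
    }
    $problems
}

$found = @(Test-KeytoolEntry -Lines ($sample -split "`r?`n") -Now ([datetime]'2014-04-18'))
if ($found.Count -eq 0) { 'OK: key entry, full chain, not expired' } else { $found }
```

With real output, drop the -Now argument so the expiry is compared against the current date.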
