    Updating https cert on a JVM application running on top of tomcat

    • momurda

      This just seems a pain.
      The install of JIRA I have here has an untrusted (Symantec) cert. It is only used by internal users, but I'd like the cert warnings to go away, as these will soon be reported in all browsers.
      Not only does JIRA run as a JVM, it runs on Tomcat as well. Ugh.
      It also seems whoever set this up initially didn't set this up the way Atlassian recommends.
      There is no .keystore file under the jira user's /home. Or on the system anywhere.
      By looking through the JIRA server.xml file I see the cert it is using is located at:
      /etc/pki/CA/certs/mydomain.com/mydomain.com.pfx

      Now my question: if I have a newer valid mydomain.com.pfx cert file, can I just replace it here, with no other configuration, restart JIRA, and the new cert will be served? Or must I use the keytool provided in the $jiraapp/jre/bin/ folder to do this?

      Let's Encrypt may not work right here; this is still a CentOS 6.9 server and I don't think LE works with CentOS 6. Migrating JIRA to something like CentOS 7/Fedora may be an option.

      1 Reply Last reply Reply Quote 2
      • momurda

        OK, a bit more research leads me to think I can do what I want and just replace this old pfx file with the new one, change the server.xml parameter for the cert, and restart Tomcat.

        Some Tomcat servers require you to do a pfx conversion to the jks keystore type.
        The one for our version of Tomcat/JIRA seems to support a pfx file since it is using one already.
        I will be trying this in just about an hour when most people are gone.

        1 Reply Last reply Reply Quote 1
        • momurda

          Success
          Here are the steps I followed.

          1. Exported the valid cert to pfx format. Remember the export pw for later. I used a recently renewed 3-year wildcard cert for our domain. I used this one for Exchange CRM, now JIRA because reasons.
          2. Copy the pfx file to a place on the Linux server; I made a folder called /certificates
          3. Copy the pfx over the existing pfx file in /etc/pki/CA/certs/domain.com/domain.com.pfx
          4. Open the server.xml file located in
            /jiraapplicationfolder/jira/conf/server.xml
            Find the blob of text that begins
            "To run JIRA via HTTPS:"
            blahblah, a bit farther down
            <Connector port="yourhttpsport" protocol="org.apa...

          Find the following parameters and change them to the correct values in server.xml.
          keystoreFile="path/to/pfx"
          keystorePass="exported private key pw"
          Restart Tomcat, or the whole server if you want.
          Your cert is now updated.

          1 Reply Last reply Reply Quote 1
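A pre-flight check for the swap described in the steps above, as an added example that is not part of the original posts: it confirms the export password opens the new PFX, that the file carries a private key, and that the certificate is not about to expire, and it flags a world-readable server.xml (which holds keystorePass in clear text). The function names, the PFX_PASS environment variable and the 30-day margin are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Pre-flight checks before swapping the PFX referenced by Tomcat's server.xml.
# Assumed for this example: helper names, the PFX_PASS variable, 30-day margin.

# Print the keystoreFile attribute of the HTTPS <Connector> in server.xml.
connector_keystore_file() {
    sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed if the file is readable by "other". server.xml stores keystorePass
# in clear text and the PFX holds the private key, so neither should be.
world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

# Verify the PFX: the password opens it, it contains a private key, and the
# leaf certificate is still valid $2 days from now (default 30).
# The password comes from $PFX_PASS so it never shows up in the process list.
check_pfx() {
    local pfx=$1 days=${2:-30}
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts \
        >/dev/null 2>&1 \
        || { echo "cannot open $pfx (wrong password or unreadable file)"; return 1; }
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' \
        || { echo "no private key in $pfx"; return 2; }
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend $((days * 86400)) >/dev/null \
        || { echo "certificate expires within $days days"; return 3; }
    echo "ok: $pfx"
}
```

Export PFX_PASS and run check_pfx against the new file before copying it over the path that keystoreFile names and restarting Tomcat.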