Updating https cert on a JVM application running on top of tomcat

  • This just seems a pain.
    The install of JIRA I have here has an untrusted (Symantec) cert. It is only used by internal users, but I'd like the cert warnings to go away as these will soon be reported in all browsers.
    Not only does JIRA run as a JVM, it runs on Tomcat as well. Ugh.
    It also seems whoever set this up initially didn't set this up the way Atlassian recommends.
    There is no .keystore file under the jira user's /home, or anywhere on the system.
    By looking through the JIRA server.xml file I see the cert it is using is located:

    Now my question: if I have a newer valid mydomain.com.pfx cert file, can I just replace it here with no other configuration, restart JIRA, and the new cert will be served? Or must I use the keytool provided in the $jiraapp/jre/bin/ folder to do this?

    Let's Encrypt may not work right here; this is still a CentOS 6.9 server and I don't think LE works with CentOS 6. Migrating JIRA to something like CentOS 7/Fedora may be an option.

  • OK, a bit more research leads me to think I can do what I want and just replace this old pfx file with the new one, change the server.xml parameter for the cert, and restart Tomcat.

    Some Tomcat servers require you to do a pfx conversion to the jks keystore type.
    The one for our version of Tomcat/JIRA seems to support a pfx file since it is using one already.
    I will be trying this in about an hour when most people are gone.

  • Success
    Here are the steps I followed.

    1. Exported the valid cert to pfx format. Remember the export password for later. I used a recently renewed 3-year wildcard cert for our domain. I used this one for Exchange CRM, now JIRA because reasons.
    2. Copy the pfx file to a place on the Linux server; I made a folder called /certificates.
    3. Copy the pfx over the existing pfx file in /etc/pki/CA/certs/domain.com/domain.com.pfx.
    4. Open the server.xml file located in
    Find the blob of text that begins
    "To run JIRA via HTTPS:"
    blah blah, a bit farther down
    <Connector port="yourhttpsport" protocol="org.apa...

    Find the following parameters and change them to the correct values in server.xml.
    keystorePass="exported private key pw"
    Restart Tomcat, or the whole server if you want.
    Your cert is now updated.
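A pre-flight check for the swap described in the steps above, written as an added example and not part of the original post: it parses a Tomcat server.xml, picks out the HTTPS Connector(s), and flags the settings that must agree with the new PFX file (path exists, keystoreType is PKCS12 for a .pfx, keystorePass set). The embedded server.xml fragment, its path and its password are constructed placeholders.

```python
"""Pre-flight check of a Tomcat/JIRA server.xml before swapping the HTTPS cert."""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the JIRA layout in the thread; values are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/pki/CA/certs/domain.com/domain.com.pfx"
               keystorePass="EXPORT-PASSWORD-PLACEHOLDER"
               keystoreType="PKCS12"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def https_connectors(server_xml):
    """Return the attribute dict of every Connector that terminates TLS."""
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true" or c.get("scheme") == "https"]


def check_connector(attrs, file_exists=os.path.exists):
    """Return the problems that would stop Tomcat serving the new certificate."""
    problems = []
    ks_file = attrs.get("keystoreFile")
    ks_type = attrs.get("keystoreType", "JKS")  # Tomcat treats an unset type as JKS
    if not ks_file:
        problems.append("no keystoreFile attribute on the HTTPS Connector")
    else:
        if not file_exists(ks_file):
            problems.append(f"keystoreFile does not exist: {ks_file}")
        if ks_file.lower().endswith((".pfx", ".p12")) and ks_type.upper() != "PKCS12":
            problems.append(f"{ks_file} is a PKCS#12 file but keystoreType is {ks_type}")
    if not attrs.get("keystorePass"):
        problems.append("keystorePass is empty; it must equal the PFX export password")
    return problems


if __name__ == "__main__":
    # Usage: python check_server_xml.py /path/to/server.xml (defaults to the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for conn in https_connectors(xml_text):
        issues = check_connector(conn)
        print(f"port {conn.get('port')}: {'OK' if not issues else '; '.join(issues)}")
```

Before copying the new file over the old one, `openssl pkcs12 -in new.pfx -nokeys | openssl x509 -noout -subject -enddate` confirms the export opens with the password you recorded and shows the certificate you expect.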
