How to add the TLS certificate to the Java trust store when running Bitbucket Server and Data Center in a Docker container

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible


This article explains how to add the TLS certificate to the Java trust store when Bitbucket runs in a Docker container. When running a dockerized Bitbucket, the procedure to alter the Java trust store differs from the case where Bitbucket is started directly on the server.


Bitbucket 7.21.10, but also applicable to other versions.


Steps to add a TLS certificate to the Java trust store inside a Docker container include copying the trusted certs store out of the running Docker container, adding the required certs to it, and re-running the Bitbucket container with a modified trust store mounted into it. 

In the steps described below, paths are given as examples only, and you have to modify them for your setup!

  1. Get the original Java trust store from running Bitbucket container. That means copying the Java trust store out of the Docker container.
    An example of the command to use is

    docker cp <Bitbucket_Container>:/opt/java/openjdk/lib/security/cacerts /path/to/copy_of_cert_store
  2. Add all the certificates you need to the copy_of_cert_store trust store. You can do that manually using a keytool on your workstation or on the server itself.
    Use the document How to import a public SSL certificate into a JVM  as a guide on adding the certificate to a trust store.

    (warning) Be sure to use the keytool from the same JVM version as the one Bitbucket runs within the Docker container!

  3. Reconfigure your Docker container deployment or orchestration system to mount the external, modified trust store file to the Docker container and restart the Bitbucket container.
    An example command to start Bitbucket in a Docker container with a mounted modified trust store:

    docker run -d \
        --name <Bitbucket_Container> \
        -v /path/to/copy_of_cert_store:/opt/java/openjdk/lib/security/cacerts \

When using this approach, you would have to repeat steps 1 and 2 only when you upgrade the container to a newer Bitbucket version.

Last modified on Jan 3, 2024

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.