How to import an existing SSL certificate for use in Tomcat

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Purpose

If you have an existing SSL certificate and you want to use this certificate in Tomcat you need to follow specific steps to import the certificate. This article describes these steps.

Solution

Assumptions

This article assumes that you have the following available in separate files:

  1. A private key
  2. A certificate belonging to the private key
  3. The certificate of the authority that issued the certificate

It also requires that you have OpenSSL installed on the machine where you are running the commands described.

Finally, it also assumes that you have an existing Tomcat keystore to import the certificate into.



1. Combine the private key and the certificate into a PKCS12 keystore

If you already have a PKCS12 file that contains the certificate which you want to import and the private key belonging to it, then you can skip to step 2.



The first step is to combine the private key and the certificate into a PKCS12 keystore which will be used in the second step. This is required because Java's keytool utility does not allow you to import a private key and certificate from individual files. To do this, run the command below:

openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out <keystorefile> -name tomcat -CAfile <cacertfile> -caname root

where <certfile> is the path to the file that contains the certificate you wish to import, <keyfile> is the path to the file that contains the private key that belongs to the certificate, <keystorefile> is the path to the PKCS12 keystore you want to create (you can choose a location yourself, but the file must not exist yet), and <cacertfile> is the path to the file that contains the certificate (chain) of the certificate authority that issued the certificate which you're trying to import. 


When you execute the command you'll be asked for a password for the PKCS12 keystore. You can choose one, but for the sake of simplicity changeit is a good option, since it is the default password that Tomcat expects. Once the command has completed executing, verify that <keystorefile> now exists.

2. Merge the Tomcat keystore and the PKCS12 keystore to import the certificate and private key

You will now need to merge the Tomcat keystore and PCS12 keystore, which imports the certificate and private key into Tomcat's keystore. To do that, run the following command:

keytool -importkeystore -deststorepass <keystorepass> -destkeypass <keystorepass> -destkeystore <tomcatkeystorefile> -srckeystore <keystorefile> -srcstoretype PKCS12 -srcstorepass <keystorepass> -alias tomcat

where <keystorepass> is the password you chose when you were prompted in step 1, <tomcatkeystorefile> is the path to the keystore of Tomcat, and <keystorefile> is the path to the PKCS12 keystore file created in step 1.

Once the command has completed the Tomcat keystore at <tomcatkeystorefile> contains the certificate and private key you wanted to import. Restart your Atlassian application to make the changes effective.


DescriptionIf you have an existing SSL certificate and you want to use this certificate in Tomcat you need to follow specific steps to import the certificate. This article describes these steps.
ProductJira, Confluence, Bamboo, Bitbucket, Fisheye
PlatformServer, Cloud, Data Center
Last modified on Oct 2, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.