...
...
...
...
First, create a certificate signing request. The command below will simultaneously generate a new RSA-encrypted private key
...
:
> openssl req -new -nodes -out confluence-test.csr -newkey rsa:2048 -out "keyout confluence.csr" -nodes-test.key -subj '/CN=confluence-test.example.com/C=NO/ST=State/L=City/O=Company'
Send the
confluence-test.csrfile to a certificate authority (CA), and acquire
...
a signed certificate
confluence-cert.crt.
...
The CA will typically do something like this to sign the certificate:
openssl x509 -req -in confluence-test.csr -CA EXAMPLE-CA.crt -CAkey EXAMPLE-CA.key -CAcreateserial -out confluence-test.crt -days 730 -sha256
To view the crt file you get in return form your certificate authnority you may run this command
openssl x509 -noout -text -in confluence-test.crt
Find the location of your Java keytool command typically located in
<JAVA_HOME_DIR>/bin/keytool.Next, import the certificate into a Java Keystore with this command:
keytool -importcert -file confluence-test.crt -keystore confluence-test.jks -storepass changeit -alias mycert -trustcacerts
Next, convert the certificate and key files to
.pem:
> openssl x509 -in confluence-certtest.crt -out confluence-certtest.pem -outform PEM
...
Now create a
...
p12file using the existing
...
pemfile:
> openssl pkcs12 -export -in confluence-certtest.pem -inkey privkeyconfluence-test.pem key -out confluence-certtest.p12
You will be asked to enter a password, which will be used in the next step. Set password to changeit
...
Update the
...
Java
...
keystore file using the previously generated
.p12
...
file. Here, the source- and destination-password is set to
changeit. You must use the password you set on the.p12certificate file in the previous step. The destkeystore value can be anything you like:
> <JAVA_HOME_DIR>/bin/keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my_ confluence_domain-test.jks -srckeystore confluence-certtest.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias 1
Change the private key alias in the Java keystore.
> <JAVA_HOME_DIR>/bin/keytool -changealias -alias 1 -destalias mykey -storepass changeit -keystore my_ confluence_domain-test.jks
Import the root certificate of your CA into the Java keystore.
> <JAVA_HOME_DIR>/bin/keytool -keystore my_confluence_domain.jks -import -alias root -file /apps/confluence/jre/lib/security/root.cer
Import the application certificate into the Java keystore.
> <JAVA_HOME_DIR>/bin/keytool -keystore my_confluence_domain.jks -import -alias mycert -file confluence-cert.crt
...
Then you can see inside the keystore file. Verify that both aliases mycert and mykey are present with command:
keytool -list -storepass changeit -keystore confluence-test.jks
Move the
jkskeystore file into the signing keys directory of your Atlassian product. The signing keys directory can be found with kerberos in the saml directory,<ATLASSIAN_PRODUCT_HOME_DIR>/kerberos/saml/keys.Last, you need to
...
start using this new key
...
. Do that by finding the key listed in the SAML Key Management page in Kantega SSO (see below) and press the Promote button on it. This should make the key the one that is used to sign outgoing SAML requests.
You will also have to update the trust to this new key in your identity provider(s). To do this either refresh the metadata inside your IdP’s SAML configuration or use the
Downloadbutton for theCurrent active keyand then install the certificate in your IdP’s SAML configuration.
If the new
...
the jks keystore is not loaded corretly
...
during Promote, the behavior of the SAML Key Management page is to create a new self-signed key. This indicates that the preparations of the above steps were not successful. Do verify all steps carefully and if you cannot figure out what is wrong contact us at support and we will help you out. Do also contact us if you have problems installing the newly created certificate into your IdP’s SAML configuration.