First, create a certificate signing request. The command below simultaneously generates a new RSA private key, privkey.pem:
...
> <JAVA_HOME_DIR>/bin/keytool -changealias -alias 1 -destalias mykey -keystore my_confluence_domain.jks
Import the root certificate of your CA into the Java keystore.
> <JAVA_HOME_DIR>/bin/keytool -keystore my_confluence_domain.jks -import -alias root -file /apps/confluence/jre/lib/security/root.cer
...
Move the keystore file into the signing keys directory of your Atlassian product. The signing keys directory is located under the kerberos directory of the product home, in its saml subdirectory: <ATLASSIAN_PRODUCT_HOME_DIR>/kerberos/saml/keys.
Last, you need to put the new key into use. Do that by finding the key listed on the SAML Key Management page in Kantega SSO and pressing its Promote button. If the new key is not loaded correctly, a new self-signed key will be created instead. This indicates that the preparation steps above were not successful. Verify all steps carefully, and if you cannot figure out what is wrong, contact us at support and we will help you out.
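Before pressing Promote, it helps to confirm that the keystore really contains what the steps above should have produced: the private key under alias mykey and the CA certificate under alias root. The script below is an added example, not part of Kantega SSO or of the original page. The function name check_keystore_listing is hypothetical, the two listings are constructed samples, and the parser assumes the English-locale text layout of keytool -list.

```shell
#!/bin/sh
# Added example: pre-flight check of `keytool -list` output before promoting the key.
# Real use (keytool prompts for the keystore password):
#   <JAVA_HOME_DIR>/bin/keytool -list -keystore my_confluence_domain.jks | check_keystore_listing

# Reads `keytool -list` text on stdin. Returns 0 only if alias "mykey" is a
# PrivateKeyEntry and alias "root" is a trustedCertEntry.
check_keystore_listing() {
    awk -F', *' '
        function check(a, want,   got) {
            got = (a in seen) ? seen[a] : "missing"
            if (got != want) {
                printf "FAIL: alias %s is %s, expected %s\n", a, got, want
                bad = 1
            }
        }
        # Entry lines look like "<alias>, <date>, <EntryType>," and the date may
        # itself contain a comma, so take the first and the last non-empty field.
        /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),? *$/ {
            type = ""
            for (i = NF; i > 1; i--) if ($i != "") { type = $i; break }
            gsub(/[ \t\r]/, "", type)
            seen[$1] = type
        }
        END {
            check("mykey", "PrivateKeyEntry")
            check("root", "trustedCertEntry")
            if (!bad) print "OK: mykey and root entries present"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: keystore after the alias change and the root import.
GOOD_LISTING='Your keystore contains 2 entries

mykey, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)
root, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed)'

# Constructed sample: alias still "1" (the -changealias step was skipped), no root.
STALE_LISTING='Your keystore contains 1 entry

1, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)'

printf '%s\n' "$GOOD_LISTING"  | check_keystore_listing || true
printf '%s\n' "$STALE_LISTING" | check_keystore_listing || true
```

A failing check here points at the keystore preparation steps rather than at the Promote action itself.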