
This guide takes you through the steps of using your own CA-signed certificate instead of the self-signed certificates created by K-SSO when signing SAML requests sent to your identity provider. The guide uses the openssl tool, which is found on Linux and OS X, and keytool from the Java runtime that is installed with the Atlassian products.

In the example we use confluence-test as the certificate, key and file name. You can change this name to whatever you want.

  1. First, create a certificate signing request. The command below simultaneously generates a new 2048-bit RSA private key (unencrypted, because of -nodes):
    openssl req -new -nodes -out confluence-test.csr -newkey rsa:2048 -keyout confluence-test.key -subj '/CN=confluence-test.example.com/C=NO/ST=State/L=City/O=Company'

  2. Send the confluence-test.csr file to a certificate authority (CA) and acquire a signed certificate, confluence-test.crt.

  3. The CA will typically do something like this to sign the certificate:
    openssl x509 -req -in confluence-test.csr -CA EXAMPLE-CA.crt -CAkey EXAMPLE-CA.key -CAcreateserial -out confluence-test.crt -days 730 -sha256

  4. To view the .crt file you get back from your certificate authority, run this command:
    openssl x509 -noout -text -in confluence-test.crt

  5. At this point you have three files, with the extensions .csr, .key and .crt. The .key and .crt files are used in the next steps.

  6. Find the location of your Java keytool command, typically <JAVA_HOME_DIR>/bin/keytool.

  7. Import the certificate into a Java keystore (.jks) with this command:
    keytool -importcert -file confluence-test.crt -keystore confluence-test.jks -storepass changeit -alias mycert -trustcacerts

  8. Convert the certificate file to a .pem file for use in the next step:
    openssl x509 -in confluence-test.crt -out confluence-test.pem -outform PEM

  9. Now create a .p12 file from the .pem file and the key:
    openssl pkcs12 -export -in confluence-test.pem -inkey confluence-test.key -out confluence-test.p12
    You will be asked to enter a password, which is used in the next step. Set the password to changeit. After this step the .p12 file contains both the certificate and the key.

  10. Update the Java keystore file from step 7 by adding the .p12 file generated in the previous step. Here both the source and the destination password are set to changeit; you must use the password you set on the .p12 file in the previous step. The destkeystore value can be anything you like:
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore confluence-test.jks -srckeystore confluence-test.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias 1

  11. Change the private key alias in the Java keystore:
    keytool -changealias -alias 1 -destalias mykey -storepass changeit -keystore confluence-test.jks

  12. Now you can look inside the keystore file. Verify that both aliases, mycert and mykey, are present with this command:
    keytool -list -storepass changeit -keystore confluence-test.jks

  13. Move the .jks keystore file into the signing keys directory of your Atlassian product. The signing keys directory is found under kerberos in the saml directory: <ATLASSIAN_PRODUCT_HOME_DIR>/kerberos/saml/keys.

  14. Last, you need to start using this new key. Do that by finding the key listed on the SAML Key Management page in Kantega SSO (see below) and pressing the Promote button on it. This makes the key the one used to sign outgoing SAML requests.

  15. You will also have to update the trust for this new key in your identity provider(s). To do this, either refresh the metadata inside your IdP's SAML configuration, or use the Download button for the Current active key and then install the certificate in your IdP's SAML configuration.

  • If the new .jks keystore is not loaded correctly during Promote, the SAML Key Management page creates a new self-signed key instead. This indicates that the preparations in the steps above were not successful. Verify all steps carefully, and if you cannot figure out what is wrong, contact us at support and we will help you out. Also contact us if you have problems installing the newly created certificate into your IdP's SAML configuration.
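As an added check before step 9 (an example script written for this page, not part of the original guide or of Kantega SSO), the POSIX shell script below verifies that the private key and the CA-signed certificate belong together and that the certificate chains to the CA, which is the usual reason a .p12 or keystore built from them is later rejected. It assumes openssl on PATH and the file names used above; the CA and certificate it builds in a temporary directory are constructed demo material using the same openssl commands as the guide.

```shell
#!/bin/sh
# Added example: sanity-check the key/certificate pair from the steps above.
# Assumes openssl is on PATH and the guide's file names (confluence-test.key,
# confluence-test.crt, EXAMPLE-CA.crt).
set -eu

# Prints "match" when the private key and the certificate carry the same
# public key, otherwise "mismatch" (compared as SHA-256 of the DER public key).
check_key_matches_cert() {
  key=$1; crt=$2
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey \
            | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  if [ "$key_pub" = "$crt_pub" ]; then echo match; else echo mismatch; fi
}

# Prints "ok" when the certificate verifies against the CA certificate, else "fail".
check_chain() {
  ca=$1; crt=$2
  if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Constructed demo: a throwaway CA and a CA-signed certificate made in a temp
# directory with the guide's own openssl commands, plus an unrelated key to
# show the mismatch case. Prints "<pair check> <wrong-key check> <chain check>".
demo() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout EXAMPLE-CA.key \
      -out EXAMPLE-CA.crt -days 30 -subj '/CN=Example CA' 2>/dev/null
    openssl req -new -nodes -out confluence-test.csr -newkey rsa:2048 -keyout confluence-test.key \
      -subj '/CN=confluence-test.example.com/C=NO/ST=State/L=City/O=Company' 2>/dev/null
    openssl x509 -req -in confluence-test.csr -CA EXAMPLE-CA.crt -CAkey EXAMPLE-CA.key \
      -CAcreateserial -out confluence-test.crt -days 730 -sha256 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null
    echo "$(check_key_matches_cert confluence-test.key confluence-test.crt) \
$(check_key_matches_cert other.key confluence-test.crt) \
$(check_chain EXAMPLE-CA.crt confluence-test.crt)"
  )
  rm -rf "$dir"
}
```

Run the two check functions against your real confluence-test.key, confluence-test.crt and CA certificate; anything other than "match" and "ok" means the files should be regenerated before continuing with the .p12 and keystore steps.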