
First, create a certificate signing request. The command below also generates a new 2048-bit RSA private key, privkey.pem, which is written unencrypted because of the -nodes option:

> openssl req -new -newkey rsa:2048 -out "confluence.csr" -nodes

Send the confluence.csr file to a certificate authority, and acquire an enterprise-signed certificate confluence-cert.crt. Once acquired, convert the .crt file to .pem:

> openssl x509 -in confluence-cert.crt -out confluence-cert.pem -outform PEM

Create a .p12 file using the existing confluence-cert.pem file:

> openssl pkcs12 -export -in confluence-cert.pem -inkey privkey.pem -out confluence-cert.p12

You will be asked to enter a password, which will be used in the next step.

Find the location of your Java keytool. In this guide, the path is <JAVA_HOME_DIR>/bin/keytool.

Create a Java keystore file from the previously generated .p12 certificate file. In this example the source and destination passwords are both set to changeit. For the source password (-srcstorepass) you must use the password you set on the .p12 certificate file in the previous step. The -destkeystore value can be anything you like:

> <JAVA_HOME_DIR>/bin/keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my_confluence_domain.jks -srckeystore confluence-cert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias 1

Change the private key alias in the Java keystore.

> <JAVA_HOME_DIR>/bin/keytool -changealias -alias 1 -destalias mykey -keystore my_confluence_domain.jks

Import the root certificate of your CA into the Java keystore.

> <JAVA_HOME_DIR>/bin/keytool -keystore my_confluence_domain.jks -import -alias root -file /apps/confluence/jre/lib/security/root.cer

Import the application certificate into the Java keystore.

> <JAVA_HOME_DIR>/bin/keytool -keystore my_confluence_domain.jks -import -alias mycert -file confluence-cert.crt

Move the keystore file into the signing keys directory of your Atlassian product. The signing keys directory is located under kerberos/saml in the product home directory: <ATLASSIAN_PRODUCT_HOME_DIR>/kerberos/saml/keys.

Last, put the new key into use. Find the key in the SAML Key Management page in Kantega SSO and press its Promote button. If the new key is not loaded correctly, a new self-signed key is created instead. This indicates that the preparation in the steps above was not successful. Verify all steps carefully, and if you cannot figure out what is wrong, contact us at support and we will help you out.
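A pre-flight check for the procedure above, as an added example that is not part of the original guide: it confirms that the private key belongs to the certificate and that the .p12 opens with its password and is internally consistent, before the keystore is built. The function names are hypothetical, and the sample files are constructed (a self-signed certificate stands in for the CA-issued one).

```shell
#!/bin/sh
# Added example: pre-flight checks on the files built in the steps above.
# Function names are hypothetical; file names follow the page.

# Succeeds only if private key $1 and certificate $2 share one public key.
key_matches_cert() (
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
)

# Succeeds only if the .p12 in $1 opens with the exported $P12_PASS and the
# key inside it belongs to the certificate inside it. Nothing touches disk.
p12_is_consistent() (
    cert=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || exit 1
    key=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null) || exit 1
    from_key=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null) || exit 1
    from_cert=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
)

# Constructed sample material in directory $1: a self-signed certificate stands
# in for the CA-issued one, and other.pem is an unrelated key.
make_sample() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout privkey.pem \
        -out confluence-cert.pem -subj "/CN=confluence.example.test" \
        -days 1 2>/dev/null || exit 1
    openssl genrsa -out other.pem 2048 2>/dev/null || exit 1
    P12_PASS=constructed-pass openssl pkcs12 -export -in confluence-cert.pem \
        -inkey privkey.pem -out confluence-cert.p12 -passout env:P12_PASS
)

dir=$(mktemp -d) && make_sample "$dir" || exit 1
export P12_PASS=constructed-pass
key_matches_cert "$dir/privkey.pem" "$dir/confluence-cert.pem" && echo "key/cert: match"
key_matches_cert "$dir/other.pem" "$dir/confluence-cert.pem" || echo "other key: mismatch"
p12_is_consistent "$dir/confluence-cert.p12" && echo "p12: consistent"
P12_PASS=wrong-pass
p12_is_consistent "$dir/confluence-cert.p12" || echo "p12: rejected with wrong password"
rm -rf "$dir"
```

Against the real files, run key_matches_cert privkey.pem confluence-cert.pem before the pkcs12 export, and p12_is_consistent confluence-cert.p12 (with P12_PASS exported) before the keytool import.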
