This guide will take you through the steps of using your own CA signed certificates instead of the selv-signed certificates created by K-SSO when signing SAML Requests sent to your Identity Provider. The guide uses the tool openssl which is found on Linux and OsX. Also, it uses keytool found in Java runtime which is installed with the Atlassian products.
First, create a certificate signing request. The command below will simultaneously generate a new RSA-encrypted private key:
openssl req -new -nodes -out confluence-test.csr -newkey rsa:2048 -keyout confluence-test.key -subj '/CN=confluence-test.example.com/C=NO/ST=State/L=City/O=Company'
Send the
confluence-test.csrfile to a certificate authority (CA), and acquire a signed certificateconfluence-cert.crt.The CA will typically do something like this to sign the certificate:
openssl x509 -req -in confluence-test.csr -CA EXAMPLE-CA.crt -CAkey EXAMPLE-CA.key -CAcreateserial -out confluence-test.crt -days 730 -sha256
To view the crt file you get in return form your certificate authnority you may run this command
openssl x509 -noout -text -in confluence-test.crt
Find the location of your Java keytool command typically located in
<JAVA_HOME_DIR>/bin/keytool.Next, import the certificate into a Java Keystore with this command:
keytool -importcert -file confluence-test.crt -keystore confluence-test.jks -storepass changeit -alias mycert -trustcacerts
Next, convert the certificate and key files to
.pem:
openssl x509 -in confluence-test.crt -out confluence-test.pem -outform PEM
Now create a
p12file using the existingpemfile:
openssl pkcs12 -export -in confluence-test.pem -inkey confluence-test.key -out confluence-test.p12
You will be asked to enter a password, which will be used in the next step. Set password to changeit
Update the Java keystore file using the previously generated
.p12file. Here, the source- and destination-password is set tochangeit. You must use the password you set on the.p12certificate file in the previous step. The destkeystore value can be anything you like:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore confluence-test.jks -srckeystore confluence-test.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias 1
Change the private key alias in the Java keystore.
keytool -changealias -alias 1 -destalias mykey -storepass changeit -keystore confluence-test.jks
Then you can see inside the keystore file. Verify that both aliases mycert and mykey are present with command:
keytool -list -storepass changeit -keystore confluence-test.jks
Move the
jkskeystore file into the signing keys directory of your Atlassian product. The signing keys directory can be found with kerberos in the saml directory,<ATLASSIAN_PRODUCT_HOME_DIR>/kerberos/saml/keys.Last, you need to start using this new key. Do that by finding the key listed in the SAML Key Management page in Kantega SSO (see below) and press the Promote button on it. This should make the key the one that is used to sign outgoing SAML requests.
You will also have to update the trust to this new key in your identity provider(s). To do this either refresh the metadata inside your IdP’s SAML configuration or use the
Downloadbutton for theCurrent active keyand then install the certificate in your IdP’s SAML configuration.
If the new the jks keystore is not loaded corretly during Promote, the behavior of the SAML Key Management page is to create a new self-signed key. This indicates that the preparations of the above steps were not successful. Do verify all steps carefully and if you cannot figure out what is wrong contact us at support and we will help you out. Do also contact us if you have problems installing the newly created certificate into your IdP’s SAML configuration.