If your internal identity provider uses a self-signed certificate, or a certificate issued by an internal CA, the Atlassian product will not trust that certificate by default and OIDC will fail when the plugin fetches the provider's metadata over HTTPS. You set up this trust by importing the identity provider's certificate (or, preferably, the certificate of the CA that issued it) into the Java trust store (cacerts) of the Java runtime your Atlassian installation runs on. Java is the runtime platform that the Atlassian products run on top of.
Follow the guide below to set up the necessary trust to make OIDC work.
Identifying the need to set up trust to a self-signed certificate
During the OIDC setup wizard in Kantega SSO you may see an error on the Metadata step when Java cannot validate the identity provider's TLS certificate. The error text from Java typically contains "PKIX path building failed" and "unable to find valid certification path to requested target".
To solve this, follow the steps below to establish trust to your identity provider's certificate.
Download the self-signed certificate from your identity provider URL
Navigate to a URL on your identity provider, for example the well-known OpenID configuration address of your IdP. In our example this is: https://keycloak.example.com/auth/realms/master/.well-known/openid-configuration
Click the lock symbol by the URL and then the right arrow on the right side. This example is for Firefox on OS X. It may look a little different in different browsers:
Click More information
Click View Certificate
Click the PEM (cert) download link. If the certificate was issued by an internal CA rather than being self-signed, download PEM (chain) instead, or obtain the CA's certificate directly from the CA, and import the CA certificate in the next step: trust in the CA survives renewal of the identity provider's own certificate, whereas trust in the server certificate alone has to be redone every time it is renewed.
Save the PEM file.
Run this command in a terminal window on your Atlassian server (*): keytool -import -alias example_ca -cacerts -file example-com.pem. keytool prompts for the trust store password; the default for cacerts is changeit unless it has been changed on your installation. The -cacerts option requires Java 9 or newer; on Java 8 point keytool at the file explicitly with -keystore <java-home>/jre/lib/security/cacerts. The alias only has to be unique within the trust store. On Linux you may need to add sudo in front of the command, since cacerts is normally writable only by root.
(*) If you need to find where the Java runtime your Atlassian product is running on is located, open the path:
https://<your-atlassian-server.example.com>/plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/debuginfo and you will find the Java home folder used under the Environment section. Import into the trust store of that runtime, not into another Java installation on the same host; a product running on a bundled JRE does not use the system Java.
When the certificate is successfully installed in Java's cacerts file, restart your Atlassian product for the trust to be established. Note that upgrading the Java runtime (including a JRE bundled with the Atlassian product) typically replaces the cacerts file, so the import has to be repeated after such an upgrade.