Before you enable HTTPS you need a valid certificate. If you already have one, skip this step and go straight to step 2.
You can create a self-signed certificate, or obtain a certificate from a trusted certificate authority (CA).
If your team plans to use the Confluence Server mobile app, your certificate must be issued by a trusted certificate authority. The app does not accept a self-signed certificate, a certificate from an untrusted issuer, or a certificate from a free CA.
Option 1: Create a self-signed certificate
Self-signed certificates are useful when you need encryption but do not need to prove the identity of the site to its visitors. Typically you would use one on a test environment or on an internal corporate network (intranet).
Because the certificate is not signed by a certificate authority (CA), users may see a warning that the site is not trusted and have to accept the certificate before they can reach the site, usually the first time they visit it. Users of the Confluence mobile app cannot connect to a site that uses a self-signed certificate at all.
For this you use Java's keytool utility, which ships with the JDK. If you are not comfortable with command-line tools, consider using the KeyStore Explorer tool instead.
Use Keytool to create a self-signed certificate:
From the command line, run the correct command for your operating system:
Windows
"%JAVA_HOME%\bin\keytool" -genkeypair -keysize 2048 -alias tomcat -keyalg RSA -sigalg SHA256withRSA
Linux (and macOS)
$JAVA_HOME/bin/keytool -genkeypair -keysize 2048 -alias tomcat -keyalg RSA -sigalg SHA256withRSA
Without a -keystore argument keytool writes the key pair to a file named .keystore in your home directory, and without -validity the self-signed certificate expires after 90 days; add -keystore <path> and -validity <days> if you want to control either.
When prompted, create a password for the keystore and the private key.
Use only letters and digits. Special characters in the password can cause errors in Tomcat.
Write the password down; you will need it in the next step.
The default password is 'changeit'.
Follow the prompts to enter the details of the certificate. This information is used to build the distinguished name (DN) of the X.500 subject.
First and last name: this is not your name but the common name (CN), for example 'confluence.example.com'. It must match exactly the host name users type to reach Confluence, otherwise browsers will reject the certificate. Note that modern browsers match the host name against the Subject Alternative Name (SAN) extension rather than the CN, so also pass -ext SAN=dns:confluence.example.com to keytool.
Organizational unit: the department or group the certificate is for, for example 'Marketing'.
Organization: your company's name, for example 'SeeSpaceEZ'.
City, state/province, country code: your company's geographical location, for example Sydney, NSW, AU.
keytool then prints the distinguished name it built and asks you to confirm it. Enter 'y' if it is correct:
CN=confluence.example.com, OU=Marketing, O=SeeSpaceEZ, L=Sydney, ST=NSW, C=AU
When asked for the key password for 'tomcat', enter the same password you created in the previous step (pressing Enter on its own also reuses the keystore password).
'tomcat' is the alias you gave in the keytool command; keytool uses it here to identify the key entry.
The key entry must have the same password as the keystore. Tomcat requires this.
Your certificate is now ready for use, go to the second step below.
Option 2: Use Certificate Authority issued certificates (recommended)
In a production environment you should use a certificate issued by a certificate authority (CA). The following is adapted from the Tomcat documentation.
First create a local key pair and self-signed certificate, then generate a certificate signing request (CSR) from it. You submit the CSR to the CA of your choice, and the CA returns a certificate signed with its key.
Create the local certificate with Java's keytool as described in Option 1 above.
Then run the following command to create the CSR:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <MY_KEYSTORE_FILENAME>
Replace <MY_KEYSTORE_FILENAME> with the path and file name of the .keystore file you created for the local certificate.
Submit the resulting certreq.csr file to the CA you want to sign it. Refer to the CA's documentation for how to do this.
The CA will send you back a signed certificate.
To import the new certificate into your local keystore:
keytool -importcert -alias tomcat -keystore <MY_KEYSTORE_FILENAME> -file <MY_CERTIFICATE_FILENAME>
Some CAs require you to install one or more intermediate certificates before your own certificate. Import those first, each under its own alias, and only then import the signed certificate under the 'tomcat' alias; if the chain is missing, keytool refuses the reply with 'Failed to establish chain from reply'. Follow the CA's documentation to complete the installation.
If you are using Verisign or GoDaddy and you get errors, you may need to export the certificate together with your private key to PKCS12 format instead. This route assumes you have the private key as a PEM file; keytool has no command to export a private key, so if the key only exists in the keystore, convert the keystore to PKCS12 with keytool -importkeystore and extract the key with openssl pkcs12 -nocerts.
First delete the key you added to the keystore:
keytool -delete -alias tomcat -keystore <MY_KEYSTORE_FILENAME>
Then export to PKCS12 format with OpenSSL:
openssl pkcs12 -export -in <MY_CERTIFICATE_NAME> -inkey <MY_PRIVATEKEY_NAME> -out <MY_PKC12_KEYSTORE_NAME> -name tomcat -CAfile <MY_ROOTCERTIFICATE_NAME-alsoCalledBundleCertificateInGoDaddy> -caname root
Then import the PKCS12 file into the JKS keystore (keytool prompts for the PKCS12 password):
keytool -importkeystore -deststorepass <MY_DESTINATIONSTORE_PASSWORD> -destkeypass <MY_DESTINATIONKEY_PASSWORD> -destkeystore <MY_KEYSTORE_FILENAME> -srckeystore <MY_PKC12_KEYSTORE_NAME> -srcstoretype PKCS12 -alias tomcat
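The following script is an added example and not code from the Confluence page or from Atlassian: it performs the Option 1 and Option 2 keytool steps above non-interactively and then runs the checks a practitioner would want before pointing Tomcat at the keystore. Because a real CA cannot be contacted offline, it signs the CSR with a throwaway CA keystore of its own, which also lets it show what happens when the signed certificate is imported before the CA chain. The host name, passwords, file names and the "Example Test CA" name are placeholders chosen for this example, and keytool (from the JDK) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the Confluence page: the keytool steps made
# non-interactive, plus the CA round-trip simulated with a throwaway CA keystore.
# Assumptions: keytool on PATH; host name, passwords, file names and the CA name
# are placeholders chosen for this example.
set -eu

HOST="confluence.example.com"
KS="./confluence.keystore"      # the keystore Tomcat will use
CAKS="./testca.keystore"        # stands in for the real CA (you never hold this locally)
# Tomcat needs the key password to equal the keystore password, so one value serves both.
PASS="changeit"

# Option 1: self-signed key pair. -dname replaces the prompts, -ext SAN adds the name
# browsers actually check (CN alone is not enough), -validity overrides the 90-day default.
make_self_signed() {
  rm -f "$KS" certreq.csr tomcat.cer
  keytool -genkeypair -keysize 2048 -alias tomcat -keyalg RSA -sigalg SHA256withRSA \
    -validity 365 -dname "CN=$HOST, OU=Marketing, O=SeeSpaceEZ, L=Sydney, ST=NSW, C=AU" \
    -ext "SAN=dns:$HOST" -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
}

# Checks worth running before configuring Tomcat.
has_private_key() {   # the alias holds a key pair, not just a trusted certificate
  keytool -list -keystore "$KS" -storepass "$PASS" -alias tomcat | grep -q PrivateKeyEntry
}
san_matches_host() {  # the SAN carries the host name users will type
  keytool -list -v -keystore "$KS" -storepass "$PASS" -alias tomcat | grep -q "DNSName: $HOST"
}

# Option 2: CSR from the same key pair (this is the file you would send to the CA).
make_csr() {
  keytool -certreq -alias tomcat -file certreq.csr -keystore "$KS" -storepass "$PASS"
  grep -q "BEGIN NEW CERTIFICATE REQUEST" certreq.csr   # keytool writes a PKCS#10 request
}

# Throwaway CA: a self-signed CA certificate (bc:c = BasicConstraints CA:true, critical)
# that signs the CSR. A real CA does this; you only receive tomcat.cer plus the CA chain.
sign_csr_with_test_ca() {
  rm -f "$CAKS" ca.cer
  keytool -genkeypair -keysize 2048 -alias ca -keyalg RSA -sigalg SHA256withRSA -validity 3650 \
    -dname "CN=Example Test CA, O=SeeSpaceEZ, C=AU" -ext bc:c \
    -keystore "$CAKS" -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -rfc -alias ca -keystore "$CAKS" -storepass "$PASS" -file ca.cer
  keytool -gencert -alias ca -keystore "$CAKS" -storepass "$PASS" -validity 365 \
    -ext "SAN=dns:$HOST" -infile certreq.csr -outfile tomcat.cer
}

# Importing the signed certificate before the CA chain fails with
# "Failed to establish chain from reply". Returns 0 when keytool rejects it, as expected.
reply_rejected_without_chain() {
  ! keytool -importcert -noprompt -alias tomcat -file tomcat.cer \
      -keystore "$KS" -storepass "$PASS" >/dev/null 2>&1
}

# Correct order: root/intermediate certificates first, then the reply under the key alias.
import_chain_then_reply() {
  keytool -importcert -noprompt -alias root -file ca.cer -keystore "$KS" -storepass "$PASS"
  keytool -importcert -noprompt -alias tomcat -file tomcat.cer -keystore "$KS" -storepass "$PASS"
}

chain_length() {      # 2 once the reply is installed: server certificate + CA certificate
  keytool -list -v -keystore "$KS" -storepass "$PASS" -alias tomcat \
    | sed -n 's/^Certificate chain length: //p'
}

if [ "${1:-}" = "run" ]; then
  make_self_signed && has_private_key && san_matches_host && make_csr \
    && sign_csr_with_test_ca && reply_rejected_without_chain && import_chain_then_reply \
    && echo "chain length: $(chain_length)"
fi
```

Run it as `sh example.sh run`. The self-signed keystore written by make_self_signed is already usable for Option 1; the later functions continue with Option 2 using the same key pair, which is the important property of the CA route: the CSR, the signed certificate and the keystore entry all belong to one private key, so the reply replaces the self-signed certificate in place rather than creating a second entry.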
Source: https://www.cwiki.us/display/CONF6ZH/Running+Confluence+Over+SSL+or+HTTPS (Confluence 6: Running Confluence over SSL or HTTPS, "Create or request an SSL certificate")