GitLab Trust Jira Self-signed Certificates

Chao Geng
Apr 7, 2024

Jira is a suite of agile work management solutions. It is mandatory to run Jira over HTTPS. Jira's SSL certificates fall into two major categories:

  • Self-signed
  • CA-signed

A Java Key Store (JKS) holds the SSL certificates, whether they are self-signed or CA-signed. A Java KeyStore is a repository of security certificates (either authorization certificates or public key certificates) plus the corresponding private keys, used for instance in TLS encryption.

Many applications, such as GitLab, officially support integration with Jira.

The integration connects one or more GitLab projects to a Jira instance. Once the right authentication method (API token or password) is configured, GitLab sends commits, merge requests… to Jira. If your Jira is running with self-signed certificates, GitLab will have trouble connecting. To fix it, GitLab needs to trust Jira's self-signed certificates.

Convert Jira Certificate into PEM Format

GitLab cannot read a Java Key Store (JKS), so we need to convert the Java key store file into a PEM file. Here, we use the keytool and openssl tools.

  • keytool is available because our Jira instance is self-managed. Default: /opt/atlassian/jira/jre/bin/keytool
  • openssl is available because our host is Ubuntu 22.04. You can install it with sudo apt update && sudo apt install openssl

Java Key Store is stored in the JKS file format. PKCS #12 is the default key store format.

Suppose your Java Key Store (JKS) file is jira.jks.

Step 1: Generate the Java Key Store

Run the following command:

/opt/atlassian/jira/jre/bin/keytool -genkey -keyalg RSA -v -keystore jira.jks -alias my_key

# /opt/atlassian/jira/jre/bin/keytool -genkey -keyalg RSA -v -keystore jira.jks -alias my_key
Enter keystore password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]: mycn
What is the name of your City or Locality?
[Unknown]: beijing
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=Unknown, OU=Unknown, O=mycn, L=beijing, ST=Unknown, C=CN correct?
[no]: yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
for: CN=Unknown, OU=Unknown, O=mycn, L=beijing, ST=Unknown, C=CN
Enter key password for <my_key>
(RETURN if same as keystore password):
Re-enter new password:
[Storing jira.jks]

Note: the default key store password is changeit.

Step 2: Convert JKS to PKCS#12

Run the following command:

/opt/atlassian/jira/jre/bin/keytool -importkeystore -srckeystore jira.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12

# /opt/atlassian/jira/jre/bin/keytool  -importkeystore -srckeystore jira.jks  -destkeystore keystore.p12  -srcstoretype jks  -deststoretype pkcs12
Importing keystore jira.jks to keystore.p12...
Enter destination keystore password:
Enter source keystore password:
Entry for alias jira successfully imported.
Entry for alias my_key successfully imported.

# ls -l
total 16
-rw-r--r-- 1 root root 4418 Apr 7 20:10 jira.jks
-rw-r--r-- 1 root root 5131 Apr 7 20:20 keystore.p12

Note: the default key store password is changeit.

Step 3: Convert PKCS#12 to PEM

Run the following command:

openssl pkcs12 -in keystore.p12 -out keystore.pem

# openssl pkcs12 -in keystore.p12 -out keystore.pem
Enter Import Password:
Enter PEM pass phrase:
# ls -l
total 24
-rw-r--r-- 1 root root 4418 Apr 7 20:10 jira.jks
-rw-r--r-- 1 root root 5131 Apr 7 20:20 keystore.p12
-rw------- 1 root root 7076 Apr 7 20:23 keystore.pem

The PEM file has been created.
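
Without -nokeys, openssl pkcs12 writes the private keys (encrypted with the PEM pass phrase) into keystore.pem alongside the certificates, while GitLab only needs the certificates to trust Jira. The following script is an added example, not part of the original post: it keeps only the CERTIFICATE blocks and rejects any file that still holds a private key; the function names and the sample PEM content are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post; function names are illustrative.
# Print the number of private-key blocks (plain, encrypted, RSA, EC) in a PEM file.
count_private_keys() {
    grep -c -E '^-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1" || true
}

# Print the number of certificate blocks in a PEM file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write only the CERTIFICATE blocks of $1 to $2, dropping key blocks and the
# "Bag Attributes" text that openssl pkcs12 prints between blocks.
certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep                           { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }' "$1" > "$2"
}

# Succeed only if the file holds at least one certificate and no private key.
safe_for_trust_store() {
    [ "$(count_certs "$1")" -ge 1 ] && [ "$(count_private_keys "$1")" -eq 0 ]
}

# Constructed sample shaped like the step 3 output; the base64 bodies are
# placeholders, not real key or certificate material.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: my_key
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/keystore.pem"
certs_only "$tmp/keystore.pem" "$tmp/jira.pem"
for f in keystore.pem jira.pem; do
    if safe_for_trust_store "$tmp/$f"; then echo "$f: certificates only, OK to copy"
    else echo "$f: contains a private key, do not copy"; fi
done
rm -rf "$tmp"
```

Running openssl pkcs12 -in keystore.p12 -nokeys -out jira.pem instead avoids exporting the private keys in the first place.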

GitLab Trust Jira Certificate

Our GitLab instance is also self-managed. We need to copy the created PEM file to /etc/gitlab/trusted-certs on the GitLab host.

# ls -l /etc/gitlab/trusted-certs/
total 2
-rw-r--r-- 1 root root 3374 Apr 7 09:56 jira.pem

Next, reconfigure GitLab by running the following command:

gitlab-ctl reconfigure

After that, we can see the newly created symbolic link:

# ls -l /etc/gitlab/trusted-certs/
total 4
lrwxrwxrwx 1 root root 8 Apr 7 09:57 22039c63.0 -> jira.pem
-rw-r--r-- 1 root root 3374 Apr 7 09:56 jira.pem

Now, GitLab can communicate with Jira. Next, we can start to integrate them.
