This article describes how to use an existing SSL certificate with Stash. The process involves converting the certificate using OpenSSL, importing it into the Java keystore, and then updating the Stash configuration to use it.

1. First you will need to arrange your certificate in a .pem file. Open Notepad and copy/paste the certificate, key, intermediate certificate, and root certificate in the following format:
-----BEGIN RSA PRIVATE KEY-----
Private key for yourdomain.com
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
SSL for yourdomain.com
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate from the issuing authority
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate from the issuing authority
-----END CERTIFICATE-----

2. Save the file as “yourdomain.pem”.

3. Open a command prompt and navigate to where you saved the .pem file. Then run the following command:

openssl pkcs12 -export -in yourdomain.pem -out yourdomain.p12

Note: This requires OpenSSL to be installed. If necessary this can be downloaded here.

4. Copy the new .p12 file to the server if it is not already there. Then open a command prompt and run the following to import the certificate into the keystore:

keytool -importkeystore -srckeystore yourdomain.p12 -destkeystore server.jks -srcstoretype pkcs12

You will be prompted for two passwords. Make sure to enter the same password for both and make note of this for later. If keytool is not recognized as a valid command you will have to change directories to the Java JRE bin directory.

5. Edit the server.xml file located in the “conf” directory of your Stash installation directory. Anywhere before the ending tag, enter the following:

<Connector port="8443"
maxHttpHeaderSize="8192"
SSLEnabled="true"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
useBodyEncodingForURI="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
keystoreFile="C:\server.jks"
keystorePass="MyPassword"
sslProtocol="TLS" />

You may need to update the following values depending on your setup:
keystoreFile: This is the full path to the .jks keystore file.
keystorePass: This is the import password you used during step 4.

I did not do any tweaking of the values listed above. They were simply taken from Atlassian’s guide Securing Stash with Tomcat using SSL.

6. Restart the Stash service and test by navigating to the following URL:
https://yourdomain.com:8443
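The bundle from step 1 is the usual place for this procedure to fail, because a copy/paste through a rich-text editor can turn the five-hyphen PEM delimiters into typographic dashes. The following Python check is an added example, not part of the original article: the names lint_pem_bundle and pem_block are hypothetical, and the sample bundle is constructed dummy data rather than a real key or certificate.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
# Typographic dashes that rich-text editors and web pages substitute for "-".
SMART_DASHES = "\u2012\u2013\u2014\u2015"


def lint_pem_bundle(text):
    """Return a list of problems in a key + certificate chain bundle."""
    problems = []
    if any(ch in text for ch in SMART_DASHES):
        problems.append("typographic dashes found; use five ASCII hyphens")
    labels = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), "".join(match.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{label}: body is not valid base64")
            continue
        # Keys and certificates are DER SEQUENCEs, which start with byte 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"{label}: decoded body is not a DER SEQUENCE")
        labels.append(label)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    elif labels[0] != keys[0]:
        problems.append("private key is not the first block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    return problems


def pem_block(label, body="MAMCAQA="):
    # Constructed sample: the default body is a 5-byte dummy DER SEQUENCE,
    # not real key or certificate material.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


GOOD = pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE") * 3
PASTED = GOOD.replace("-----", "\u2014\u2013")  # delimiters after a rich-text paste

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("pasted", PASTED)):
        print(name, lint_pem_bundle(sample) or "OK")
```

Running lint_pem_bundle on the contents of yourdomain.pem before step 3 should return an empty list; the key-first check reflects the layout shown in step 1.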
