How to run Bitbucket Server over HTTPS with a Personal Information Exchange (PFX) keystore

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Atlassian applications allow the use of SSL within our products, however Atlassian Support does not provide assistance for configuring it. Consequently, Atlassian cannot guarantee providing any support for it.

  • If assistance with conversions of certificates is required, please consult with the vendor who provided the certificate.

  • If assistance with configuration is required, please raise a question on the Atlassian Community.

Description

Certificates with the extension .pfx or .p12 usually use PKCS12 as encryption mechanism and this type of certificate is possible to be used in Tomcat without any conversion.

ℹ️ Usually certificates generated by Microsoft's Certification Authority console use PKCS12.

Diagnosis

You can check the Keystore type of your certificate using the following keytool command "keytool -list -keystore path_to_certificate.pfx -storetype PKCS12" and in case it's indeed PKCS12 you'll see the following output:

1 2 3 4 5 6 7 $ keytool -list -keystore cert.pfx -storetype PKCS12 Enter keystore password: Keystore type: PKCS12 Keystore provider: SunJSSE Your keystore contains 1 entry

Resolution

  1. Shutdown Bitbucket Server

  2. Bitbucket Server 5.0+

    1. Adjust the connector properties in bitbucket.properties as described in Secure Bitbucket with Tomcat using SSL. To set the keystore type, set the following:

      1 server.ssl.key-store-type=PKCS12

  3. Bitbucket Server 4.14 and below

    1. Adjust your SSL connector into the server.xml file. This is an example of SSL connector using keystoreType="PKCS12":

      1 2 3 4 5 6 7 <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" keystoreFile="C:\path_to_cert\certificate.pfx" keystorePass="certificate_password" keyAlias="1" keystoreType="PKCS12" clientAuth="false" connectionTimeout="20000" sslProtocol="TLS" useBodyEncodingForURI="true"/>

  4. Restart Bitbucket Server.

Updated on April 15, 2025
Platform
Data Center only
Product
Bitbucket Data Center
On this pageDescriptionDiagnosisResolution

Still need help?

The Atlassian Community is here for you.
Ask the Community