Renewing SSL Certificate for Apache Reverse Proxy in Jira Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

As explained in the documentation here, Jira can be integrated with Apache using SSL. In this use case, the SSL certificate will be managed within Apache rather than Tomcat. This article aims to guide you through the process of renewing expired or expiring certificates configured in Apache, ensuring that you can maintain uninterrupted access to Jira. 

Environment

Jira Software/ Jira Service Management Data Center on any version

Solution

Follow the steps below to renew the certificates configured in Apache.

  • Use the command provided to create a new private key and generate a new CSR.

1 openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

The above command will generate a new RSA private key (2048 bits) and save it in server.key. It will also create a CSR (Certificate Signing Request) based on the new private key and save it in server.csr. 

  • Submit the CSR to the CA following their enrollment process. The selection of the CA is at the discretion of the users.

  • After the CSR submission, the CA conducts a series of checks and issues the Server certificate, along with the Root and intermediate certificates.

  • Create a directory and move all the issued certificates, including the server.key file, into it.

  • Edit the Apache configuration file (httpd.conf). Apache's main configuration file is typically named httpd.conforapache2.conf. Possible locations for this file include /etc/httpd/ or /etc/apache2/.

  • Update the <VirtualHost> block with the newly created certificates 

1 2 3 4 5 6 7 8 9 10 11 12 13 <VirtualHost *:443> ServerName jira.com ProxyTimeout 1800 SSLEngine on SSLCertificateFile /path/to/your_domain_name.crt SSLCertificateKeyFile /path/to/your_private.key SSLCertificateChainFile /path/to/DigiCertCA.crt SSLProxyEngine          On ProxyRequests           Off ProxyPreserveHost       On ProxyPass               /       http://jiraserver/jira ProxyPassReverse        /       http://jiraserver/jira </VirtualHost> 

In the above example, please take a moment to replace the SSLCertificateFile with the server's SSL certificate that you received from the Certificate Authority (CA). Additionally, replace SSLCertificateChainFile with the Root/Intermediate certificate chain that you were provided. It's important to ensure that SSLCertificateKeyFile points to the key file location that you created in the first step.

  • After making these changes, restart Apache and access Jira using the base URL.

Updated on March 11, 2025
Platform
Data Center only
Products
Jira Software Data Center
Jira Core Data Center
Jira Service Management Data Center
On this pageSummarySolution

Still need help?

The Atlassian Community is here for you.
Ask the Community