Unable to connect to the JIRA application due to IOException Invalid keystore format
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
After JIRA has been upgraded, or configured for SSL, connections to it fail even though the process is running.
The following appears in the Catalina log (for example catalina.2015-10-24.log):
24-Oct-2015 15:54:34.822 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:424)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:323)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:581)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:521)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:466)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:205)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:360)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
Diagnosis
Environment
JIRA is configured to use SSL, hosted by Tomcat.
Diagnostic Steps
If this exception is found in the logs it's highly likely this problem applies.
Cause
The Java Keystore (JKS) specified for Tomcat is in an invalid format. By default Tomcat expects a JKS file, and this error can be thrown if the file is in PKCS12 format (it's a bit like expecting a BMP and getting a JPG, in the image world).
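One way to check which format a keystore file is actually in, as an added example that is not part of the original article: the JKS loader seen in the stack trace rejects files that do not begin with the JKS magic number. keystore_format is a hypothetical helper name, and the byte values are the standard leading bytes of JKS, JCEKS and DER-encoded (PKCS12) files.

```shell
#!/bin/sh
# Added example (not Atlassian or JDK code): classify a keystore file by its
# leading bytes. keystore_format is a hypothetical helper name.
keystore_format() {
    ks_file="$1"
    if [ ! -r "$ks_file" ]; then
        echo "unreadable"
        return 1
    fi
    # First four bytes as lowercase hex with whitespace stripped.
    ks_magic=$(od -An -tx1 -N4 "$ks_file" | tr -d ' \t\n')
    case "$ks_magic" in
        feedfeed) echo "jks" ;;      # JKS magic number 0xFEEDFEED
        cececece) echo "jceks" ;;    # JCEKS magic number 0xCECECECE
        2d2d2d2d) echo "pem" ;;      # "----" of a PEM header, not a keystore
        30*)      echo "der" ;;      # ASN.1 SEQUENCE: PKCS12 or a DER certificate
        "")       echo "empty" ;;    # zero-length file
        *)        echo "unknown" ;;
    esac
}

# When run as a script with a path argument, print the detected format.
if [ "$#" -gt 0 ]; then
    keystore_format "$1"
fi
```

A result of der for the file Tomcat is pointed at matches the PKCS12 cause described above; keytool -list -keystore <file> -storetype PKCS12 then shows the entry types it contains.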
Solution
Workaround
It may be possible to tell Java to use the appropriate format. This can be done as follows:
1. Stop JIRA.
2. Add the JVM argument -Djavax.net.ssl.trustStoreType=pkcs12 as per Setting Properties and Options on Startup.
3. Start JIRA and test.
If this does not work, proceed to the Resolution.
Resolution
Go back to the provider who supplied the key (either the CA vendor or appropriate department) and request a Java Keystore (JKS) with the following in it:
A PrivateKeyEntry.
Any intermediate certificates, in the form of trustedCertEntry.
ℹ️ It's recommended to host JIRA behind a reverse proxy such as Apache or Nginx as per the below: