This is a procedure we used a couple of times to get a letsencrypt certificate. There may be easier ways to do it and we work on an automation wrapper that should make this and any similar manuals obsolete.

I will also update this procedure after the next renewal if I can find any simplification.

High-level Description

The JIRA server is inside our internal network. It runs on a Windows machine and in order to use it remotely, there is port forwarding rule on the main router.

We use one of our Linux servers to generate a new key and request a certificate. As this process involves verification of the domain control, we termporarily re-direct the domain from JIRA server to this Linux machine. Once completed, the routing is returned to the original setup and the next step is to create a Java key store suitable for Tomcat server.The last step is to copy the new keystore to the correct location (and optionally update the JIRA server configuration to pickup the new certificate).


Note: if you do it the first time, you may need to install a Java crypto policy file on your JIRA server.

  • download from -
  • unzip the downloaded archive and you should see 2 files () and a README file
  • find location of java, e.g. DIR c:\programdata\oracle\java\javapath
  • cd \program files\java\jre1.8.0_25\lib\security
  • cp <unlimited policy files> .
  1. ROUTER: redirect port 443 to a Linux server (LINUX) with letsencrypt/certbot installed (note the previous configuration or back it up, so you can restore it)
  2. LINUX: login to the server as a with `sudo` privileges (or as root)
  3. LINUX: cd letsencrypt (Note: letsencrypt is installed from git, if you used package installation like apt, or yum, you don’t need to change the folder)
  4. LINUX: ./letsencrypt-auto certonly -d <your domain> (Note: similar to the previous step, the command may be different etsencrypt certonly -d <your domain>)
  5. ROUTER: redirect 443 back to the JIRA server
  6. LINUX: sudo su
  7. LINUX: cd /etc/letsencrypt/live/<your domain>/
  8. LINUX (create pkcs12/pfx file): openssl pkcs12 -export -out /tmp/certificate.pfx -inkey privkey.pem -in fullchain.pem -nodes
  9. LINUX: chown <user> /tmp/certificate.pfx
  10. JIRA: open WinSCP - login to @
  11. JIRA: cd /tmp
  12. JIRA: copy certificate.pfx to Documents
  13. JIRA: close WinSCP
  14. JIRA: Start portecle (you can download it from (Note: we need portecle to create JKS - download or find on Desktop (version 1.9))
  15. JIRA: -> File->Open Keystore -> documents\jira.jks
  16. JIRA: -> Tools -> Import key pair -> Certificate.pfx
  17. alias -> dev20161001 (year, month, day) (Note: if you chose to use a fixed alias, you don’t have to touch the JIRA server configuration file
  18. new password: changeme
  19. Save the new Java keystore file into Documents folder - password:”changeme”
  20. Open Local Services and stop “Atlasssian JIRA”
  21. Copy the jira.jks into \program files\atlassian\application data\
  22. Open \program files\atlassian\jira\conf\server.xml -> update the “alias” as set above (Note: only if you change the key alias)
  23. Start “Atlasssian JIRA” in Local services again