This document describes how to configure the Atlassian IntelliJ plugin for IDEA to use HTTPS with client-side certificates when communicating with the server. We assume that you have already configured HTTPS in your web server; for Tomcat, see the Tomcat configuration page.
To connect to the server with a client-side certificate, three things are required:
- a client certificate in JKS format (JKS keystore), generated with the clientAuth flag
- the root (trusted certification authority) certificate in JKS format (trusted authorities JKS keystore)
- proper plugin configuration (Java options)
- Export the client certificate to JKS format, for example:
java PKCS12Import cert.p12 client.jks.keystore
- Extract the CA root certificate (the certificate whose issuer and subject fields are identical) from the PEM file into a separate file. The file should look like this (the base64 body below is shortened):
-----BEGIN CERTIFICATE-----
AKmKxzANBgMIIGUjCCBDqgAwIBAgIG9w0BAQEkqhki
.......
.......
-----END CERTIFICATE-----
- Import the CA root certificate with the following command:
keytool -import -trustcacerts -file root.pem -alias <root key alias, optional> -keystore <path to trust keystore file>
Instead of creating a separate trust store, the CA root certificate can be imported directly into the Java keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts, but only a sudo user can do that.
- Add the following to the idea.vmoptions file (note that both keystore passwords are stored there in clear text, so keep the file readable only by your own user):
-Djavax.net.ssl.keyStore=<path to your keystore>
-Djavax.net.ssl.keyStoreType=jks
-Djavax.net.ssl.keyStorePassword=<password>
-Djavax.net.ssl.trustStore=<path to trust keystore>
-Djavax.net.ssl.trustStorePassword=<password>
-Djavax.net.ssl.trustStoreType=jks
Generating certificates from the ground up
Use the CA.pl script, located at /usr/lib/ssl/misc/CA.pl (on Ubuntu), and the Java class PKCS12Import.
Generate the CA certificate:
CA.pl -newca
The certificate is written to ./demoCA/cacert.pem
Generate the server certificate:
CA.pl -newreq
CA.pl -signreq
CA.pl -pkcs12
Create the JKS keystore:
java PKCS12Import newcert.p12 server.store.jks
Use server.store.jks to configure Tomcat HTTPS.
Generate the client certificate
Make sure that your /etc/ssl/openssl.cnf config file contains the clientAuth flag:
[ v3_req ]
extendedKeyUsage = serverAuth, clientAuth
If this flag is not present, the certificate cannot be used as a client certificate.
CA.pl -newreq
CA.pl -signreq
CA.pl -pkcs12
Create the JKS keystore:
java PKCS12Import newcert.p12 client.store.jks
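Two pre-flight checks for the procedure above, written as an added example that is not part of the original page: one confirms that the openssl.cnf section actually carries clientAuth before CA.pl signs the request, the other confirms that idea.vmoptions names all six javax.net.ssl properties. The sample config files are constructed inline and the /home/me/... keystore paths are placeholders.

```shell
# has_client_auth <openssl.cnf> [section]: succeed only if extendedKeyUsage
# inside that section (default v3_req) lists clientAuth. Matching is
# section-scoped, so a clientAuth in another section or on a commented-out
# line does not count; a leading "critical," marker is tolerated.
has_client_auth() {
  awk -v want="${2:-v3_req}" '
    /^[ \t]*\[/ { s = $0; gsub(/\[|\]|[ \t]/, "", s); insec = (s == want); next }
    insec && /^[ \t]*extendedKeyUsage[ \t]*=/ {
      split($0, kv, "="); n = split(kv[2], vals, ",")
      for (i = 1; i <= n; i++) { v = vals[i]; gsub(/[ \t\r]/, "", v); if (v == "clientAuth") found = 1 }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# missing_vmoptions <idea.vmoptions>: print every required -Djavax.net.ssl.*
# property that is absent; succeed only when all six are present.
missing_vmoptions() {
  rc=0
  for p in keyStore keyStoreType keyStorePassword trustStore trustStorePassword trustStoreType; do
    grep -q "^-Djavax\.net\.ssl\.$p=" "$1" || { echo "missing: -Djavax.net.ssl.$p"; rc=1; }
  done
  return $rc
}

# Constructed sample inputs (placeholders, not real configuration).
tmp=$(mktemp -d)
cat > "$tmp/good.cnf" <<'EOF'
[ usr_cert ]
# extendedKeyUsage = clientAuth
[ v3_req ]
extendedKeyUsage = serverAuth, clientAuth
EOF
cat > "$tmp/bad.cnf" <<'EOF'
[ usr_cert ]
extendedKeyUsage = clientAuth
[ v3_req ]
extendedKeyUsage = serverAuth
EOF
cat > "$tmp/idea.vmoptions" <<'EOF'
-Djavax.net.ssl.keyStore=/home/me/client.store.jks
-Djavax.net.ssl.keyStoreType=jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=/home/me/trust.jks
-Djavax.net.ssl.trustStoreType=jks
EOF
has_client_auth "$tmp/good.cnf" && echo "good.cnf: clientAuth present in [ v3_req ]"
has_client_auth "$tmp/bad.cnf" || echo "bad.cnf: clientAuth missing from [ v3_req ]"
missing_vmoptions "$tmp/idea.vmoptions" || echo "idea.vmoptions: incomplete"
```

Run the two functions against your real /etc/ssl/openssl.cnf and idea.vmoptions before generating the client certificate; a certificate signed without clientAuth has to be reissued.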