Import Let’s Encrypt to JKS

You can perform manual verification with certbot's manual plugin.

certbot -d [domain] --manual --preferred-challenges dns certonly

Certbot will then give you instructions to manually update a TXT record for the domain in order to proceed with the validation.

Please deploy a DNS TXT record under the name with the following value:


Once this is deployed,
Press ENTER to continue

Once you have updated the DNS record, press Enter. Certbot will continue, and if the Let's Encrypt CA verifies the challenge, the certificate is issued as normal.

In Linux the certs will be in


cd into that directory and execute the following (the value given to -name becomes the key alias when the file is imported):

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name jira-domain-com -out jira.p12

Set the export password to the same password as the JKS file. Default password is:


Copy jira.p12 to the folder that holds the default keystore, cacerts. On Windows, cacerts is usually in:

C:\Program Files\Atlassian\JIRA\jre\lib\security

Relative to cacerts, the keytool command is normally in:


The import command would be (in the cacerts directory):

..\..\bin\keytool -importkeystore -deststorepass [password] -destkeystore cacerts -srckeystore jira.p12 -srcstoretype PKCS12

If chain.pem also needs to be imported, the command would be:

..\..\bin\keytool -import -alias letsencrypt -trustcacerts -file chain.pem -keystore cacerts

The added line in server.xml:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000"
           disableUploadTimeout="true" enableLookups="false" keyAlias="jira-domain-com"
           keystoreFile="C:\Program Files\Atlassian\JIRA\jre\lib\security\cacerts"
           keystorePass="[jks password]" keystoreType="JKS" maxHttpHeaderSize="8192"
           maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
           sslProtocol="TLS" relaxedPathChars="[]|"
           relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" useBodyEncodingForURI="true"/>
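
The Connector only finds the key if the alias set with -name at export time matches keyAlias, so it is worth checking jira.p12 before running keytool. The script below is an added example, not part of the original post: the function names, the P12_PASS environment variable and the self-signed test certificate are assumptions of this example, and it expects aliases without spaces.

```shell
#!/bin/sh
# Added example: sanity-check a PKCS#12 bundle before importing it with keytool.
# The password is read from the P12_PASS environment variable (an assumption of
# this example) so that it does not show up in the process list.

# make_sample_p12 DIR: build a CONSTRUCTED self-signed test bundle in DIR,
# using the same export command and -name value as the page.
make_sample_p12() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jira.example.test" \
          -keyout privkey.pem -out cert.pem 2>/dev/null &&
      openssl pkcs12 -export -in cert.pem -inkey privkey.pem \
          -name jira-domain-com -out jira.p12 -passout env:P12_PASS )
}

# check_p12 FILE ALIAS
# Returns 0 = ok, 1 = cannot open (wrong password or not PKCS#12),
# 2 = alias mismatch, 3 = private key does not match the certificate,
# 4 = certificate already expired.
check_p12() {
    certs=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || return 1
    # The alias is stored as the friendlyName bag attribute.
    found=$(printf '%s\n' "$certs" | awk '/friendlyName:/ { print $2; exit }')
    [ "$found" = "$2" ] || return 2
    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(printf '%s\n' "$certs" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
              openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3
    printf '%s\n' "$certs" | openssl x509 -noout -checkend 0 >/dev/null || return 4
    return 0
}

# Demo on the constructed bundle.
P12_PASS=${P12_PASS:-constructed-test-password}; export P12_PASS
demo_dir=$(mktemp -d)
make_sample_p12 "$demo_dir" && check_p12 "$demo_dir/jira.p12" jira-domain-com &&
    echo "jira.p12: alias, key pair and validity look right"
rm -rf "$demo_dir"
```

For a real bundle, export P12_PASS and call check_p12 with the path to jira.p12 and the value you intend to put in keyAlias.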