@jrwarwick
Created May 7, 2020 18:00
JIRA (on Windows) SSL certificate replacement
#### https://confluence.atlassian.com/adminjiraserver085/running-jira-applications-over-ssl-or-https-981155619.html
#### Doc was helpful, but didn't quite cover all situations. Adapted the following from some tomcat-on-Linux work from the past.
## Assumes you are only updating our issued cert, not the whole CA trust chain.
## keystore password is available to you in some secrets repository
# From Admin Elevated PS session on JIRA server: #
$YYYY = $((get-date).tostring('yyyy'))
$YYYYMMDD = $((get-date).tostring('yyyyMMdd'))
$ENV:PATH += ";C:\Program Files\Atlassian\JIRA\jre\bin\;"
$jirakeystorefile = "C:\Program Files\Atlassian\Application Data\JIRA\jira.jks"
$wildcardcertstorefile = "\\resourceserver\share\path\to\new\Certificates\${YYYY}\wildcard_CAsigned_cert_${YYYY}.pfx"
ls $wildcardcertstorefile
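copy-item $jirakeystorefile "${jirakeystorefile}.${YYYYMMDD}_BACKUP"
# Read the alias from the PFX defined above (the keystore password will be prompted for)
$srckeyalias=((keytool -list -v -keystore $wildcardcertstorefile -storetype PKCS12 | sls 'Alias name:') -replace "Alias name: ","").Trim()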
keytool -list -keystore $jirakeystorefile
keytool -delete -alias jira -keystore $jirakeystorefile
keytool -importkeystore -destkeystore $jirakeystorefile -srckeystore $wildcardcertstorefile -srcstoretype PKCS12 -noprompt -srcalias $srckeyalias -destalias "jira"
keytool -list -keystore $jirakeystorefile
keytool -list -v -alias jira -keystore $jirakeystorefile | sls "Owner|Issuer|Valid"
echo "Now just uniformify the key's internal password to the key*store* password (as *required* by tomcat)."
echo "You will end up entering four passwords in a row. You've really got to pay attention on this one."
keytool -keypasswd -alias "jira" -keystore $jirakeystorefile
echo "Now go watch catalina.out while restarting services (or tomcat directly if you know how)"
#gc -tail 10 -wait "C:\Program Files\Atlassian\JIRA\logs\catalina.$(get-date -Format 'yyyy-MM-dd').log"
Get-Service | where {$_.displayname -like "*jira*"} | ft -auto
Restart-Service ## name of service will be something like: JIRAServiceDesk123456
Get-Service | where {$_.displayname -like "*jira*"} | ft -auto
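
A check to run after the import and before the restart, written as an added example (not part of the original gist): it parses `keytool -list -v` output and confirms the `jira` alias is a PrivateKeyEntry holding the same leaf certificate as the PFX. The function names and sample listings are assumptions constructed for illustration, and English keytool output is assumed.

```powershell
# Added example, not from the original gist. Assumes English keytool output.
function Get-KeytoolEntry {
    param([string[]]$Lines)   # lines from: keytool -list -v -keystore <file> [-alias <name>]
    $e = [ordered]@{ Alias = $null; EntryType = $null; Sha256 = $null; ValidUntil = $null }
    foreach ($line in $Lines) {
        # Keep only the first hit of each field: in a chain, Certificate[1] is the leaf.
        switch -Regex ($line) {
            '^Alias name:\s*(.+)$'            { if (-not $e.Alias)      { $e.Alias      = $Matches[1].Trim() } }
            '^Entry type:\s*(.+)$'            { if (-not $e.EntryType)  { $e.EntryType  = $Matches[1].Trim() } }
            '^\s*SHA-?256:\s*([0-9A-Fa-f:]+)' { if (-not $e.Sha256)     { $e.Sha256     = $Matches[1].ToUpper() } }
            '\buntil:\s*(.+)$'                { if (-not $e.ValidUntil) { $e.ValidUntil = $Matches[1].Trim() } }
        }
    }
    [pscustomobject]$e
}

function Test-ImportedEntry {
    param($Source, $Dest)     # both are objects returned by Get-KeytoolEntry
    if ($Dest.EntryType -ne 'PrivateKeyEntry') {
        "alias '$($Dest.Alias)' is '$($Dest.EntryType)': no private key, Tomcat cannot serve TLS from it"
    }
    if (-not $Dest.Sha256 -or $Dest.Sha256 -ne $Source.Sha256) {
        "alias '$($Dest.Alias)' does not hold the leaf certificate from the PFX (SHA-256 differs)"
    }
}

# Constructed sample listings (fingerprint, names and dates are made up).
$fp  = (1..32 | ForEach-Object { '{0:X2}' -f $_ }) -join ':'
$pfx = @(
    'Alias name: sample-pfx-alias', 'Entry type: PrivateKeyEntry', 'Certificate[1]:',
    'Owner: CN=*.example.test',
    'Valid from: Thu May 07 00:00:00 UTC 2020 until: Sat May 07 23:59:59 UTC 2022',
    "`t SHA256: $fp")
$good = $pfx  -replace '^Alias name:.*', 'Alias name: jira'      # key and cert imported
$bad  = $good -replace 'PrivateKeyEntry', 'trustedCertEntry'     # cert imported without its key

$src = Get-KeytoolEntry $pfx
foreach ($listing in $good, $bad) {
    $problems = @(Test-ImportedEntry $src (Get-KeytoolEntry $listing))
    if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'import looks correct' }
}

# Live use with the gist's variables (keytool prompts for the store passwords):
# $src = Get-KeytoolEntry (keytool -list -v -keystore $wildcardcertstorefile -storetype PKCS12)
# $dst = Get-KeytoolEntry (keytool -list -v -alias jira -keystore $jirakeystorefile)
# Test-ImportedEntry $src $dst
```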