- Type: Suggestion
- Resolution: Fixed
- Component/s: Documentation
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.
Currently we advise a user to go through some steps, and they are led to one that gets them to do something that isn't useful. In our JIRA044, JIRA050, JIRA051 or JIRA docs:
1. They follow the steps to create a keystore file and generate a CSR.
2. We ask them to export the certificate from their keystore.
3. We then ask them to import the certificate into the cacerts trustStore. The truststore is designed for certificate authority (CA) certs (e.g. godaddy/rapidssl/verisign certs) and should mostly have all of the default CA certs. The only time they would need to do this is if the CA is not already loaded or the CA cert is self-signed. Step 1 gets them to sign a standard certificate, not a CA.
We don't need to ask them to do steps 2 & 3 as when the CSR is generated in step 1, it gets automatically imported and by default when Tomcat starts up it will use the keystore generated in step 1 (provided they did it as the correct user). You could remove the section in the attached screenshot as steps 2 and 3 aren't necessary.
We also don't warn the user that when using the keytool, it will default to the home directory of the user that is running that command - this could lead to problems if they run it as a user that doesn't execute Tomcat. For example:
- The bundled Linux installer sets up JIRA as the jira user.
- Tomcat defaults to the ~jira/.keystore file for the user that executes it.
- If a customer generates the keytool as a user other than jira, it will not put it in ~jira/.keystore, so Tomcat will not have the correct keystore.
Could you please add something in like the below for step 1:
On Linux, please ensure this command is run as the user that Tomcat runs on. By default, this is jira when using the bundled installer.
And also change "2. Import certificate into the trust store" so that we're clear that the user only needs to do this step if they have a CA certificate that is not already in cacerts.
Please let me know if you need clarification or anything - thanks!
- is related to: JRASERVER-28624 Import Certificate into the Trust-store discrepencies between versions (Closed)
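
The home-directory mismatch described in the suggestion above, as an added example (not part of the original issue or of Atlassian's documentation): a shell pre-flight check that compares where keytool would write by default with where Tomcat reads. The function names, the constructed passwd entries and the `alice` account are assumptions; `jira` is the installer default named in the issue.

```shell
#!/bin/sh
# Pre-flight check before running keytool for JIRA's Tomcat (added example).
# Assumption: the default keystore is <home>/.keystore, with <home> taken
# from the account's passwd entry.

# Constructed sample account database (passwd format), not from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jira:x:1001:1001:JIRA service:/home/jira:/bin/false
alice:x:1002:1002:Admin:/home/alice:/bin/bash'

# home_of USER [PASSWD_FILE] -> prints the home directory, fails if unknown.
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# default_keystore USER [PASSWD_FILE] -> default keystore path for that user.
default_keystore() {
    h=$(home_of "$1" "$2") || return 1
    printf '%s/.keystore\n' "${h%/}"
}

# preflight SERVICE_USER INVOKING_USER [PASSWD_FILE]
# 0: keytool would write where Tomcat reads; 1: mismatch; 2: unknown account.
preflight() {
    svc_ks=$(default_keystore "$1" "$3") || { echo "unknown user: $1" >&2; return 2; }
    inv_ks=$(default_keystore "$2" "$3") || { echo "unknown user: $2" >&2; return 2; }
    if [ "$svc_ks" = "$inv_ks" ]; then
        echo "OK: keytool as $2 writes $inv_ks, which Tomcat ($1) reads"
        return 0
    fi
    echo "MISMATCH: keytool as $2 writes $inv_ks; Tomcat ($1) reads $svc_ks" >&2
    echo "Run keytool as $1, or pass -keystore $svc_ks and fix ownership" >&2
    return 1
}

# demo: run the check against the constructed sample (alice vs. jira).
demo() {
    f=$(mktemp) && printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    rc=0
    preflight jira alice "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}
```

On a real host, `preflight jira "$(id -un)"` reads `/etc/passwd` and reports whether the current account is the one whose `.keystore` Tomcat will open.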