Available on: Enterprise Plan
Available for: Jira on-premise (Server / Data Center)
Mutual Transport Layer Security (mTLS) allows you to establish an even more secure connection between your Jira instance and Miro. It is supported automatically on all Enterprise plans and does not require any configuration on the Miro end.
⚠️ Note that this article does not present detailed instructions but simply provides a sample configuration and our certificate (at the end of the article). Please consult with your IT team and your system administrators, because depending on your network infrastructure the configuration steps may differ.
Choose the method you prefer and adjust your existing NGINX configuration using one of the following snippets. Be sure to replace 127.0.0.1 with your Jira instance IP or web address and to replace the ENTER_..._HERE placeholders with our certificate values.
Validating via the certificate
Find the sample for the NGINX configuration below:
# Request a client certificate during the TLS handshake without requiring one;
# enforcement happens in the /jira location below.
ssl_verify_client optional;
ssl_verify_depth 3;

set $cert_old "ENTER_OLD_MIRO_CERTIFICATE_HERE";
set $cert_new "ENTER_NEW_MIRO_CERTIFICATE_HERE";
set $valid_cert_flag 0;

# No client-certificate check is applied to the OAuth authorize page.
location /jira/plugins/servlet/oauth/authorize {
    proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10M;
    proxy_redirect off;
}

# No client-certificate check is applied to the login page.
location /jira/login.jsp {
    proxy_pass http://127.0.0.1/jira/login.jsp;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10M;
    proxy_redirect off;
}

# Every other /jira path: return 403 unless the client certificate matches
# the old or the new Miro certificate.
location /jira {
    if ($ssl_client_raw_cert ~ $cert_old) { set $valid_cert_flag 1; }
    if ($ssl_client_raw_cert ~ $cert_new) { set $valid_cert_flag 1; }
    if ($valid_cert_flag != 1) { return 403 "Invalid certificate\n"; }
    proxy_pass http://127.0.0.1/jira;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10M;
    proxy_redirect off;
}
Validating via the certificate's fingerprint
Find the sample for the NGINX configuration below:
# Request a client certificate during the TLS handshake without requiring one;
# enforcement happens in the /jira location below.
ssl_verify_client optional;
ssl_verify_depth 3;

set $fingerprint_old "ENTER_OLD_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
set $fingerprint_new "ENTER_NEW_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
set $valid_fingerprint_flag 0;

# No client-certificate check is applied to the OAuth authorize page.
location /jira/plugins/servlet/oauth/authorize {
    proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10M;
    proxy_redirect off;
}

# No client-certificate check is applied to the login page.
location /jira/login.jsp {
    proxy_pass http://127.0.0.1/jira/login.jsp;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10M;
    proxy_redirect off;
}

# Every other /jira path: return 403 unless the client certificate's
# fingerprint equals the old or the new Miro fingerprint.
location /jira {
    if ($ssl_client_fingerprint = $fingerprint_old) { set $valid_fingerprint_flag 1; }
    if ($ssl_client_fingerprint = $fingerprint_new) { set $valid_fingerprint_flag 1; }
    if ($valid_fingerprint_flag != 1) { return 403; }
    proxy_pass http://127.0.0.1/jira;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10M;
    proxy_redirect off;
}
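The fingerprint sample compares `$ssl_client_fingerprint` with `=`, an exact string match, and NGINX renders that variable as the SHA-1 of the DER-encoded certificate in 40 lowercase hex digits without colons. The script below is an added example, not part of Miro's article: it derives values in that form from PEM text. The names `nginx_fingerprints`, `normalize`, `set_directives` and `fake_pem` and the sample inputs are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def nginx_fingerprints(pem_text):
    """SHA-1 fingerprint of every PEM certificate in pem_text, formatted
    like $ssl_client_fingerprint: 40 lowercase hex digits, no colons."""
    bodies = PEM_RE.findall(pem_text)
    if not bodies:
        raise ValueError("no PEM certificate block found")
    result = []
    for body in bodies:
        # validate=True rejects stray characters left by a bad copy/paste
        der = base64.b64decode("".join(body.split()), validate=True)
        result.append(hashlib.sha1(der).hexdigest())  # hash of the DER bytes
    return result

def normalize(fingerprint):
    """Turn openssl-style 'AB:CD:...' into the form nginx compares against."""
    fp = fingerprint.strip().replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fp):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return fp

def set_directives(old_pem, new_pem):
    """Render the two `set` lines of the fingerprint sample."""
    (old,) = nginx_fingerprints(old_pem)  # exactly one certificate expected
    (new,) = nginx_fingerprints(new_pem)
    return ('set $fingerprint_old "%s";\n'
            'set $fingerprint_new "%s";' % (old, new))

def fake_pem(der):
    """Wrap arbitrary bytes in PEM armor (constructed test input only)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body

# Constructed placeholders, NOT real certificates: the fingerprint is just
# SHA-1 over the decoded bytes, so any bytes exercise the same code path.
SAMPLE_OLD = fake_pem(b"constructed bytes standing in for the old certificate")
SAMPLE_NEW = fake_pem(b"constructed bytes standing in for the new certificate")

if __name__ == "__main__":
    print(set_directives(SAMPLE_OLD, SAMPLE_NEW))
```

A colon-separated uppercase value, such as the output of `openssl x509 -noout -fingerprint -sha1`, never equals `$ssl_client_fingerprint` until it has been passed through `normalize`.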
Miro certificates
The new certificate is valid from May 28, 2026, until Feb 6, 2027.
The old certificate is valid until Oct 9, 2026 (deprecated).
Ways to configure
There are two options to choose from when it comes to how the validation will be checked: