Available on: Enterprise Plan
Available for: Jira on-premise (Server / Data Center)
Mutual Transport Layer Security allows establishing an even more secure connection between your Jira instance and Miro. The functionality is automatically supported on all Enterprise plans and does not require any configuration on the Miro end.
⚠️ Note that this article does not present detailed instructions but simply provides a sample configuration and our certificate (at the end of the article). Please consult with your IT team and your system administrators, because depending on your network infrastructure the configuration steps may differ.
Choose the method you prefer and adjust the NGINX configuration that you have using one of the following snippets. Be sure to replace 127.0.0.1 with your Jira instance IP or web address and enter our certificate values instead of ENTER_MIRO_CERTIFICATE_HERE.
Validating via the certificate
Find the sample for the NGINX configuration below:
ssl_verify_client optional;
ssl_verify_depth 3;
set $cert_old "ENTER_OLD_MIRO_CERTIFICATE_HERE";
set $cert_new "ENTER_NEW_MIRO_CERTIFICATE_HERE";
set $valid_cert_flag 0;
location /jira/plugins/servlet/oauth/authorize {
proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira/login.jsp {
proxy_pass http://127.0.0.1/jira/login.jsp;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira {
if ($ssl_client_raw_cert ~ $cert_old) { set $valid_cert_flag 1; }
if ($ssl_client_raw_cert ~ $cert_new) { set $valid_cert_flag 1; }
if ($valid_cert_flag != 1) { return 403 "Invalid certificate\n"; }
proxy_pass http://127.0.0.1/jira;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
Validating via the certificate's fingerprint
Find the sample for the NGINX configuration below:
ssl_verify_client optional;
ssl_verify_depth 3;
set $fingerprint_old "ENTER_OLD_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
set $fingerprint_new "ENTER_NEW_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
set $valid_fingerprint_flag 0;
location /jira/plugins/servlet/oauth/authorize {
proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira/login.jsp {
proxy_pass http://127.0.0.1/jira/login.jsp;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira {
if ($ssl_client_fingerprint = $fingerprint_old) { set $valid_fingerprint_flag 1; }
if ($ssl_client_fingerprint = $fingerprint_new) { set $valid_fingerprint_flag 1; }
if ($valid_fingerprint_flag != 1) { return 403; }
proxy_pass http://127.0.0.1/jira;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
Miro certificates
The new certificate is valid until March 3, 2026.
-----BEGIN CERTIFICATE----- MIIGpTCCBY2gAwIBAgIIbaA2mhVx/aAwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1 cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjUwMzA2MDczMzM5WhcN MjYwMzAzMDkyMTEyWjAeMRwwGgYDVQQDExNqaXJhLWNhcmRzLm1pcm8uY29tMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtR7OWjYSgesjXzQW6R7r8jss NNPeS5ypbqZIdBMnuX9Rh62+wbNPo7FcKEe3BdmnmerCd3u47P6MJQTRXn6dBRMr 2g/nVvNHYtdxQB2iE+Rtwv2h+sDpkRO47N097q4wlhvelkFgUgULZx0LI/KPdPxC umZsjg6Ck/ssgcj4aWZMCCWjLTLXu8Gaz/2h8TocqweZXQ0dmvoJqB1CSzslQXBV IB+XxMeSoekojcY6pV4cfIfI57f5EfvLuUoiP6Q177Oe/eIymTrt4kEkeSX7UgXF 6qVF9bV7wTOMQ1DY+0kDIRuyg8cCdG7Ul0k6wXYt3XOTtxtDnRhkscR5juzGHQID AQABo4IDTjCCA0owDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6 Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS00MTA2NS5jcmwwXQYDVR0gBFYwVDBI BgtghkgBhv1tAQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVz LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRq MGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEF BQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5 L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjA3BgNV HREEMDAughNqaXJhLWNhcmRzLm1pcm8uY29tghd3d3cuamlyYS1jYXJkcy5taXJv LmNvbTAdBgNVHQ4EFgQU2wiZ/76DT0QSteUPWyBAumMf5WcwggF+BgorBgEEAdZ5 AgQCBIIBbgSCAWoBaAB1AA5XlLzzrqk+MxssmQez95Dfm8I9cTIl3SGpJaxhxU4h AAABlWpf1PEAAAQDAEYwRAIgBBQQGJQkwhokMXvDY9I1vpoSa32LYQ5ZuMnvszku n0YCIGMGcLWstkn3w9R1rt5tkdig6x5lvDxD7SiXdlPTcTCOAHcAZBHEbKQS7KeJ HKICLgC8q08oB9QeNSer6v7VA8l9zfAAAAGVal/WEQAABAMASDBGAiEAzHNCpKCV CibQO2srPHm7dIOTYV195V7DgzAzzQW55OgCIQDfZcnbV/2SmLTDHaC0Wa2fEUIL aEWfjwmd0W2S1dgv6AB2AMs49xWJfIShRF9bwd37yW7ymlnNRwppBYWwyxTDFFjn AAABlWpf1ukAAAQDAEcwRQIhAOxJmzEchKWsyYGFmbnxltjVix51fCL9FO5iTpUg tJWPAiBnz/LqP/IFQ7X0rgzLDNofv/8U6XW81EqrXL/GAhvlszANBgkqhkiG9w0B AQsFAAOCAQEAh6+0QB+bufxxhRy9zKq4MCAnqnyRgCJyQjUrwdr6kXOD9uvuyMtH jMERa+Q1/l00zNzE3u4j7u5TaTTZK7pj6GMUDUtEZU6zRFnbB4pKKop8ycIeaw5L ++w827r0b6+B2rd/JN9uHP/gWDJ/QRlLPVVl3fOs31Xp978G9wlch+oCUfFHW2H9 1vwn5v35G9DiTPl2ulRqr25k2Bi92G7IRJ9n51iHJpzEF+wUdZx/vZyHnBdDp1DK QDS5t4yGOW+VeINyw5gv5eQqw1j5+Q7PDlPODs1kQrVbuT/rV+bjPsQbPADAoLRP Mz8ZzEaMBqf35vY6DMTX46gig3K12sumYQ== -----END CERTIFICATE-----
The old certificate is valid until April 6, 2025.
-----BEGIN CERTIFICATE-----
MIIGpTCCBY2gAwIBAgIIQgAbkcMlgcgwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjQwMzA1MDczMDI4WhcN
MjUwNDA2MDczMDI4WjAeMRwwGgYDVQQDExNqaXJhLWNhcmRzLm1pcm8uY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtR7OWjYSgesjXzQW6R7r8jss
NNPeS5ypbqZIdBMnuX9Rh62+wbNPo7FcKEe3BdmnmerCd3u47P6MJQTRXn6dBRMr
2g/nVvNHYtdxQB2iE+Rtwv2h+sDpkRO47N097q4wlhvelkFgUgULZx0LI/KPdPxC
umZsjg6Ck/ssgcj4aWZMCCWjLTLXu8Gaz/2h8TocqweZXQ0dmvoJqB1CSzslQXBV
IB+XxMeSoekojcY6pV4cfIfI57f5EfvLuUoiP6Q177Oe/eIymTrt4kEkeSX7UgXF
6qVF9bV7wTOMQ1DY+0kDIRuyg8cCdG7Ul0k6wXYt3XOTtxtDnRhkscR5juzGHQID
AQABo4IDTjCCA0owDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6
Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS0xODIzNS5jcmwwXQYDVR0gBFYwVDBI
BgtghkgBhv1tAQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRq
MGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEF
BQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5
L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjA3BgNV
HREEMDAughNqaXJhLWNhcmRzLm1pcm8uY29tghd3d3cuamlyYS1jYXJkcy5taXJv
LmNvbTAdBgNVHQ4EFgQU2wiZ/76DT0QSteUPWyBAumMf5WcwggF+BgorBgEEAdZ5
AgQCBIIBbgSCAWoBaAB1AE51oydcmhDDOFts1N8/Uusd8OCOG41pwLH6ZLFimjnf
AAABjg2FZN4AAAQDAEYwRAIgBc+PVwPjZPnnD0zyCPlQ8+up0MsFlkf7z9PlPi2v
OeYCIBDKD4doMh7x4hyIP+pqzmQGYTdX/o42KHwvrkECwLo6AHYAfVkeEuF4Knsc
YWd8Xv340IdcFKBOlZ65Ay/ZDowuebgAAAGODYVl6gAABAMARzBFAiEA4V4cbend
3S3vD+f0y9Fwka3ckS7Z8lr38PW88pJouGECICfKUoms5n/P/UJiFH/Zq2ZHG8+/
DzfWDctoQdUDWGZVAHcAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5UwP5MDbAA
AAGODYVmaQAABAMASDBGAiEAufiFjn4hhkI237cz/mKGRh7nSqBF1KG03eZlE05e
3NMCIQCUInWAC/aNHTAktslNOoDeLxtpfg0M5L5sFpw+77AkeDANBgkqhkiG9w0B
AQsFAAOCAQEAGprOBgqK1Rr2aclZPjtPK6Kgvb6z1D/jBjEfNYVwP8n9BZ7Ewhwf
azl0I+uLqjXojOKPdMmf/3ZyM+2lj7QwCFeKzshKmSvINE48NZX6s5b50JK9a/Yl
LyJvnIv2dZvPktQ1H3of3kYqOAxynzFGJ97iZBXjCiESZU7V+gm4d3ILQLqJaxX9
UPyqVFDoJQQhNbhnjhTdieQdqWte43vMvrgmr1Y6Chd+kY7RxfHcu+2CUEqQo3ay
BrfLpItd34cR58VBcHTrvpK4nFWODCeNqhracTwvyzoGHlKli/nXod183CSSzcFG
0ghxdD7Lyj4notIkK3L2UHKOxz5UqD8kog==
-----END CERTIFICATE-----
Ways to configure
There are two options to choose from when it comes to how the validation will be checked: