Gaston Dombiak

Simplifying certificate management in Wildfire

Blog post by Gaston Dombiak on Dec 17, 2006

Every time I've had to deal with SSL/TLS certificate handling in Java it's been hugely frustrating and time consuming. There's a lack of good information and examples published, and getting anything done requires using multiple libraries (the built-in JCE in some cases, Bouncy Castle in others, etc). That's resulted in a functional but not very easy to use certificate handling feature in Wildfire. The numerous threads in the Wildfire forum posted by users trying to create and import certificates proved to me that we had more work to do on this feature.

A guiding philosophy for Wildfire is ease of use, and certificate management should follow that same spirit. The current certificate management tools in Wildfire are anything but easy to use. The command line keytool application is used to manage the Wildfire certificate store: to create certificates, generate signing requests and import signed certificates. Just to make things a little more difficult, the XMPP specification states that a particular extension should be included in certificates to specify the domain of the XMPP server. It's not possible to set that extension using keytool, so the previous workaround was to use OpenSSL to create certificates. That's a major pain given that OpenSSL and keytool use different formats, which requires an extra format conversion step. No wonder users are having so many problems! Wildfire 3.2 does away with all this complexity by turning the painful process into a few clicks in a web-based interface.
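As an added illustration (not Wildfire's own code), the extension the paragraph refers to is the id-on-xmppAddr otherName (OID 1.3.6.1.5.5.7.8.5) inside the certificate's subjectAltName. The stdlib-only Python below builds that DER value for a server domain and parses it back, which is the structure keytool cannot emit; the domain names are constructed sample input.

```python
"""Build and parse the subjectAltName value an XMPP server certificate needs:
an otherName of type id-on-xmppAddr carrying the server domain as a UTF8String,
usually alongside a plain dNSName for non-XMPP-aware clients."""
from typing import List, Tuple

# Content octets of OID 1.3.6.1.5.5.7.8.5 (id-on-xmppAddr), DER encoded.
ID_ON_XMPPADDR = bytes.fromhex("2b06010505070805")


def _length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def xmpp_addr_general_name(domain: str) -> bytes:
    # otherName [0] SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
    inner = _tlv(0x06, ID_ON_XMPPADDR) + _tlv(0xA0, _tlv(0x0C, domain.encode("utf-8")))
    return _tlv(0xA0, inner)


def dns_general_name(domain: str) -> bytes:
    return _tlv(0x82, domain.encode("ascii"))  # dNSName [2] IA5String


def build_san(domains: List[str], dns_too: bool = True) -> bytes:
    """GeneralNames SEQUENCE with one xmppAddr (and optionally one dNSName) per domain."""
    names = b"".join(xmpp_addr_general_name(d) + (dns_general_name(d) if dns_too else b"")
                     for d in domains)
    return _tlv(0x30, names)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der: bytes) -> Tuple[List[str], List[str]]:
    """Return (xmppAddr domains, dNSName domains) found in a SAN value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    xmpp, dns, pos = [], [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            dns.append(val.decode("ascii"))
        elif tag == 0xA0:  # otherName: check the type-id before trusting the value
            oid_tag, oid, p = _read_tlv(val, 0)
            if oid_tag == 0x06 and oid == ID_ON_XMPPADDR:
                _, explicit, _ = _read_tlv(val, p)          # [0] EXPLICIT wrapper
                str_tag, s, _ = _read_tlv(explicit, 0)
                if str_tag == 0x0C:
                    xmpp.append(s.decode("utf-8"))
    return xmpp, dns


def domain_matches(san_der: bytes, expected: str) -> bool:
    """Identity check a peer would apply: xmppAddr entries win, dNSName is the fallback."""
    xmpp, dns = parse_san(san_der)
    return expected in xmpp if xmpp else expected in dns
```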

The Jabber Software Foundation (JSF) has also been working to make the certificate process easier by becoming an Intermediate Certification Authority for the XMPP network. It will soon be easier (and cheaper) to obtain a signed certificate that provides much better security than a self-signed certificate. I'm happy to announce that Wildfire 3.2 will fully support certificates created by the JSF ICA.

I was hoping to show some screenshots of the new certificate handling pages in Wildfire, but they haven't gotten the Vanderzanden touch yet to make them pretty. However, the 3.2 release gets closer every week, so look for the feature soon.
