Sam McLeod

HOWTO: Import a signed SSL certificate into Openfire

Discussion created by Sam McLeod on Dec 4, 2014
Latest reply on Jan 24, 2015 by Daniel Castellanos

Java + SSL + Keystore = Royal PITA

 

I just spent all morning reading and trying things from every SSL guide and support ticket on these forums and got nowhere.

 

I've finally figured out and documented the steps that actually work to get a signed SSL certificate installed on Openfire.

 

Note: Java's keytool DOES NOT WORK for importing Openfire's keystore!

 

0) Set Openfire's keystore to JKS mode:

 

xmpp.socket.ssl.keystore = /usr/share/openfire/resources/security/keystore

xmpp.socket.ssl.storeType = JKS

 


1) Convert yourdomain.net.au cert to pkcs12 with private key:

 

openssl pkcs12 -export -in yourdomain.net.au.crt -inkey yourdomain.net.au.key -out yourdomain.net.au.key.pkcs12 -name yourdomain.net.au

 

2) Copy pkcs12 to workstation and install keystore-explorer

http://keystore-explorer.sourceforge.net

 

3) Create a new JKS KeyStore in keystore-explorer

 

4) Import pkcs12 to keystore-explorer

 

5) Append to cert chain all other upstream certs in zip file from your ssl provider

 


6) Save the keystore with changeit as keystore password

 

7) Copy keystore back to Openfire

 

scp keystore root@int-jabber-01:/usr/share/openfire/resources/security/keystore

 

8) Fix permissions

 

chmod 644 /usr/share/openfire/resources/security/keystore

chown openfire:openfire /usr/share/openfire/resources/security/keystore

 

9) Restart Openfire

 

service openfire restart
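
Added example, not part of the original post: shell checks for the files handled in steps 1, 5 and 8, confirming that the certificate and private key belong together, that a leaf-first PEM bundle of the upstream certs is in issuer order, and which users besides the owner can read the keystore. The function names and the three-argument usage are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Step 1: succeed only if the certificate was issued for this private key
# (key assumed unencrypted). Compares the public key embedded in each file.
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Step 5: in a leaf-first PEM bundle, each certificate's issuer must be the
# subject of the certificate after it. Exit 0 = ordered, nonzero = not.
chain_in_order() (
    tmp=$(mktemp -d) || exit 2
    # Split the bundle into $tmp/1.pem, $tmp/2.pem, ... and count the pieces.
    n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }
        END { print n + 0 }' "$1" 2>/dev/null) || n=0
    rc=0; i=1
    [ "$n" -ge 1 ] || rc=2
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash 2>/dev/null) || rc=1
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject_hash 2>/dev/null) || rc=1
        { [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; } || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    exit "$rc"
)

# Step 8: succeed if group or other users can read the file. The keystore
# holds the private key, so this shows who besides the owner can copy it.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Usage: sh check.sh yourdomain.net.au.crt yourdomain.net.au.key chain.pem
if [ "$#" -eq 3 ]; then
    if cert_matches_key "$1" "$2"; then echo "cert/key: match"
    else echo "cert/key: MISMATCH"; fi
    if chain_in_order "$3"; then echo "chain: in order"
    else echo "chain: out of order or empty"; fi
fi
```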
