Sam McLeod

HOWTO: Import a signed SSL certificate into Openfire

Discussion created by Sam McLeod on Dec 4, 2014
Latest reply on Jan 24, 2015 by Daniel Castellanos

Java + SSL + Keystore = Royal PITA


I just spent all morning reading and trying things from every SSL guide and support ticket on these forums and got nowhere.


I've finally figured out and documented the steps that actually work to get a signed SSL certificate installed on Openfire.


Note: Java's keytool DOES NOT WORK for importing Openfire's keystore!


0) Set Openfire's keystore to JKS mode:


xmpp.socket.ssl.keystore = /usr/share/openfire/resources/security/keystore

xmpp.socket.ssl.storeType = JKS




1) Convert cert to pkcs12 with private key:


openssl pkcs12 -export -in <certificate file> -inkey <private key file> -out <output .p12 file> -name <alias>


2) Copy pkcs12 to workstation and install keystore-explorer


3) Create a new JKS KeyStore in keystore-explorer


4) Import pkcs12 to keystore-explorer


5) Append to cert chain all other upstream certs in zip file from your ssl provider




6) Save the keystore with changeit as keystore password


7) Copy keystore back to Openfire


scp keystore root@int-jabber-01:/usr/share/openfire/resources/security/keystore


8) Fix permissions


chmod 644 /usr/share/openfire/resources/security/keystore

chown openfire:openfire /usr/share/openfire/resources/security/keystore


9) Restart Openfire


service openfire restart
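
A pre-flight check that could be run on the server between steps 7 and 9, added here as an example and not part of the original post: it confirms the copied file really is a JKS keystore (matching xmpp.socket.ssl.storeType) rather than the intermediate pkcs12 file, and flags a keystore that is readable by every local user. The function names are hypothetical, and the check assumes the Openfire service account owns the file, as set in step 8.

```shell
#!/bin/sh
# Added example (not from the original post): keystore pre-flight check.

# keystore_format FILE -> prints jks, jceks, pkcs12-or-der, or unknown
keystore_format() {
    # Read the first four bytes as lowercase hex with no separators.
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;            # JKS magic number 0xFEEDFEED
        cececece) echo jceks ;;          # JCEKS magic number 0xCECECECE
        30*)      echo pkcs12-or-der ;;  # ASN.1 SEQUENCE, e.g. the .p12 from step 1
        *)        echo unknown ;;
    esac
}

# keystore_preflight FILE -> returns 0 when both checks pass
keystore_preflight() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 2; }

    fmt=$(keystore_format "$f")
    if [ "$fmt" != jks ]; then
        echo "FAIL: $f is $fmt, but xmpp.socket.ssl.storeType is JKS"
        rc=1
    fi

    # find prints the path only when the "other read" bit (004) is set.
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "FAIL: $f is world-readable and it holds the private key"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $f is a JKS keystore without world read access"
    return "$rc"
}

# Usage on the server from the post:
#   keystore_preflight /usr/share/openfire/resources/security/keystore
```

With the mode 644 from step 8 the second check reports a failure, because any local account can then read a keystore whose only protection is the password chosen in step 6.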