Java + SSL + Keystore = Royal PITA
I just spent all morning reading and trying things from every SSL guide and support ticket on these forums and got nowhere.
I've finally figured out and documented the steps that actually work to get a signed SSL certificate installed on Openfire.
Note: Java's keytool DOES NOT WORK for importing Openfire's keystore!
0) Set Openfire's keystore to JKS mode:
xmpp.socket.ssl.storeType = JKS
1) Convert yourdomain.net.au cert to pkcs12 with private key:
openssl pkcs12 -export -in yourdomain.net.au.crt -inkey yourdomain.net.au.key -out yourdomain.net.au.key.pkcs12 -name yourdomain.net.au
2) Copy pkcs12 to workstation and install keystore-explorer
3) Create a new JKS KeyStore in keystore-explorer
4) Import pkcs12 to keystore-explorer
5) Append to cert chain all other upstream certs in zip file from your ssl provider
6) Save the keystore with changeit as keystore password
7) Copy keystore back to Openfire
scp keystore root@int-jabber-01:/usr/share/openfire/resources/security/keystore
8) Fix permissions
chmod 644 /usr/share/openfire/resources/security/keystore
chown openfire:openfire /usr/share/openfire/resources/security/keystore
9) Restart Openfire
service openfire restart