Cannot renew certificate


I am trying to renew the certificate in Openfire. Using the GUI fails, so I have resorted to the command line. I got the steps below from:


RSA Private Key : key.pem
Certificate for XMPP server domain : cert.pem
Root CA Certificate : rootca-cert.pem
Intermediate CA Certificate : interca-cert.pem

Here are the files I am using:
key.pem = c.pem = unencrypted private key
cert.pem = c.crt = self-signed certificate
rootca-cert.pem = certnewsigned.p7b = signed certificate chain from server
interca-cert.pem = certnewsigned.cer = signed certificate from server

I have already done the following:
Dumped the files “key.pem”, “cert.pem”, “rootca-cert.pem” and “interca-cert.pem” into /opt/openfire/resources/security/openfire-ssl/
Copied the file KeyStoreImport.java from http://www.nealgroothuis.name/import-a-private-key-into-a-java-keystore/ to /opt/openfire/resources/security/openfire-ssl/

  1. Stop Openfire - /opt/openfire/jabber stop

  2. Next backup keystore and truststore:
    $ cp -a /opt/openfire/resources/security/keystore keystore.bkup
    $ cp -a /opt/openfire/resources/security/truststore truststore.bkup

  3. Import the Root CA certificate into openfire truststore
    $ keytool -importcert -alias "rootca" -keystore /opt/openfire/security/truststore -file rootca-cert.pem

  4. Remove the default certificates in keystore using keytool (note - this step failed)
    $ keytool -delete -keystore /opt/openfire/resources/security/keystore -alias rsa
    $ keytool -delete -keystore /opt/openfire/resources/security/keystore -alias dsa

  5. Convert key into DER format
    $ openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

  6. Convert server certificate and all intermediate certificates into DER format and combine them to create a chain certificate
    $ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
    $ openssl x509 -in interca-cert.pem -inform PEM -out interca-cert.der -outform DER
    $ cat cert.der interca-cert.der > chain-cert.der

  7. Compile KeyStoreImport.java
    $ javac /opt/openfire/resources/security/openfire-ssl/KeyStoreImport.java

  8. Add the domain chain certificate and the private key to keystore
    $ java KeyStoreImport /opt/openfire/resources/security/openfire-ssl/keystore chain-cert.der key.der "isecpartners.com_rsa"


When I run step 8, I get the error below:

java.lang.ArrayIndexOutOfBoundsException: 3
at KeyStoreImport.main(KeyStoreImport.java:15)

I have been working on this issue for two weeks now and have not had any luck working around it. Has anyone updated their Openfire certificate before with success? If so, how should it be done?

Thanks in advance!
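
A sanity check for the file produced in step 6, as an added example that is not part of the original post and is not Openfire or KeyStoreImport code: it walks a file made by concatenating DER structures and returns each top-level element, so you can confirm chain-cert.der holds the expected number of certificates in the expected order before importing it. The function names are hypothetical and the sample bytes are constructed placeholder SEQUENCEs, not real certificates.

```python
"""Split a file made by concatenating DER certificates (step 6's chain-cert.der)."""
from __future__ import annotations
import sys


def read_der_header(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (header_len, content_len) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated header at offset {pos}")
    if buf[pos] != 0x30:  # every X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError(f"offset {pos}: tag 0x{buf[pos]:02x} is not a SEQUENCE (PEM text?)")
    first = buf[pos + 1]
    if first < 0x80:  # short form: the length is this byte
        return 2, first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError(f"offset {pos}: unsupported length encoding")
    if pos + 2 + n > len(buf):
        raise ValueError(f"truncated length at offset {pos}")
    return 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def split_der_chain(blob: bytes) -> list[bytes]:
    """Return each top-level DER element of blob, in file order."""
    parts, pos = [], 0
    while pos < len(blob):
        header_len, content_len = read_der_header(blob, pos)
        end = pos + header_len + content_len
        if end > len(blob):
            raise ValueError(f"element at offset {pos} runs past end of file")
        parts.append(blob[pos:end])
        pos = end
    return parts


def fake_der(content_len: int) -> bytes:
    """Constructed placeholder: a SEQUENCE of zero bytes, not a real certificate."""
    if content_len < 0x80:
        length = bytes([content_len])
    else:
        raw = content_len.to_bytes((content_len.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return b"\x30" + length + bytes(content_len)


if __name__ == "__main__":
    # With a path argument: inspect that file. Without: use constructed sample data.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else fake_der(900) + fake_der(40)
    for i, part in enumerate(split_der_chain(blob)):
        print(f"element {i}: {len(part)} bytes")
```

Run it with the path to chain-cert.der as the only argument; a ValueError at offset 0 means the input is not DER at all, for example a PEM file that was never converted.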