Certificate for Openfire and spark

I am trying to get a Certificate from our corporate CA to work for SSL connections with spark. The certificate is installed on the Openfire server version 4.1.6 with no problem. The certificate is working for the connection to the https admin site. I have read that the certificate with DSA is not required.

The spark clients are 2.8.3 and they keep getting the unable to verify certificate login error. I understand that you can accept all certificates on the advanced menu of spark but I would prefer to have spark work without this change since we are going to push this company wide. Where is the break happening for the Spark client to accept the certificate?

Spark is Java application and it uses Java’s truststore for certificates. Your local cert and CA are not known to Java, so not known to Spark. You will have to import this cert into every Spark client Java truststore. Or just into one and then distribute it somehow to clients.

Can’t give any detailed instructions as i have never done this and i only think it is possible (in theory). I have done this for some other Java based app though. It involved using keytool to import my CA generated cert to Java keystore. I think you can find guides on the Internet.

And you will also have to use the not released yet 2.9.0 version as prior to that Spark didn’t have any certificates management code, that’s why accept all certificates option had to be added, so it would be possible to login at all. Since 2.9.0 truststore is created in C:\Users\user\AppData\Roaming\Spark\security

Also, current 2.9.0 build has an option to accept a single certificate on a first login, so maybe you won’t have to import anything. But i can’t say when 2.9.0 could be released, still has many rough edges.

I did get it to work and here is the process

  • Installed spark 2.9.0
  • Connected to the openfire server
  • The server certificate chain was shown and I accepted the Root Cert.
  • Tracked down which file spark uses to store the certificates
    C:\Program Files (x86)\Spark\jre\lib\security\cacerts
  • When deploying spark 2.9.0 to other computers, I overwrote the cacert file with the one
    created from the above install

Spark now does not give the cert error but since it is still in development the process may change going forward. Thanks for the help in figuring this out.

1 Like

Did you run it with an admin? I thought it should save into cacerts file in the user’s profile (AppData), not in Program files. But of course either way works.

I don’t think this process will change before 2.9.0 release, so this solution should work. Here’s the list of issues blocking 2.9.0 for now Issues blocking 2.9.0 release

Although, Smack developer now works on updating Spark to the latest Smack library version and it might have something changed about the certificates, which might require changes to Spark. A minor possibility.