This document explains the available options for using certificates in Openfire. Certificates need to be signed by a trusted entity, known as a Certificate Authority (CA), to be accepted by clients. However, it is also possible to use self-signed certificates although they are only recommended for test environments. The following list enumerates the different options you have for signing and using certificates in Openfire:
Create your own self-signed certificate and use it (only recommended for testing)
Create a new self-signed certificate, send a certificate signing request (CSR) to a Certificate Authority (CA) and once the CA has signed the certificate import the new signed certificate
Ask the CA to create the certificate for you and import the private key and signed certificate sent by the CA
Openfire supports all of the above options but before showing you how to use them lets review some basic concepts.
Keys are the basis of public key algorithms and PKI. Keys usually come in pairs, with one being the public key and the other being the private key.
Public keys come in several flavors, using different cryptographic algorithms. The most popular ones associated with certificates are RSA and DSA. A RSA key can be used both for encryption and for signing. A DSA key can only be used for signing. This is important to keep in mind to know what kind of purposes a certificate request with a DSA key can really be used for. By default, keytool creates DSA keys. It is recommended to create an RSA and a DSA key for each install since it has been reported that both type of keys are used by clients.
Certificates are related to public key cryptography by containing a public key. To be useful, there must be a corresponding private key somewhere. To create a certificate, you need to start with a certificate
request (or, as some certificate authorities like to put it, “certificate signing request”, since that’s exactly what they do, they sign it and give you the result back, thus making it authentic according to their policies). A certificate request can then be sent to a certificate authority to get it signed into a certificate, or if you need a self-signed certificate (because you just want a test certificate).
Import into Openfire
As we already mentioned, Openfire 3.2.1 has support for creating self-signed certificates, sending signature requests to CAs, importing signed certificates and importing private keys. Fortunately, there is no need to use command line tools or run conversion scripts to import certificates into Openfire. Just log into the admin console and choose the option that best fits you.
Create Self-signed Certificate
After completing the setup process Openfire will create an RSA and a DSA self-signed certificates for the domain specified during the setup. If one or both certificates are deleted then Openfire will offer the option to create new self-signed certificates.
Create Self-signed certificate, Send a Certificate Signing Request (CSR) and Import Final Certificate
After completing the information about the certificate issuer (e.g. Company and Location) Openfire will generate the signing request to be sent to the CA. Once the CA has signed the certificate, Openfire will allow you to paste the reply and import it into Openfire.
Import Private Key and Signed Certificate Created by CA
Some CAs will do the certificate creation and signing work for you. In this case all you need to do is import the private key and signed certificate into Openfire. Openfire will accept encrypted private keys (AES algorithms are currently not supported) and also not encrypted keys. If you need to decrypt a private key you can use OpenSSL. Just execute openssl rsa -in ssl.key -out decryptedssl.key where ssl.key is the encrypted file and decryptedssl.key is the new file to generate with the decrypted key.
If you want to use with OpenSSL to generate your own private key and self-signed certificate and import them into Openfire then follow this short guide.
Note: The import-certificate.jsp page is not accessible from the menu in Openfire 3.2.1 so you will need to enter the url manually.
Coolcat had some problems with an old keytool program and did post another step-by-step description here