Comodo 2048 Bit SSL Certificate in OpenFire

I spent about 3 solid work days attempting to import 2048 bit RSA certificates signed by Comodo/InstantSSL. So to save you guys some frustration I decided to write a document that covers what worked for me.

These directions assume you have:

  • Ubuntu Server 11.04 + GNOME (what I was using but I’m sure other versions may work as well)

  • Java JRE 1.6 (although 1.7 works as well)

  • OpenFire 3.7.1

**Step 0 - Purchase the Certificate

The certificate verification process may take a while so I’d recommend purchasing your certificate first.

From purchase the InstantSSL. Make sure to choose “OTHER” for the dropdown menu for Web Server and choose the 2048-bit RSA product.

Step 1 – Install and configure JRE 6


For Ubuntun 11.10+ (skip to “directions continued” if you are using 11.04):

I managed to install Sun Java in 11.10 by using partner repository from 11.04:

sudo add-apt-repository "deb natty partner"
sudo apt-get update

Directions continued:

To install Java 6 JRE, simply do:

sudo apt-get install sun-java6-jre

“Enter Password”

The JRE will be installed automagically

Next, we want to make sure JRE 6 is the default for java on our server.

sudo update-alternatives --config java

You may also have OpenJDK installed instead of the Oracle JRE. Be sure to select the option corresponding to /usr/lib/jvm/java-6-sun/jre/bin/java (option 2 on my server).

Optionally, you can install Java 1.7 on Ubuntu using this guide. I have just set up another OpenFire server using 1.7 and “so far” no problems. Here is a link to the original Java 7 for linux (not update 1).

Step 2 – Install OpenFire

Install OpenFire using the Debian package. Other install methods will likely result in the directories being different from this guide. So keep that in mind if you used the manual tar method.

Step 3 – Delete Existing Certificates

Log in to your Openfire server at http://yourdomain:9090 via a web browser

Under “Server Settings” select “Server Certificates”

Delete the auto-generated RSA certificate. Leave the DSA certificate alone since some clients may require it. OpenFire will warn you about missing the certificate but you can safely ignore that.

Step 4 – Install JCE Unlimited Strength Jurisdiction Policy Files 6

You cannot use higher forms of encryption with the standard JRE (why Oracle, why?).


Download the files from

Copy the files US_export_policy.jar and local_policy.jar to /usr/lib/jvm/java-6-sun/jre/lib/security overwriting what already exist. Be sure to retain the permissions the old files had (right-click on file, choose properties, then permissions tab, and make sure the user and group are set to openfire).

Java 7 also requires this pack as a separate download specific to version 7. The directions are the same except for the directories.

Openfire will continue to use the old JRE until its environment variables are updated. I was too lazy to do this, so I rebooted my server. This worked for me!

**Step 5 – Set Permissions and Ownership

The private key will be generated inside the Java keystore file located in the directory /usr/share/openfire/resources/security/ . Although, the security folder is just a pointer to /etc/openfire/security/ .

The Debian installer automagically creates a user and a group named “openfire”. All the permissions for directories and files created by the installer will have their ownership set to openfire. Make sure to go to Users and Groups and set the user you are logged in as is part of the openfire group. You may have to log out and then back in for these settings to take effect (although I’m sure there’s some Linux command I don’t know that’s faster).

Step 6 – Generate Private Key

OpenFire auto-generates a private key within the web admin but I doubt it’s 2048 bit, so you are forced to use java keytool. I discovered an odd thing with OpenFire at this point. The default password for the OpenFire keystore and truststore is “changeit”. I attempted to change the password using this method but it did not seem to matter when it came to generating the private key. I found that if I set the private key’s password to anything but “private key” that OpenFire would claim that the keystore’s certificates had been corrupted. I tried many combinations of settings so I feel pretty safe in saying this. So for the purpose of this guide I will assume OpenFire 3.7.1 has a bug and that you will need to use the password “changeit”.

a. Open a Terminal window

b. cd /etc/openfire/security

c. sudo keytool -genkey -keyalg RSA -keysize 2048 -keystore keystore -alias

d. enter root password

The following questions will be asked if not known:
Enter keystore password: changeit
What is your first and last name? - This is the Common Name (Domain Name), not a person’s name (e.g.
What is the name of your organizational unit? companyname
What is the name of your organization? companyname
What is the name of your City or Locality? yourmama
What is the name of your State or Province? FAT
What is the two-letter country code for this unit? US (assuming america)

    You will then be asked if the information is correct:
    *Is, OU=Your Organizational Unit, O=Your Organization,         L=Your City, ST=Your State, C=Your Country correct?*

When you answer ‘y’ or ‘yes’ the password is then requested:
Enter key password for : changeit

Step 6 – Submit the CSR

Reset your OpenFire server with this command in the terminal:

sudo /etc/init.d/openfire restart

Log in to your Openfire server at http://yourdomain:9090 via a web browser

Under “Server Settings” select “Server Certificates”

You should see your self-signed certificate in the list now. If not…god help you.

At the bottom of the page OpenFire “should” generate the code for a Certificate Signign Request (CSR). Use a web browser and go to:

Log in at the top right.

Click on SSL Certificates.

You should see your SSL Cert listed and a button for Add CSR. Copy and paste the CSR code from the OpenFire web admin into the Comodo popup.

Call Comodo at (888) 266-6361. Choose Option 4 for the Verification Team and then option 1. Talk to (hopefully) knowledgeable operator and get your certificate verified.

Refresh the web browser for Comodo in the SSL Certificates management page. Click “Download as .zip”

**Step 7 – Install the Certificate Authority Reply

The .zip file will be named

Use the GUI-based Archive Manager to extract these 3 files to /etc/openfire/security/


AddTrustExternalCARoot.crt (the root in the certificate chain)

COMODOHigh-AssuranceSecureServerCA.crt (the intermediate in the certificate chain)

Using a text editor create a file named combine.crt in /etc/openfire/security/ . You need to combine the code from all 3 .crt files in order to create a complete chain that OpenFire can successfully read. Importing the .crt files one at a time using keytool will not work, since it will not be interpreted as a complete Certificate Authority Reply.

First, copy and paste ALL the code from AddTrustExternalCARoot.crt into combine.crt. Put one carriage return (Enter key on keyboard) between each section of code. Then paste in COMODOHigh-AssuranceSecureServerCA.crt . Then finally yourdomain.crt . Save combine.crt.

I assume at this point the terminal window is still open at /etc/openfire/security/

In the terminal type

sudo keytool -import -keystore keystore -alias -file combine.crt

Enter “changeit” for the keystore password

Enter [y] for yes.

Keytool “should” give you a message that you imported a certificate authority reply.

sudo /etc/init.d/openfire restart

Browse to your Openfire server at http://yourserver:9090

Under “Server Settings” select “Server Certificates”

If everythign went right then under the Status column you will see “CA Signed”. Angels will descend from heaven, inspiring you with a beautific chorus. If you do not see angels, do not worry. Your OpenFire Server is now set up properly with a signed SSL certificate.

Step – Optional Setup Options

As I noted I tried changing System Properties with no luck. But just in case it helps you…

Browse to your Openfire server at http://yourserver:9090

Under “Server Manager”, select “System Properties”

Add/edit the following properties with the following values:

Property Name – Property Value – true
xmpp.socket.ssl.port – 5223
xmpp.socket.ssl.storeType – JKS
xmpp.socket.ssl.keystore – resources/security/keystore
xmpp.socket.ssl.keypass – changeit
xmpp.socket.ssl.truststore – resources/security/truststore
xmpp.socket.ssl.trustpass – changeit

I personally did not need to set any of these variables. As noted before I tried changing the keypass variable and that made no difference.


Guides I found useful (and which this document is based upon): e.html =244

Getting following screen while installing entrust(CA) signed certificates.

Please note that I am given 4 certificates

1 L1KRoot.txt

2 L1Kchain.txt

3 L1Kchainroot.txt

4 entrustcert.crt

Not sure which one to use in which text area and getting mentioned error. As per CA’s reply root certificate has to be excluded but rest, they don’t know anything about Openfire. Please guide me how to set it up.

Note: Forgot to mention that I’ve been working on SSL Installation since last month and didn’t get any success…