- Go to Server Manager\System Properties\xmpp.domain and enter the full server name. In this example I’ll be using chat.domainy.com
- Go to Server Manager\Server Certificates: delete both listed certificates and restart the HTTP server (which deletes them from both the Openfire config and the Java keystore).
- On the Openfire server, change the password of the keystore:
/opt/openfire/jre/bin/keytool -storepass changeit -storepasswd -keystore /opt/openfire/resources/security/keystore
#enter a new password
Notes about /opt/openfire/resources/security/keystore:
This keystore contains the private/public key pairs used for the admin console, XMPP and SIP TLS.
Each domain name/common name is stored as an alias within the keystore.
- Import the CA public certificate into the keystore:
#copy the CA public certificate to your openfire server
#import it
/opt/openfire/jre/bin/keytool -trustcacerts -import -keystore /opt/openfire/resources/security/keystore -file CA.cer -alias ca.domainy.com
- Generate an RSA key pair that will be used to secure TLS channel to clients:
/opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias chat.domainy.com #note what you are entering must match the CA:
# First and last name: chat.domainy.com [Enter the name that you entered previously as the domain. Seems weird, but it is required.]
# OU: . [as in a dot, this is okay, or you can add something else]
# Organization: [name of your organization used in the CA]
# City: [name of the city used in the CA]
# State/Province: [name of the state/province used in the CA]
# Country Code: [two letter country code used in your CA]
# accept with yes
# enter a passphrase to protect the private key
## or, non-interactively (all fields must still match the CA):
# /opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias chat.domainy.com -dname "CN=chat.domainy.com,O=Domainy\, Inc.,L=New York,ST=New York,C=US"
- Create the certificate signing request (CSR) for the RSA key pair to be signed by your CA:
/opt/openfire/jre/bin/keytool -certreq -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com -file chat_domainy_com.csr
#enter the password for the keystore you reset earlier.
#enter the passphrase for the private key you just generated.
- Get the certificate signed, or sign it with your own CA.
Here is a method for signing with an OpenSSL-driven CA:
#copy chat_domainy_com.csr to /root/ on your CA
scp chat_domainy_com.csr root@certauthserver:/root/
#logon to your CA
#this command invocation creates a cert that will expire in 10 years:
openssl ca -policy policy_anything -days 3650 -extfile /root/ca/opensslx509.conf -out /root/ca/certs/chat_domainy_com.cer -in /root/chat_domainy_com.csr
chmod 600 /root/ca/certs/chat_domainy_com.cer
#copy /root/ca/certs/chat_domainy_com.cer to the openfire server
scp /root/ca/certs/chat_domainy_com.cer root@chat:/root/
- You must edit the certificate before you import it into the keystore, removing everything before “-----BEGIN CERTIFICATE-----”.
- Copy the public certificate to the Openfire server and import it into the keystore:
/opt/openfire/jre/bin/keytool -import -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com -file /root/chat_domainy_com.cer
- Restart Openfire and access the web UI.
See this thread for questions about the CA cert being listed as Pending Approval while the signed cert shows as CA Signed: “CA Certificate imported into keystore awaits Certificate Authority reply in Openfire web UI” (Openfire Support, Ignite Realtime Community Forums).
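As an added example (not from the original guide), a shell helper that performs the manual edit from the signing step mechanically and bundles the checks worth running before `keytool -import`; `pem_extract` and `cert_checks` are names chosen here, and the sample certificate file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. "openssl ca" writes a
# human-readable dump of the certificate above the PEM block, and keytool
# -import rejects the file until that dump is removed (the manual edit in the
# guide). pem_extract does the edit mechanically; cert_checks is the check
# worth running before the import (it needs openssl and is not run here).
set -eu

# Keep only the first BEGIN..END CERTIFICATE block, dropping everything
# before BEGIN and after END.
pem_extract() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----$/ { exit }' "$1"
}

# The signed cert must chain to the CA cert imported into the keystore and
# its CN must equal xmpp.domain (the alias the import is done under). Both
# are easier to verify here than after the import. Non-zero on mismatch.
cert_checks() {
    cert="$1"; ca_cer="$2"; expected_cn="$3"
    openssl verify -CAfile "$ca_cer" "$cert" >/dev/null &&
        openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$expected_cn"
}

# Constructed stand-in for /root/chat_domainy_com.cer as openssl ca emits it:
# text dump first, then the PEM block (body lines are placeholders, not a cert).
SAMPLE_CER=$(mktemp)
trap 'rm -f "$SAMPLE_CER" "$SAMPLE_CER.clean"' EXIT
cat >"$SAMPLE_CER" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ca.domainy.com
        Subject: CN = chat.domainy.com
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderLine1
MIIBconstructedPlaceholderLine2
-----END CERTIFICATE-----
EOF

# The cleaned copy is the file to hand to keytool -import.
pem_extract "$SAMPLE_CER" >"$SAMPLE_CER.clean"
```

On a real server, run `cert_checks /root/chat_domainy_com.cer.clean CA.cer chat.domainy.com` before the import; a failing exit status means the chain or the CN does not match what the guide expects.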