Configure SSL/TLS certificate trust for XMPP with a trusted CA (for client-to-server channel security) the non-UI (stable) way

  1. Go to Server Manager\System Properties\xmpp.domain and enter the fully qualified XMPP domain (the name clients connect to and will verify the certificate against). In this example I’ll be using chat.domainy.com

  2. Go to Server Manager\Server Certificates: delete both listed certificates and restart the HTTP server (the admin console), which removes them from both the Openfire config and the Java keystore.

  3. On the Openfire server, change the keystore password from the Java default (changeit):

/opt/openfire/jre/bin/keytool -storepass changeit -storepasswd -keystore /opt/openfire/resources/security/keystore
#enter a new password

Notes about /opt/openfire/resources/security/keystore:

This keystore contains the private/public key pairs used for the admin console, XMPP and SIP TLS.

Each domain name/common name is stored as an alias within the keystore.

  4. Import the CA public certificate into the keystore as a trusted entry:
#copy the CA public certificate to your openfire server
#import it; keytool prints the certificate's fingerprint and asks "Trust this certificate?": compare the fingerprint against the one on your CA before answering yes
/opt/openfire/jre/bin/keytool -trustcacerts -import -keystore /opt/openfire/resources/security/keystore -file CA.cer -alias ca.domainy.com
  5. Generate an RSA key pair that will be used to secure the TLS channel to clients:
/opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias chat.domainy.com
#keytool prompts for the subject DN. The CN must be the XMPP domain you set in xmpp.domain: XMPP clients check the certificate against the domain part of their JID (RFC 6120), not against the host's DNS name. The other fields only have to match the CA's own DN if your CA signs with policy_match; with policy_anything (used below) only the CN is mandatory.
# First and last name: chat.domainy.com [the XMPP domain you entered previously. Seems weird, but it is required.]
# OU: . [as in a dot, this is okay, or you can add something else]
# Organization: [name of your organization]
# City: [name of the city]
# State/Province: [name of the state/province]
# Country Code: [two-letter country code]
# accept with yes
# key passphrase: Openfire opens the private key with the keystore password, so press Enter here to reuse it rather than choosing a different one
## or simply, non-interactively:
# /opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias chat.domainy.com -dname "CN=chat.domainy.com,O=Domainy\, Inc.,L=New York,ST=New York,C=US"
  6. Create the certificate signing request (CSR) for the RSA key pair to be signed by your CA:
/opt/openfire/jre/bin/keytool -certreq -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com -file chat_domainy_com.csr
#enter the password for the `keystore` you had reset earlier.
#enter the passphrase for the private key you just generated (only asked if it differs from the keystore password).
  7. Get the certificate signed, or sign it with your own CA.

Here is a method for signing with an openssl driven CA:

#copy chat_domainy_com.csr to /root/ on your CA
scp chat_domainy_com.csr root@certauthserver:/root/
#logon to your CA
#this command invocation creates a cert that will expire in 10 years (shorten -days if your CA policy prefers it; the cert has to be reissued before it expires either way):
openssl ca -policy policy_anything -days 3650 -extfile /root/ca/opensslx509.conf -out /root/ca/certs/chat_domainy_com.cer -in /root/chat_domainy_com.csr
#check that the extension file your CA applies (/root/ca/opensslx509.conf here) adds subjectAltName = DNS:chat.domainy.com: RFC 6120 clients look for the domain in the subjectAltName first and treat the CN only as a fallback, so a CN-only certificate is rejected by stricter clients
chmod 600 /root/ca/certs/chat_domainy_com.cer
#copy /root/ca/certs/chat_domainy_com.cer to the openfire server
scp /root/ca/certs/chat_domainy_com.cer root@chat:/root/
  8. You must edit the certificate before you import it into the keystore, removing everything before “-----BEGIN CERTIFICATE-----” (openssl ca writes a human-readable dump of the certificate in front of the PEM block). Alternatively pass -notext to openssl ca, or re-encode the file with `openssl x509 -in chat_domainy_com.cer -out chat_domainy_com.pem`, which writes only the PEM block, and import the .pem file instead.

  9. Copy the public certificate to the openfire server and import it into the keystore under the same alias as the key pair, so keytool treats it as the reply to your CSR (and verifies it chains to the CA certificate imported in step 4) rather than as a separate trusted entry:

/opt/openfire/jre/bin/keytool -import -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com -file /root/chat_domainy_com.cer
#verify: the alias should now be a PrivateKeyEntry with a chain of length 2 (server cert plus CA)
/opt/openfire/jre/bin/keytool -list -v -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com
  10. Restart openfire and access the webUI; the Server Certificates page should now list the certificate as CA Signed.

See this thread for questions about the CA cert being listed as Pending Approval while the signed cert is listed as CA Signed: CA Certificate imported into `keystore` awaits Certificate Authority reply in Openfire web UI - Openfire Support - Ignite Realtime Community Forums
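The CA side of steps 7 and 8, as an added example that is not part of the original post or of Openfire: a throwaway openssl-driven CA that signs the XMPP server CSR with an extension file carrying the subjectAltName clients check, strips the text dump that `openssl ca` puts in front of the PEM block without a text editor, and verifies the issued certificate before it is imported into the keystore. It goes beyond the post in refusing to sign a CSR whose CN is not the XMPP domain. Everything here is hypothetical: the CA directory ($CA_DIR, created with mktemp), the config and extension files ($CA_CNF, $EXT_CNF standing in for the post's /root/ca/opensslx509.conf), and the CSR, which is generated with `openssl req` as a stand-in for the `keytool -certreq` run on the Openfire host so the script runs anywhere openssl is installed.

```shell
#!/bin/sh
# Added example, not from the original post: openssl CA for XMPP server certs.
# Hypothetical paths/names throughout; CA_DIR defaults to a fresh temp directory.
set -eu

XMPP_DOMAIN="${XMPP_DOMAIN:-chat.domainy.com}"
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_CNF="$CA_DIR/openssl.cnf"
EXT_CNF="$CA_DIR/xmpp_ext.cnf"   # stand-in for /root/ca/opensslx509.conf

make_ca() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private"
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  cat > "$CA_CNF" <<EOF
[ ca ]
default_ca = xmpp_ca
[ xmpp_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.cer
private_key = \$dir/private/ca.key
default_md = sha256
default_days = 825
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = ca_dn
x509_extensions = ca_ext
prompt = no
[ ca_dn ]
CN = ca.domainy.com
O = Domainy, Inc.
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Extensions applied to issued server certs: a leaf with the XMPP domain in the SAN.
  cat > "$EXT_CNF" <<EOF
[ xmpp_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$XMPP_DOMAIN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$CA_CNF" \
    -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.cer" 2>/dev/null
  chmod 600 "$CA_DIR/private/ca.key"
}

# Stand-in for `keytool -certreq` on the Openfire host: key + CSR with CN = XMPP domain.
make_server_csr() {            # $1 = output prefix
  openssl req -new -newkey rsa:2048 -nodes -config "$CA_CNF" \
    -subj "/CN=$XMPP_DOMAIN/O=Domainy, Inc./L=New York/ST=New York/C=US" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Refuse to sign a CSR whose CN is not the XMPP domain: clients would reject the result.
check_csr() {                  # $1 = CSR
  openssl req -in "$1" -noout -subject | grep -Eq "CN ?= ?$XMPP_DOMAIN(,|/|$)"
}

sign_csr() {                   # $1 = CSR, $2 = output cert (text dump + PEM, as openssl ca writes it)
  check_csr "$1" || { echo "CSR CN is not $XMPP_DOMAIN" >&2; return 1; }
  openssl ca -batch -config "$CA_CNF" -policy policy_anything -days 3650 \
    -extfile "$EXT_CNF" -extensions xmpp_server -in "$1" -out "$2" 2>/dev/null
}

# Step 8 without editing: re-encode so only the PEM block remains (or add -notext to openssl ca).
strip_text_header() {          # $1 = cert from openssl ca, $2 = clean PEM
  openssl x509 -in "$1" -out "$2"
}

# Pre-import checks: chains to the CA, is a leaf, carries the SAN, starts with the PEM header.
verify_issued() {              # $1 = PEM cert
  txt=$(openssl x509 -in "$1" -noout -text)
  openssl verify -CAfile "$CA_DIR/ca.cer" "$1" >/dev/null 2>&1 || return 1
  echo "$txt" | grep -q "DNS:$XMPP_DOMAIN" || return 1
  echo "$txt" | grep -q "CA:FALSE" || return 1
  [ "$(head -n1 "$1")" = "-----BEGIN CERTIFICATE-----" ]
}

make_ca
make_server_csr "$CA_DIR/server"
sign_csr "$CA_DIR/server.csr" "$CA_DIR/certs/chat_domainy_com.cer"
strip_text_header "$CA_DIR/certs/chat_domainy_com.cer" "$CA_DIR/certs/chat_domainy_com.pem"
verify_issued "$CA_DIR/certs/chat_domainy_com.pem" && echo "issued and verified: $CA_DIR/certs/chat_domainy_com.pem"
```

The resulting chat_domainy_com.pem is what step 9 imports with `keytool -import -alias chat.domainy.com`; the CA's ca.cer is what step 4 imports. Run the `verify_issued` checks against any certificate you receive from an external CA too, since a missing subjectAltName is the most common reason a CA-signed Openfire certificate is still rejected by clients.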
