I am trying to import my Let’s Encrypt certificate into the keystore at the command line, but I seem to be having a problem in that I can import them but the Openfire Identity Certificate Store keeps giving me the warning "A certificate for the domain of this server is missing. Click here to generate a self-signed certificate or here to import a signed certificate and its private key."
As my Let’s Encrypt certificate does not come with a pkcs12 file I create it first with:
openssl pkcs12 -export -name www.howitts.co.uk -out /root/keystore.p12 -inkey /etc/letsencrypt/live/www.howitts.co.uk/privkey.pem -in /etc/letsencrypt/live/www.howitts.co.uk/fullchain.pem -password "pass:changeit"
This is using the fullchain file, so certificate and intermediate certificate.
I then import it with:
keytool -importkeystore -alias www.howitts.co.uk -destkeystore /usr/share/openfire/resources/security/keystore -deststorepass changeit -destkeypass changeit -srcstoretype PKCS12 -srcstorepass changeit -srckeystore /root/keystore.p12
It imports with a warning:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/share/openfire/resources/security/keystore -destkeystore /usr/share/openfire/resources/security/keystore -deststoretype pkcs12".
Which is odd as I am importing it as a pkcs12, but anyway … I still get the warning when I go to manage the store contents.
I have tried separately importing the intermediate/chain certificate into the truststore with:
keytool -import -trustcacerts -alias www.howitts.co.uk -file /etc/letsencrypt/live/www.howitts.co.uk/chain.pem -keystore /usr/share/openfire/resources/security/truststore -storepass changeit
But it does not get rid of the warning. How do I import the certificates correctly?
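The script below is an added example, not part of the original post and not Openfire project code. It builds the PKCS12 bundle the same way the post does and then inspects the result with openssl before it goes anywhere near keytool: whether the bundle actually carries the private key (keytool only creates a PrivateKeyEntry when it does), how many certificates are in the chain, and whether the end-entity certificate's subjectAltName names the domain the server is configured with. The warning quoted in the post says Openfire is looking for "a certificate for the domain of this server", so that last check is the one to run against the XMPP domain shown in the Openfire admin console, which need not be the same as the www name on the certificate. Assumptions: the Let's Encrypt privkey.pem/fullchain.pem layout, the alias and "changeit" password from the post, and openssl 1.1.1 or later; the CA and leaf certificate generated by make_test_live_dir are constructed throwaway test data, not real Let's Encrypt material.

```shell
#!/bin/sh
# Added example (not from the original post, not Openfire code): build the
# PKCS12 bundle and verify its contents before importing it with keytool.
# Assumes the Let's Encrypt live-directory layout and the "changeit"
# password used in the post; the fixture at the bottom is constructed data.
set -eu

# Key + full chain into one PKCS12. $1 alias, $2 live dir, $3 out .p12, $4 password
build_p12() {
    openssl pkcs12 -export -name "$1" -inkey "$2/privkey.pem" \
        -in "$2/fullchain.pem" -out "$3" -password "pass:$4"
}

# Number of certificates in the bundle (leaf + intermediates; a normal
# Let's Encrypt fullchain.pem yields 2). $1 .p12, $2 password
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -password "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# 1 if a private key is inside (keytool then stores a PrivateKeyEntry,
# which a server certificate needs), else 0. $1 .p12, $2 password
p12_has_key() {
    if openssl pkcs12 -in "$1" -nocerts -nodes -password "pass:$2" 2>/dev/null \
        | grep -q 'PRIVATE KEY'; then echo 1; else echo 0; fi
}

# DNS names from the leaf's subjectAltName, one per line. -clcerts selects
# only the certificate paired with the key, not the CA certs. $1 .p12, $2 password
p12_dns_names() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -password "pass:$2" 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' || true
}

# 1 if the leaf covers domain $3 by exact or single-label wildcard match, else 0.
p12_covers_domain() {
    domain=$3; parent=${domain#*.}
    names=$(p12_dns_names "$1" "$2")
    if printf '%s\n' "$names" | grep -qxF "$domain"; then echo 1
    elif [ "$parent" != "$domain" ] && printf '%s\n' "$names" | grep -qxF "*.$parent"; then echo 1
    else echo 0; fi
}

# Build the bundle for a live dir and run every check; prints a one-line
# report and returns 0 only if key, chain and domain coverage all look right.
# $1 alias, $2 live dir, $3 domain Openfire is configured with, $4 out .p12, $5 password
check_live_dir() {
    build_p12 "$1" "$2" "$4" "$5"
    n=$(p12_cert_count "$4" "$5"); k=$(p12_has_key "$4" "$5"); c=$(p12_covers_domain "$4" "$5" "$3")
    echo "certificates in bundle: $n  private key present: $k  covers $3: $c"
    if [ "$n" -ge 2 ] && [ "$k" = 1 ] && [ "$c" = 1 ]; then return 0; else return 1; fi
}

# Constructed test fixture: a throwaway CA and a leaf certificate for $2 with
# SANs for $2, its parent domain and a wildcard, laid out like a Let's
# Encrypt live directory in $1. Not real Let's Encrypt data.
make_test_live_dir() {
    dir=$1; domain=$2; parent=${domain#*.}
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/chain.pem" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/privkey.pem" \
        -out "$dir/leaf.csr" -subj "/CN=$domain" 2>/dev/null
    printf 'subjectAltName=DNS:%s,DNS:%s,DNS:*.%s\n' "$domain" "$parent" "$parent" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/cert.pem" -days 1 -extfile "$dir/san.cnf" 2>/dev/null
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# Against the real files from the post (run as root), with the XMPP domain
# Openfire is configured with as the third argument:
#   check_live_dir www.howitts.co.uk /etc/letsencrypt/live/www.howitts.co.uk \
#       <xmpp-domain> /root/keystore.p12 changeit
```

If the report shows the key present and two certificates but "covers" as 0 for the domain Openfire uses, the bundle is fine and the mismatch is between the certificate's names and the server's domain; if the key is missing or the count is 1, the problem is in the bundle itself and keytool would only have imported a bare certificate or a truncated chain.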