Help on how to set up the certificate in openfire

I have prepared a certificate for my domain through let’s encrypt. Please tell me the steps to add it in openfire.
If you have a document in this regard, please provide it to me.
I have no information about this
Many thanks


Under Server there is a second navbar which contains TLS Certficates, this will bring you to the certificate store.

You should see Identity store, click Manage Store Contents. Delete the self signed certificate which is created by default by Openfire, then click imported here at the bottom of the explanation paragraph(s).

If the certificate is not password protected, leave the field blank.

Stick the private key (.key) contents into Content of Private Key file: and the fullchain (.pem) into Contents of Certificate file:, then click save.

The certificate should then show up as expected.

Good luck!

1 Like


As pointed out by Guus on XMPP, there is also a CertificateManager plugin which takes care of the certificate renewals for you, just need to install the plugin under Plugins. :smile:

thanks for your answer
I did the following steps in order:
1- First, in the path you mentioned, I deleted the certificate that Openfire creates by default.
2- I entered the keys like this
For the certificate, I got a certificate from the letsencrypt site (free of course)
First, I went to /etc/letsencrypt/live/MY_DOMAIN.COM
Here there were files called cert.pem, chain.pem, fullchain.pem and privkey.pem.
I entered the content of the privkey.pem file in the Content of Private Key file: section
And then I entered the content of the fullchain.pem file in the Content of Certificate file: section
3- Then I saved and restarted the openfire service
But such a message is shown on the page.
please guide me.
Besides, on the site that I searched, some users were doing this by using keytool commands. Like the links below

Please advise if there is anything

The import of the certificate seems to have been successful.

Ideally, a certificate is used that contains entries for all of these domain names:

  • the XMPP domain name (eg:
  • the FQDN of the server (or servers when running a cluster) on which Openfire is installed (eg:
  • All domain names of XMPP services ran by Openfire. These, by default, include:
    – the multi-user chat service called ‘conference’ (eg:
    – the pubsub service (eg:

When a certificate is installed that does not cover all of these, then the warning that you’re copy/pasting is displayed by Openfire.

Some or all functionality of Openfire might be unavailable (or not available through an encrypted channel) when not all of these entries are present in the certificate. In many cases, you can still use Openfire perfectly fine.

Thanks for your reply my friend
Please help me how to get rid of this error message
Also, in the address I mentioned in the post above, why do some users do this by running commands through the command line?
Please explain in simple language. I recently got acquainted with openfire.
Many thanks

To get rid of the warning message, you’ll need to import a certificate with all of the names in it, as I explained above.

The command-line management of the repository of certificates is documented here: Openfire: TLS Guide

Thanks for your reply dear friend
Because I couldn’t use the guidance on the page you introduced, please follow the steps to do the work in a simple way, considering that I got the certificate from let’s encrypt and the cert.pem, chain.pem, fullchain.pem, privkey files. I have the .pem file, explain it in a simple way.
Please only state the commands that I should execute.

I’m sorry, I’m unable to do that.

Can other friends help me?

Nobody can provide you copy and paste commands for you, your situation will differ from person to person (for example FQDNs).

What you need here is a SAN certificate (Subject Alternative Name), these are certificates with multiple DNS names.

A quick google search for letsencrypt yielded this:

You will need to know all the FQDNs you require, and then issue a SAN certificate with them all included, this can then be added.

The other alternative is simply to use a wildcard certificate, see: Certbot Instructions | Certbot

Or you can give the CertificateManager plugin a shot.

Apart from that you need to configure this yourself.

Good luck :slight_smile:

1 Like

I have done all these things on the server side
For example, I installed the certificate for Apache and…
My problem is how to use certificate in openfire
Should I use the keytool command for this?
I don’t know how to work with it
In the explanation above, I said that I added the certificate received from letsencrypt manually in the openfire web console. But it still shows the error message I mentioned above.


The certificate you currently have is not a SAN certificate, or the certificate does not contain all the alternative names required. Hence, the warning by openfire which Guus has explained.

In my previous message I have explained how you get issue a SAN certificate, please follow the documentation Guus has given you, and also the links I have provided on SAN certificates (and also your own google research) to get this working.

Note, Openfire can still function without the other alternative names, however things such as MUCs, http binding and pubsub will not function without the certificates, or they will function but without encryption.

Good luck.

They will probably work just fine for local users. Users from remote domains can have issues connecting to them though.

Id suggest a wildcard cert which lets encrypt supports.

After searching the internet, I found this page that provided a file to install the certificate in openfire.

After running it on the server, it showed the following message:

root@root:~# bash
Importing keystore /tmp/keystore.p12 to /tmp/keystore...
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Does this file solve the problem of installing the certificate in openfire?
But it still shows an error message on the Openfire Identity Certificate Store page

As I tried to say before: I do not think that you have a problem installing certificates in Openfire. I think you now have successfully imported the same incomplete certificate in Openfire.

I believe that the problem is not with the importing process, but with the certificate itself.

Thanks for the tip
I don’t understand, how can I solve the certificate problem
I got the certificate from letsencrypt. Besides, it did not give any error during the process of installing the certificate on the Apache service. And it was easy to install.

I’m not suggesting that the certificate is invalid. I’m suggesting that it does not contain all of the domain names that Openfire wants a certificate for.

I’ve explained which domain names Openfire wants here: Help on how to set up the certificate in openfire - #5 by guus