How can I import an SSL certificate and key?

LonelyPixel · October 9, 2007, 10:50am

Hello,

I noticed that I didn’t import my signed SSL certificate in Openfire yet. So I wanted to do that. But it’s a lot harder than I expected. For any other service that’s running on that box, I just give it the filename of the private key and certificate (they’re both in one file) and it just works. For Openfire, I need to do something with keytool, actually I need to copy the private key and stuff to a second location on the system which may be less secured than root file access.

But actually, it doesn’t work anyway. When I try to import the file with both parts, as described in the SSL documentation here on this site, keytool just say this wouldn’t be an X.509 key. But I’m pretty sure it is because any other application can read it. So I just gave it the certificate part and that worked. But obviously the private key was still missing which caused the Openfire web interface to throw an exception when accessing that page, saying this is no PrivateKey instance or something. So I extracted the private key part from the file and copied it to a separate file. Importing this failed because this “alias” was already defined in the keystore. Deleting it all again and only importing the private key again said this is no X.509 key.

So, now I’m sitting here and can’t use my SSL key. Any suggestions?

Aznidin · October 9, 2007, 1:05pm

Hi,

“Keytool does not let you import an existing private key for which you already have a certificate.” That statement is mentioned here together with a suggested solution. Also, I think Import SSL Key and Certificate would be helpful to you.

LonelyPixel · October 9, 2007, 1:39pm

Okay, I could now create a new Java keystore file with my private key and the certificate in it. It’s a bit of a complicated procedure that’s undocumented from the Openfire site, too, but it helps a bit further. After replacing the keystore file and restarting the Openfire server, the certificate shows up in the web interface.

The remaining problem is that Openfire asserts that my key wasn’t signed by a CA, but it is. How can I fix that?

Aznidin · October 9, 2007, 2:08pm

I can’t really speak about security, but regarding your problem, I think it could be solved if you do something like cat your.crt your_CA_cross_intermediate.crt your_CA_intermidiate.crt > certchain.txt and use certchain.txt when you generate your pkcs12 file, e.g. openssl pkcs12 -export -in certchain.txt -inkey your.key -out your.pkcs12 -name rsakey -passout pass:yourKeyPass.

LonelyPixel · October 9, 2007, 2:18pm

What are all those files between ‘cat’ and ‘> certchain.txt’? I don’t have anything similar to it. And, I’m no SSL expert, but I believe the CA has not something like a chain certificate.

Aznidin · October 9, 2007, 2:20pm

In my case, I downloaded them from my CA’s website.