powered by Jive Software

How do I install a wildcard SSL certificate?

Is there a clear example of how I can import an SSL wildcard certificate into openfire 3.6.4?

I have a wildcard.crt and wildcard.key file (which apache uses fine) and was openfire to use it instead of the self signed so users will not get prompted all the time for the unknown certificate.

Openfire can import a certificate and key but when I enter mine I get:

“There was an error one importing private key and signed certificate.”

Very NOT-helpful!!

Is there more details logged anywhere?

A proper procedure ?

What are these boxes expecting for certificate and key types?

grrr. help?


I solved my problem. I found an article that went through the steps step-by-step (http://www.lovelysystems.com/importing-an-existing-ssl-certificate-to-openfire/). I have pasted it here:

  • openssl pkcs8 -topk8 -nocrypt -in lovelysystems.com.key -inform PEM -out lovelysystems.key.der -outform DER

  • openssl x509 -in _.lovelysystems.com.crt -inform PEM -out _.lovelysystems.com.crt.der -outform DER

Get some java utilities to create a java key store (yes java still rosucks, thanks to AgentBob again)

  • ImportKey.java, ImportKey.class (Java 5) (attached local copy to this forum)

Create a new keystore (/root/keystore.ImportKey):

(assuming you have Java installed in /usr/local/bin/version)

  • export PATH=/usr/local/java/jdk1.5.0_17/bin:$PATH

  • export JAVA_HOME=/usr/local/java/jdk1.5.0_17/

  • java ImportKey lovelysystems.com.key.der _.lovelysystems.com.crt.der

change the keytool passwords back to the defaults (from ‘importkey’ to ‘changeit’)

  • keytool -storepasswd -keystore /root/keystore.ImportKey
    • keytool -keypasswd -alias importkey -keystore keystore.ImportKey

Add the GoDaddy Intermediate Certificate:

* wget –no-check-certificate [https://certificates.godaddy.com/repository/sf_issuing.crt](https://certificates.godaddy.com/repository/sf_issuing.crt)
* keytool -import -alias intermed -file sf_issuing.crt -keystore /root/keystore -storepass changeit -trustcacerts

Move it to openfire (probably back up the old first) and restart openfire

  • mv /root/keystore.ImportKey /opt/openfire/resources/security/keystore
    • /opt/openfire/bin/openfire stop
    • /opt/openfire/bin/openfire start

In case of errors:

  • tail -f -n 1000 /opt/openfire/logs/error.log

Last step no here is that I had to then go to the interface and go to the sertificates screen and submit the public certificate in the box and hit save.

Hope this is helpful
importkey.zip (4683 Bytes)

Hi Dion,

i know it is a long time ago since you have written this post, but maybe you or somebody else could help me with my openfire server and a wildcard certificate. I have done everything like you have described it, but at the end i run into a wall. Because when i have put the public certificate from the certificate provider into the box and hit save … nothing happend. That is why i have to ask additional questions to make sure that i have done everything right…

lovelysystems.com.key - Is the key that you have created for the csr, am i right ?

lovelysystems.com.crt - Is the certificate that was sent to you for csr from the ssl provider, am i right?

  1. Then you convert the key and the cert into DER format. <-- works for me

  2. Import both via the java.class into a new keystore <-- works for me

  3. Change both passwords from importkey to changeit <-- works for me

  4. Replace the new keystore with the old keystore <-- works for me

  5. Stop/Start Openfire <-- works for me, no corrupted keystore fault meld will be shown

  6. SSL Certificate show that the Cert have to be validated

  7. Try to load the text from my wildcard cert (what is lovelysystems.com.crt for you). <— does not work

Any ideas what i am doing wrong?

Thank you for your help in advance !!! :slight_smile:

Best Regards


What doesn’t work in step 7? I don’t even understand what step 7 is telling you to do.

Hi David,

step 7 is for me what Dion has described with:

" Last step no here is that I had to then go to the interface and go to the certificates screen and submit the public certificate in the box and hit save." - See screenshot in attachment as well.

But if i try to take the wildcard cert and put into the box and hit save, nothing happens. That is why i am asking if i am using the rights certs. Because as far as i understand he uses both time the wildcard cert. First time to merge it with the key in the java program and second time when he tries to validate it in the certificates screen.

Don’t understand why you would need to do that - You already built the key store with both the key and certificate, before you added the Intermediate CA.

Do you have issues with the keystore if you only get to step 6 and don’t do anything else? That is pretty much what we do. I don’t even touch the certificate page in the admin console - It’s all from the command line.

I have the problem that the status is not “ca signed” it is still “pending varification”. Because of that e.g. Thunderbird Chat do not except a ssl connection and is in a connecting loop.

From what i understand from Dions instructions is that he touched the certificate page. Maybe you can tell me what you have done exactly to get it working :slight_smile:

Best Regards,


I don’t know what ‘ca signed’ or ‘pending verification’ mean - A certificate is either validated through the signer chain, or it isnt. Can you connect to the admin console with openssl s_client or a browser and see if it validates the certificate. instead of using Thunderbird?

I did everything from step 1 to step 5. At that point, connecting to admin console presented the wildcard certificate to me and I verified that the browser validated it. There were no other changes via the admin console to support it.

Hi David,

i solved it by using the instructions from the following page:

The Certificate is now CA signed in Openfire and Thunderbird is connecting without any problems over SSL.

Thank you for your help and your fast response time :slight_smile:

Best Regards,