How to successfully import an existing StartSSL Cert & Key (Linux)

Notes: Openfire v3.7.1, Java 1.6, RHEL 6, StartSSL Class2 Signed Cert

The following are command line instructions for importing an existing SIGNED certificate and KEY to OpenFire.

1.) Stop Openfire.

2.) Merge your root CA with your existing certificate:

cat example.com.cert startssl.class2.ca > example.com.TempCert

3.) Convert your existing Private Key and new merged certificate to the pkcs12 format.

(This step requires you to create a password; I am going to use the default password, “changeit”, for simplicity.)

openssl pkcs12 -export -in example.com.TempCert -inkey example.com.private -out example.com.pkcs12 -name example.com

4.) Merge your private key and cert to OpenFire’s private Keystore.

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /opt/openfire/resources/security/keystore -srckeystore example.com.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -alias example.com

5.) Start OpenFire

Figuring this out took me forever. I hope it helps someone else too!

4 Likes
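The five steps above as one script, added here as an example and not code from the original post. It keeps the post's placeholder file names (example.com.cert, example.com.private, example.com.TempCert, example.com.pkcs12), assumes startssl.class2.ca is a PEM bundle holding the issuing intermediate and the root, and uses the post's "changeit" store password. Between the steps it adds the checks a practitioner wants before touching Openfire: that the private key really belongs to the certificate, that the bundle verifies the leaf, and that the PKCS12 carries the whole chain. `make_demo_material` generates a constructed self-signed test CA and leaf (not a StartSSL certificate) so `--demo` runs offline; the keytool step only runs when a JDK is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 2-4 with checks
# in between.  Names are the post's placeholders; "changeit" is the store
# password; material from make_demo_material is constructed test data.
set -eu

# The private key must belong to the certificate: a mismatch imports
# cleanly but the keystore then never serves the certificate.
key_matches_cert() {   # key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Step 2: leaf first, then the CA bundle (both PEM).  ">" is right for a
# fresh file.  Then prove the bundle verifies the leaf, which is what
# Openfire needs to show the certificate as "CA Signed".
build_chain() {   # build_chain OUT LEAF CABUNDLE
    cat "$2" "$3" > "$1"
    openssl verify -CAfile "$3" "$2" > /dev/null
}

# Step 3: PKCS12 holding key + chain under one friendly name (the alias).
export_pkcs12() {   # export_pkcs12 CHAIN KEY OUT ALIAS PASS
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" -passout "pass:$5"
}

# Number of certificates inside the PKCS12 (leaf + every CA cert).
pkcs12_cert_count() {   # pkcs12_cert_count P12 PASS
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Step 4: merge into the JKS keystore.  Key password = store password,
# because Openfire opens the key with xmpp.socket.ssl.keypass.
import_into_keystore() {   # import_into_keystore P12 KEYSTORE ALIAS PASS
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$4" -srcalias "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$4" -destkeypass "$4" -destalias "$3"
}

# Constructed test material: a self-signed CA that signs a leaf for example.com.
make_demo_material() {   # make_demo_material DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Test CA' \
        -keyout "$1/ca.key" -out "$1/startssl.class2.ca" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.com' \
        -keyout "$1/example.com.private" -out "$1/example.com.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$1/example.com.csr" -CA "$1/startssl.class2.ca" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/example.com.cert" 2>/dev/null
}

# Dry run of steps 2-4 against the constructed material:  ./import.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_material "$d"
    key_matches_cert "$d/example.com.private" "$d/example.com.cert"
    build_chain "$d/example.com.TempCert" "$d/example.com.cert" "$d/startssl.class2.ca"
    export_pkcs12 "$d/example.com.TempCert" "$d/example.com.private" "$d/example.com.pkcs12" example.com changeit
    echo "certificates in PKCS12: $(pkcs12_cert_count "$d/example.com.pkcs12" changeit)"
    if command -v keytool > /dev/null; then
        import_into_keystore "$d/example.com.pkcs12" "$d/keystore" example.com changeit
        keytool -list -keystore "$d/keystore" -storepass changeit
    fi
    rm -rf "$d"
fi
```

For the real import, stop Openfire, point `import_into_keystore` at /opt/openfire/resources/security/keystore and start it again. One caveat when the OpenSSL is newer than the Java: OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default, which the keytool of old JDKs such as the Java 6 in the post cannot read; add `-legacy` to the `openssl pkcs12 -export` line (or `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`) to get the older encoding.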

I really need to buy you a beer… I’ve been working on this for 8 hours today following old how-to’s (which worked two years ago, but not this time.)

Your solution worked, it was quick and painless. Thank you so much for the work you put in. I’m going to spend some time soon updating all the old posts that contain how-tos pointing them to your post.

Admins - Any chance we can sticky this? It will save many people, a whole lot of time. Thanks for considering.

Regards,
Daniel

PS - I’m serious about the beer.

Hi and first a big thanks for sharing your solution.

I'm finally starting to think that I'm too dumb for this

If I follow your guide step-by-step (and after the final restart of openfire) I get the message (inside the admin panel), that my keystore is corrupt.

As you are using class2 certificates, don’t you have to import the class2-intermediate certificate?

I would really appreciate it if you could push me in the right direction.

My setup: Openfire v3.7.1, Java 1.6, Ubuntu 10.04 (x64), StartSSL Class2 Signed Cert

Thanks

Regards

Thomas

P.S: I found out that now (after those tries), after every server restart, I have to recreate a set of self-signed certs, as I get the error that the keystore is corrupt.

The exact message:

Unable to access certificate store. The keystore may be corrupt.

UPDATE & SOLUTION:

This was only a permission issue. Was “easy” to handle after getting my head clear

…another beer from me

Thanks for this; it was very helpful! I used the same process to import also the DSA key.

One typo correction that is significant:

cat example.com.cert startssl.class2.ca > example.com.TempCert

should probably be:

cat example.com.cert startssl.class2.ca >> example.com.TempCert

–

Here are links to couple of other resources that were useful in this process:

Conversions between different SSL key formats

Openfire and SSL/TLS Certificates

Securing Openfire Clients

It works!

Really many, many thanks!

Hello!

I’m new in this community and I’m glad to be here. I would like to say thanks for the solution. It really helped us. Thanks!


Check out how to sync Droid with computer to learn more.

Hi there again

It’s been a long time now, but as I had to move my Openfire server to a new host (with new DNS names), I had to redo the whole process. I was really happy to know that somewhere here in the forum was the guide/how-to.

This time I thought I’d do it a little bit differently.

I’ve created the keystore directly from my PKCS12-File (.p12 or .pfx) this way:

keytool -importkeystore -srckeystore MyFile.p12 -srcstoretype pkcs12 -srcalias "My Certificate Alias" -destkeystore keystore -deststoretype JKS -destalias "My desired Certificate Alias"

then I added the required “StartCom Class 2 Primary Intermediate Server CA” to the truststore:

keytool -import -file StartCom_Class_2_Primary_Intermediate_Server_CA.crt -alias "StartCom Class 2 Primary Intermediate Server CA" -keystore truststore -destalias "startcom.ca.sub.class2"

and finally (just to be sure that I’ve got the whole chain in my truststore) I’ve added/re-added the “StartCom Certification Authority”:

keytool -import -file StartCom_Certification_Authority.crt -alias "StartCom Certification Authority" -keystore truststore

After moving these files into place I restarted the openfire service and logged into the admin panel. In the certificates section it shows my “new” certificate, but with the status “verification pending”.

For this I copied the server certificate from startssl and pasted it into the appropriate field on the certificates page.

After saving these changes, the certificate in use now shows up as “CA Signed”.

I just wanted to share my experience with you this way.

Regards,

Thomas

1 Like

Thomas,

Your walkthrough worked, after several unsuccessful attempts with others.

I used our domain CAs to generate and sign the certificate, and then used the PKCS10 file to generate a new keystore.

Thanks a bunch!

Bruno

I need to add my private key in here somewhere but I'm not sure how; do I need to replace “example.com.private” in the line below? When I try I get the error “unable to load private key”. How did you get this part to work, can you help?

From guide:

3.) Convert your existing Private Key and new merged certificate to the pkcs12 format.

(This step requires you create a password, I am going to use the default password for simplicity. “changeit”)

openssl pkcs12 -export -in example.com.TempCert -inkey example.com.private -out example.com.pkcs12 -name example.com

Thanks!

Hi,

yes, the example part should be replaced with your specific file names.

openssl pkcs12 -export -inkey your_private_key.key -in your_certificate.pem -name my_name -out final_result.p12

your_private_key.key = Private key filename

your_certificate.pem = Certificate filename

Then this should work.

Regards,

Thomas

P.S: you have to be sure, that both are encoded the same way (PEM or DER).

Thanks for that Thomas, much appreciated.

However, the existing/imported certificate in point 2 is a “.cert” file, but you suggest it needs to be a PEM or DER file? Which is it, or am I misunderstanding?

2.) Merge your root CA with your existing certificate:

cat example.com.cert startssl.class2.ca > example.com.TempCert

PS. Our root CA is globalsign and our certificate is a .pfx file.

Hello again,

as an “easy check” you could open this cert file. If there is something like this (human-readable stuff) inside:

-----BEGIN CERTIFICATE-----

base64-encoded data

-----END CERTIFICATE-----

then you have a PEM-encoded file. Otherwise it should be DER-encoded (non-human-readable stuff inside).

I think what you meant with “is a “.cert” file” is only about the file extension (it could even be .crt, depending on your file association).

You have a pfx file (PKCS12), which means that inside this file your private key is stored together with your signed certificate.

As you have a certificate from GlobalSign, you have to use their root CA certificates. Honestly, I’ve never used GlobalSign personally, so I don’t know if you also have to provide an intermediate certificate. What I could find on the fly was this posting from GlobalSign:

https://support.globalsign.com/customer/portal/articles/1217617

On this site you’ll find their root certificate (you have to copy the whole text, including —BEGIN CERTIFICATE… till END CERTIFICATE—) and save it to a new file and call it (the name doesn’t matter) e.g. globalsign-root-ca.crt (or .pem or .cert), as this is PEM-encoded.

But AFAIK you should use the (IMHO easier) way described in my posting from 10.10.2013 (posting below). You could create your keystore directly from your pfx file.

Let me know if it worked

Regards,

Thomas
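The “easy check” from the reply above, done by openssl instead of by eye, plus the two things the asker needs next: turning a DER file into PEM so it can be concatenated in step 2, and pulling the private key, leaf and issuer chain out of a .pfx so steps 2 and 3 have their inputs. This is an added example, not code from the thread; file names are arguments and nothing in it is specific to GlobalSign or StartSSL.

```shell
#!/bin/sh
# Added example, not code from the original post.  Detects PEM vs DER,
# normalises to PEM, and splits a PFX into key / leaf / CA chain files.
set -eu

# Print "pem" or "der" for a certificate file; fail if openssl parses neither.
# The BEGIN line alone is not proof (a truncated paste still has it), so the
# PEM branch also asks openssl to parse the file.
cert_encoding() {   # cert_encoding FILE
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null \
       && openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        echo pem
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo der
    else
        return 1
    fi
}

# Write FILE to OUT as PEM whatever its current encoding; cat and keytool
# -import both expect PEM for a chain file.
to_pem() {   # to_pem FILE OUT
    case $(cert_encoding "$1") in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -in "$1" -inform DER -out "$2" -outform PEM ;;
        *)   echo "$1: not a certificate" >&2; return 1 ;;
    esac
}

# A PFX/P12 holds the private key, the leaf and (usually) the issuer chain.
# Split it into PEM files key.pem, cert.pem and ca.pem under OUTDIR.
pfx_extract() {   # pfx_extract PFX PASS OUTDIR
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3/cert.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$3/ca.pem"
    chmod 600 "$3/key.pem"   # the unencrypted key is the only secret here
}
```

After `pfx_extract`, ca.pem is the bundle to append in step 2 (compare it with the root the CA publishes; if the PFX only carried the leaf, download the intermediate and root and build the bundle yourself), cert.pem is the leaf and key.pem the private key for step 3. The key.pem written by `-nodes` is unencrypted, hence the chmod; delete it once the PKCS12 is built.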

Thanks Thomas, may be a silly question, do all the keystore/truststore commands need to be run from the /etc/openfire/security directory?

Hello,

there are no silly questions, just silly answers

Those commands can be executed from everywhere on the system. But if you run them from the same directory where your files are stored you don’t have to specify additional paths.

i.e.

you are in your home directory, the files (certificate and private key) are stored under /etc/ssl/certs/ and the output of the ssl command should also be stored there; then you would run the command as follows:

openssl pkcs12 -export -inkey /etc/ssl/certs/your_private_key.key -in /etc/ssl/certs/your_certificate.pem -name my_name -out /etc/ssl/certs/final_result.p12

After this you have to move your file/s where you need them.

In my examples I usually run them from the same folder, but as you can see this isn’t necessary.

Regards,

Thomas

1 Like

Hi

I followed the steps; I just ran the commands from the same directory as the files.

I created the truststore using the .pfx (I think) and added the intermediate cert and global root CA cert into the truststore (how do I check they were added successfully?)

Problem: when I restart the openfire service and go into certificates, I can’t see my new certificates listed!

When I attempt to import my certificate into the appropriate fields it fails with the below error:

“There was an error one importing private key and signed certificate. Error message: Failed to establish chain from reply.”

Hi,

to check the content of a keystore/truststore you can use the following command:

keytool -list -v -keystore your_filename_here

you will be asked for the password for this truststore/keystore.

Just to clarify (perhaps it was only a typo), from the PFX file you have to create your keystore and not the truststore. These are two different files.

In the truststore you’ll find a list of CA’s and/or intermediate CA’s.

The keystore is the “important part” as it contains your private key (for your certificate) and this is the only thing of value as the certificate/s itself could/should be public.

Keystore: Create it from your P12 or PFX file.

Truststore: Herein you should import the GlobalSign Root and intermediate certificates

Let me know if this helped you

Regards,

Thomas

P.S: you would use the same command for checking the content of truststores too, even if in the command you type “-keystore”

keytool -list -v -keystore your_filename_here

Thanks Thomas, that was a typo…

For the .pfx import I get an alias error:

Command: sudo keytool -importkeystore -srckeystore file.pfx -srcstoretype pkcs12 -srcalias "happy" -destkeystore keystore -deststoretype JKS -destalias "very happy"

Error: keytool error: java.lang.Exception: Alias does not exist

I have since run the command without adding a srcalias or destalias and it went through, but no certificates are appearing in Openfire… Do I need to add an alias or change something here?

I’ve added the intermediate and global CAs to the truststore successfully using the import commands in your guide. I ran them again just to be sure and it states that the certs have already been added: “certificate already exists in keystore” (why does it state “keystore” and not truststore? confusing). So I assume this part is complete.

Just can’t create the keystore from my .pfx

You have been a massive help on this (so far)!!

Hello,

this error message only tells you that the source alias wasn’t correct. To get the alias name from the PFX or P12 file you could run the following command:

keytool -list -keystore Your_filename_here.p12 -storetype pkcs12

This should output something like the following (it will ask you for the PFX/P12 file passphrase even if no passphrase is set; in that case just confirm by pressing ENTER):

Keystore type: PKCS12

Keystore provider: SunJSSE

Your keystore contains 1 entry

THE ALIAS STANDS HERE, 17.10.2013, PrivateKeyEntry,

Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

The alias would be useful if you have more certificates, just to keep an overview of the contained certificates. If the alias contains spaces or special chars you should put it in quotation marks "".

keytool -importkeystore -srckeystore MyFile.p12 -srcstoretype pkcs12 -srcalias "My Certificate Alias" -destkeystore keystore -deststoretype JKS -destalias "My desired Certificate Alias"

keystore here stands for the filename under which the keystore should be created; i.e:

keytool -importkeystore -srckeystore MyFile.p12 -srcstoretype pkcs12 -srcalias "My Certificate Alias" -destkeystore Your_Desired_Keystore_Name_here -deststoretype JKS -destalias "My desired Certificate Alias"

After running the conversion (taking my example) you should have a file called “keystore” or “Your_Desired_Keystore_Name_here”. Could you verify this?

If this file was created you could even check its content with:

keytool -list -v -keystore keystore OR keytool -list -v -keystore Your_Desired_Keystore_Name_here

If everything looks good up to here, you should check the file permissions of the keystore and truststore.

I did it this way (under Linux):

chown openfire:openfire your_keystore_filename && chown openfire:openfire your_truststore_filename

openfire in this case is the username of the user running the openfire service

chmod 640 your_keystore_filename && chmod 640 your_truststore_filename

The content of the security-directory (/etc/openfire/security/) should look something like this:

-rw-r----- 1 openfire openfire keystore

-rw-r----- 1 openfire openfire truststore

Glad to hear that I could help (until here ), so lets try to complete this task

Regards,

Thomas

P.S: Sorry, the translation in the output example may not be 100% accurate, as the output of my engine is in German and I just tried to translate it.
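The two checks from the reply above as a script, added here as an example and not code from the thread: that each store is owned by the service user with mode 640 or stricter (a store Openfire's user cannot read is what the admin panel reports as “the keystore may be corrupt”, and a world-readable keystore exposes the private key), and that the store opens with the password Openfire is configured with and contains the expected alias. It assumes Linux with GNU `stat` (the `-c` format), the service user “openfire” and the default password “changeit” from the thread; the keytool part is skipped when no JDK is installed.

```shell
#!/bin/sh
# Added example, not code from the original post.  Post-install checks for
# Openfire's keystore/truststore: owner, mode and store password.
# Assumes GNU stat (Linux); defaults are the thread's "openfire"/"changeit".
set -eu

# Owner must be the service user; mode 640 or stricter (group read is
# acceptable, "other" must have nothing, group must not write/execute).
check_store_perms() {   # check_store_perms FILE OWNER
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    set -- "$1" "$2" $(stat -c '%a %U' "$1")   # $3 octal mode, $4 owner
    [ "$4" = "$2" ] || { echo "$1: owned by $4, expected $2"; return 1; }
    perm=${3#"${3%???}"}                        # last three octal digits
    other=${perm#??}
    group=${perm#?}; group=${group%?}
    [ "$other" = 0 ] || { echo "$1: accessible by others (mode $3)"; return 1; }
    case $group in
        0|4) ;;
        *) echo "$1: group has write/execute (mode $3)"; return 1 ;;
    esac
}

# The store must open with the password in xmpp.socket.ssl.keypass /
# trustpass; the same listing shows the aliases, so check the expected one.
check_store_opens() {   # check_store_opens FILE PASS [ALIAS]
    command -v keytool > /dev/null || { echo "keytool not found, skipping password check"; return 0; }
    listing=$(keytool -list -keystore "$1" -storepass "$2" 2>&1) \
        || { echo "$1: cannot open with the given password"; return 1; }
    [ -z "${3:-}" ] && return 0
    printf '%s\n' "$listing" | grep -qi "^$3," \
        || { echo "$1: alias $3 not present"; return 1; }
}

# Usage: ./check_stores.sh SECURITY_DIR [USER] [PASS]
# e.g.   ./check_stores.sh /opt/openfire/resources/security openfire changeit
if [ $# -ge 1 ]; then
    user=${2:-openfire}; pass=${3:-changeit}; rc=0
    for store in "$1/keystore" "$1/truststore"; do
        check_store_perms "$store" "$user" || rc=1
        check_store_opens "$store" "$pass" || rc=1
    done
    [ $rc -eq 0 ] && echo "both stores readable by $user and open with the configured password"
    exit $rc
fi
```

Run it after copying the new stores into place and before starting Openfire; each failing check prints the reason, so a wrong owner, a world-readable file or a store saved with a different password shows up here rather than as the generic “corrupt keystore” message in the admin panel.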

Thanks Thomas, I have left the alias out as we only have the one certificate, so it shouldn’t confuse things. Your explanation of this has been excellent, btw.

I have created a new “keystore” and “truststore” (called “keystore” and “truststore”) in a temp directory, so I assume if I stop the openfire service and then replace the old keystore and truststore files in /etc/openfire/security/ with these newly created files it should work (if the permissions are set as you have stated above)?

I have checked both the keystore and truststore files using keytool -list -v -keystore keystore OR keytool -list -v -keystore truststore and it looks like both have the correct cert content!!

Hello again,

I have created a new “keystore” and “truststore” (called “keystore” and “truststore”) in a temp directory, so I assume if I stop the openfire service and then replace the old keystore and truststore files in /etc/openfire/security/ with these newly created files it should work (if the permissions are set as you have stated above)?

This should be correct.

One thing I didn’t mention yet: did you save your keystore/truststore with a password? The default keystore/truststore password should be “changeit”. If you created a new one (with another password) you have to provide this password to openfire, as it must have access to it. You can find some useful information here: http://community.igniterealtime.org/docs/DOC-2208

The Point “Optional Setup Options” may be interesting for you.

@Patrick Frye wrote:

Browse to your Openfire server at http://yourserver:9090

Under “Server Manager”, select “System Properties”

Add/edit the following properties with the following values:

Property Name – Property Value
xmpp.socket.ssl.active – true
xmpp.socket.ssl.port – 5223
xmpp.socket.ssl.storeType – JKS
xmpp.socket.ssl.keystore – resources/security/keystore
xmpp.socket.ssl.keypass – changeit
xmpp.socket.ssl.truststore – resources/security/truststore
xmpp.socket.ssl.trustpass – changeit

Otherwise you could recreate them with the default password OR convert the actual stores in order to require the default password (changeit).

To convert your existing one (without password protection or protected by another password) you could use this command:

keytool -storepasswd -new Your_new_storepassword -keystore Your_key-_or_truststore_filename_here

Back up your current stores first (just to be safe)

We’re getting closer to our target

Good luck and let me know

Regards,

Thomas

1 Like