
HowTo Wildcard Certificate & OpenFire (Linux Version)

So, you've got a wildcard certificate and Openfire says “no way dude”?

Here is my HowTo for it.

I've got my *.domain.com certificate from Comodo, so it is possible that your certificates look a little different, but they have the same purposes.

Let's begin:

After you have got your certificates, look for these three in particular:

certificate.crt, intermediate1.crt, intermediate2.crt, root.crt

You need your private key file too.

mykey.key

Log into your Linux and make a temporary folder:

mkdir tmp && cd tmp

Copy all the above files into that directory.

Chain all the certificates into one file:

cat certificate.crt intermediate1.crt intermediate2.crt root.crt > cert_bundle.pem

Now we have all the certs in one file, but we need to line-split them.

vi cert_bundle.pem

Look for something like this: “-----END CERTIFICATE----------BEGIN CERTIFICATE-----”

Now split them, so that “-----BEGIN CERTIFICATE-----” is at the beginning of the next line. Repeat that for the others.

When you are done, we need to create a PKCS#12 file. Don't use a password.

openssl pkcs12 -export -name yourserver.domain.com -in cert_bundle.pem -inkey mykey.key -out keystore.p12

Now we use keytool to create a new keystore; remember your password.

keytool -importkeystore -destkeystore keystore -srckeystore keystore.p12 -srcstoretype pkcs12 -alias yourserver.domain.com

Copy the keystore to your Openfire directory:

cp keystore /opt/openfire/.

Now we have everything in place and need to tell Openfire where to look. Change to your favorite web browser and log into your Openfire web console.

At Server Properties create a new entry:

Property Name: xmpp.socket.ssl.keypass

With your keystore password as property value.

Then create another new entry:

Property Name: xmpp.socket.ssl.keystore

With the location of your keystore as property value. The root directory is your Openfire directory. If your keystore file is in “/opt/openfire/keystoredir/keystore” you need “keystoredir/keystore”.

At last, tell Openfire what store type you are using.

Create a new entry:

Property Name: xmpp.socket.ssl.storeType

With property value: JKS

Restart your server and all is good. If all is not good, I will try to help as much as I can.

Sorry for my English.
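The chain, line-split, PKCS#12 and keytool steps of the HowTo above, written as shell functions (an added example, not the original poster's script). It assumes the file names used in the post; the alias "yourserver.domain.com" is a placeholder, and the demo certificates at the end are constructed fakes, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the post's file names.

# Join the certificate files in chain order and put every BEGIN marker on its
# own line. Files saved without a trailing newline otherwise glue together as
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----", which the post fixes in vi.
split_cert_bundle() {
    out="$1"; shift
    cat "$@" | awk '{
        gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
             "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----")
        print
    }' > "$out"
}

# 0 when no line holds both an END and a BEGIN marker and the marker counts match.
check_bundle() {
    grep -q 'END CERTIFICATE-----.*-----BEGIN' "$1" && return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq \
      "$(grep -c -- '-----END CERTIFICATE-----' "$1")" ]
}

# Number of certificates in a bundle (4 for cert + two intermediates + root).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# PKCS#12 without a password (-passout pass:), then import into a JKS keystore
# under the server name; keytool prompts for the new keystore password.
# Needs openssl and keytool on PATH; the final listing should show one entry.
build_keystore() {
    name="$1"; bundle="$2"; key="$3"
    openssl pkcs12 -export -name "$name" -in "$bundle" -inkey "$key" \
        -passout pass: -out keystore.p12 &&
    keytool -importkeystore -destkeystore keystore -srckeystore keystore.p12 \
        -srcstoretype pkcs12 -srcalias "$name" -destalias "$name" &&
    keytool -list -keystore keystore
}

# Constructed demo: three fake "certificates" saved without trailing newlines.
# Prints the certificate count of the repaired bundle (3) on success.
demo_split() {
    d=$(mktemp -d)
    for i in 1 2 3; do
        printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' "FAKE$i" \
            '-----END CERTIFICATE-----' > "$d/c$i.crt"
    done
    cat "$d/c1.crt" "$d/c2.crt" "$d/c3.crt" > "$d/glued.pem"
    check_bundle "$d/glued.pem" && { rm -rf "$d"; return 1; }   # glued file must fail
    split_cert_bundle "$d/fixed.pem" "$d/c1.crt" "$d/c2.crt" "$d/c3.crt"
    check_bundle "$d/fixed.pem" || { rm -rf "$d"; return 1; }
    n=$(cert_count "$d/fixed.pem"); rm -rf "$d"; echo "$n"
}
```

For the real files, call `split_cert_bundle cert_bundle.pem certificate.crt intermediate1.crt intermediate2.crt root.crt`, run `check_bundle cert_bundle.pem`, and only then `build_keystore yourserver.domain.com cert_bundle.pem mykey.key`.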


I can’t do it.

I’ve tried following these guides:

Openfire: SSL Guide

HowTo Wildcard Certificate & OpenFire (Linux Version) (this one)

HOWTO: Import a signed SSL certificate into Openfire

Import SSL certificate in Openfire running on Windows Server 2008

https://alpha-labs.net/2014/12/openfire-and-ciphers/ or https://edit.alpha-labs.net/p/7zD6BfcAld

No matter what I do, when Openfire starts I get the following error in the web config:

Unable to access certificate store. The keystore may be corrupt.

I have triple checked that the password to access the keystore is correct and exists in the server properties. The path is also correct and so are permissions and file ownership. keytool -list -keystore keystore shows only one certificate and it is the one that I want. I’ve tried creating the keystore from the command line, and from the Windows-based KeyStore Explorer. Nothing works.

IMPORTANT EDIT:

The problem is definitely with file names and keystore / certificate passwords. After trying a million different combinations, I finally decided to try the default keystore name of “keystore” in the default location of /usr/share/openfire/resources/security using the default password of “changeit” for BOTH the keystore AND the certificate inside.

In summary,

1. Make sure your keystore is named /usr/share/openfire/resources/security/keystore

2. Make sure you check that both your keystore and certificate are using the same default password with the following commands:

 $ keytool -storepasswd -keystore keystore

 $ keytool -keypasswd -alias "YourCertificateAlias" -keystore keystore

If you don’t know your certificate alias you can view all the certificate aliases using the following command: $ keytool -list -keystore keystore

2A. If you prefer a GUI, it IS possible to view your keystore, the certificate alias names, and change the passwords using Keystore Explorer for Windows. Be sure you change the password for the entire Keystore itself (Tools -> Set Password -> “Set KeyStore Password” Window) AND that you right-click on the individual certificate INSIDE the Keystore (Right-click -> Set Password -> “Set Key Pair Entry Password” Window)

3. Make sure you DO NOT waste time trying to use the following server properties. I could not get them to work after hours of trying various combinations:

 xmpp.socket.ssl.keypass

 xmpp.socket.ssl.keystore

 "Do not use" means delete them completely from Server Manager -> System Properties.  If the fields do not exist, openfire automatically uses the defaults.

Additional Notes: After installing my Comodo Wildcard Certificate, the Server Settings -> Server Certificates page shows that my certificate is INCOMPLETE and “Pending Verification”. There is even what appears to be an automatically generated CSR awaiting a response. It seems to me that YOU CAN SAFELY IGNORE THIS. I was scared at first and started checking other threads with similar problems, but when I went ahead and attempted connecting, both https:// access to the web config AND SSL connections via jabber clients WORK FINE. So this seems to be just a bug in the openfire web config.

All of this is on my setup running:

Ubuntu 14.04

Openfire 3.10.2


Hi Daniel,

the Pending Verification is because Openfire cannot identify your server name on the issued certificate. That is common, because you got *.domain.com or something like that.

I got it working with this step:

openssl pkcs12 -export -name yourserver.domain.com -in cert_bundle.pem -inkey mykey.key -out keystore.p12

Yes, you can ignore that, but then you have certification errors when you log in. In my case this is not acceptable, because we use it to communicate with partners and that just looks ugly.

I assume you got it working now?

Nope. My server still shows Pending Verification. But it seems to “work” anyway.

  1. I can connect to the web config with https:// and I get no warning about the certificate, and the security lock shows as green. I tried in Chrome Windows (green), Chrome and Safari OSX (green), Firefox OSX (not green, but it did show a lock and indicated the site was secure when I clicked on the lock), and even Chrome for iPhone.
  2. I can connect from OS X Messages.app to the jabber server using SSL and get no warnings (I used to get warnings before when I was using a self-signed certificate).

The strange thing is that http://www.xmpp.net seems to agree with you and says my server has an untrusted certificate.

I just tried recreating the keystore to make the -name field match the server address (chat.mydomain.com), but it made no difference. Server settings -> Server certificates still shows Pending Verification.

Host (alias) shows *.mydomain.com (chat.mydomain.com)

Something very strange happened over the last 18 hours. I started getting certificate errors. Both OS X messages.app and Google Chrome (accessing the https:// web admin site) were complaining about my certificate. Then, just as suddenly as the problem popped up, it is now gone. I didn’t change anything with the Openfire server or the certificate during that time. Additionally, I inspected the certificate in Google Chrome, and it was showing correctly as a valid (unexpired) wildcard certificate from Comodo for *.mydomain.com, but Chrome was giving me a red slash through my https:// and warning me about the dangers of accessing the site.

Weird.

Thanks Yukiru,

Your solution worked for me except in 2 parts:

1: I had to add “xmpp.socket.ssl.active” with value “true” to system properties.

2: I still have “Pending Verification” with signing request even though I used "openssl pkcs12 -export -name yourserver.domain.com -in cert_bundle.pem -inkey mykey.key -out keystore.p12".

Can you help me with Pending Verification issue?

I know this is an old thread, but Daniel’s first large post above got this to work for me on 4.04. Thank you much.