HowTo Wildcard Certificate & OpenFire (Linux Version)

I can’t do it.

I’ve tried following these guides:

Openfire: SSL Guide

HowTo Wildcard Certificate & OpenFire (Linux Version) (this one)

HOWTO: Import a signed SSL certificate into Openfire

Import SSL certificate in Openfire running on Windows Server 2008

https://alpha-labs.net/2014/12/openfire-and-ciphers/ or https://edit.alpha-labs.net/p/7zD6BfcAld

No matter what I do, when Openfire starts I get the following error in the web config:

Unable to access certificate store. The keystore may be corrupt.

I have triple checked that the password to access the keystore is correct and exists in the server properties. The path is also correct and so are permissions and file ownership. keytool -list -keystore keystore shows only one certificate and it is the one that I want. I’ve tried creating the keystore from the command line, and from the Windows-based KeyStore Explorer. Nothing works.

IMPORTANT EDIT:

The problem is definitely with file names and keystore / certificate passwords. After trying a million different combinations, I finally decided to try the default keystore name of “keystore” in the default location of /usr/share/openfire/resources/security using the default password of “changeit” for *BOTH* the keystore AND the certificate inside.

In summary,

1. Make sure your keystore is named /usr/share/openfire/resources/security/keystore

2. Make sure you check that both your keystore and certificate are using the same default password with the following commands:

 $ keytool -storepasswd -keystore keystore

 $ keytool -keypasswd -alias "YourCertificateAlias" -keystore keystore

If you don’t know your certificate alias you can view all the certificate aliases using the following command: $ keytool -list -keystore keystore

2A. If you prefer a GUI, it IS possible to view your keystore, the certificate alias names, and change the passwords using Keystore Explorer for Windows. Be sure you change the password for the entire Keystore itself (Tools -> Set Password -> “Set KeyStore Password” Window) AND that you right-click on the individual certificate INSIDE the Keystore (Right-click -> Set Password -> “Set Key Pair Entry Password” Window).

3. Make sure you DO NOT waste time trying to use the following server properties. I could not get them to work after hours of trying various combinations:

 xmpp.socket.ssl.keypass

 xmpp.socket.ssl.keystore

 "Do not use" means delete them completely from Server Manager -> System Properties. If the fields do not exist, Openfire automatically uses the defaults.

**Additional Notes:** After installing my Comodo Wildcard Certificate, the Server Settings -> Server Certificates page shows that my certificate is INCOMPLETE and “Pending Verification”. There is even what appears to be an automatically generated CSR awaiting a response. It seems to me that YOU CAN SAFELY IGNORE THIS. I was scared at first and started checking other threads with similar problems, but when I went ahead and attempted connecting, both https:// access to the web config AND SSL connections via jabber clients WORK FINE. So this seems to be just a bug in the openfire web config.

All of this is on my setup running:

Ubuntu 14.04

Openfire 3.10.2

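The three conditions the post settles on (keystore at the default path, store password opens it, key entry uses the same password as the store) can be checked in one go before restarting Openfire. The script below is an added example, not code from the post or from the Openfire project; it assumes a JDK `keytool` on PATH, and the `SAMPLE_LISTING` text is constructed to mimic `keytool -list` output.

```shell
#!/bin/sh
# Added example: sanity-check an Openfire keystore against the conditions in the post.
DEFAULT_KEYSTORE=/usr/share/openfire/resources/security/keystore

# Constructed sample of `keytool -list` output (one "alias, date, Type," line per entry).
SAMPLE_LISTING='Your keystore contains 2 entries

wildcard.example.com, Jan 5, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 00:11:22
comodo-root, Jan 5, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 33:44:55'

# Print the aliases of private-key entries found in keytool -list output on stdin.
key_aliases() {
    grep 'PrivateKeyEntry' | cut -d, -f1
}

# Count private-key entries; the post expects exactly one (the wildcard certificate).
count_key_entries() {
    key_aliases | grep -c .
}

# check_keystore PATH STOREPASS: prints findings, returns 0 only if every check passes.
check_keystore() {
    ks="$1"; pass="$2"; rc=0
    if [ "$ks" != "$DEFAULT_KEYSTORE" ]; then
        echo "WARN: keystore is not at the default path $DEFAULT_KEYSTORE"; rc=1
    fi
    [ -r "$ks" ] || { echo "FAIL: cannot read $ks (check path, ownership, permissions)"; return 1; }
    listing=$(keytool -list -keystore "$ks" -storepass "$pass" 2>&1) \
        || { echo "FAIL: store password does not open $ks"; return 1; }
    n=$(printf '%s\n' "$listing" | count_key_entries)
    [ "$n" -eq 1 ] || { echo "WARN: expected 1 private-key entry, found $n"; rc=1; }
    for alias in $(printf '%s\n' "$listing" | key_aliases); do
        # -certreq needs the private key, so it fails when the key password differs from the store password.
        if keytool -certreq -alias "$alias" -keystore "$ks" -storepass "$pass" -keypass "$pass" >/dev/null 2>&1; then
            echo "OK: key entry '$alias' uses the store password"
        else
            echo "FAIL: key entry '$alias' has a different password; fix with: keytool -keypasswd -alias $alias -keystore $ks"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_keystore.sh /usr/share/openfire/resources/security/keystore changeit
if [ $# -ge 1 ]; then check_keystore "$1" "${2:-changeit}"; fi
```

Run it with the store password you expect Openfire to use; a WARN or FAIL line points at the specific condition that still differs from the defaults described above.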