I am trying to import my SSL (wildcard) certificate.
There used to be an option in the WebGUI (Server Settings -> Server Certificates) that would allow you to import the SSL cert.
I upgraded to Openfire v4.3.0 today & that sub-menu is no longer listed.
The Openfire server is running on CentOS 7.
There is now a separate plugin Certificate Manager. Maybe that menu is part of that plugin.
Thanks for the tip, wroot!
I placed my .crt and .key files into the directory that the āCertificate Managerā is designed to check.
/opt/openfire/resources/security/hotdeploy
I also have the option labeled āDelete files from the hot-deploy directory after installationā checked-off. However after restarting the (Certificate Manager) plugin my 2 files (still) remain in-tact within this directory.
Also, I donāt think I WANT to add my SSL cert to the āOpenfire identity storeā.
I just want to assign the certificate to the HTTPS service, so when I navigate to https://hostname.domain.com:9091, the web browser will not display a message saying āuntrusted siteā.
Iām not familiar with what types of certificates files should be put in that folder. Maybe you should ask in chat on this site (Guus was the author of this plugin). Openfire uses the same certificate for HTTPS and encrypting clients connections (TLS), so i think it should be imported to the store.
TLS is a tricky beast.
Itās good to know that the certificate manager plugin does not add any functionality, apart from automation. You can manage the content of your stores, without that plugin, in the Openfire admin console under āServerā > āTLS/SSL Certificatesā
Openfire uses a set of stores, consisting of:
Under water, all of these stores are Java keystores (it is fine to modify them directly, using Java tooling, although you might need a restart to see changes pop up - Iām unsure).
By default, Openfire will use the same set of stores for all types of connections. You can, however, define distinct sets of stores for different types of connections. You can do this by clicking on the link that is under this text on the āServerā > āTLS/SSL Certificatesā admin console page:
(ā¦) but Openfire allows you to configure a distinct set of stores for each connection type
Caveats:
Also, the user running openfire needs to have access to the certificates in the hotdeploy directory. For me (also CentOS7), thatās daemon.
Previously, we had to delete the previous (to be replaced) cert from the keystore via ākeytool -delete ā¦ā, but I donāt know if thatās necessary now.
If you have good results replacing an existing certificate using hotdeploy alone, Iād appreciate some confirmation.
This is exactly what I needed in order to get me on the right track. Thanks guss!!
I (tried to) automate this with an LE cert:
Delete old certificate (not sure if this is necessary): /opt/openfire/jre/bin/keytool -delete -alias -keystore /opt/openfire/resources/security/keystore -storepass
Copy certs to /opt/openfire/resources/security/hotdeploy
chown daemon:daemon /opt/openfire/resources/security/hotdeploy/*.pem; sleep 10; systemctl restart openfire
The certificates usually get sucked up immediately after chown daemon:daemon.
systemctl restart openfire
That defeats the purpose of āhot-deployingā!
Note that in the upcoming 1.2.0 release of the certificate manager plugin, useful new features are added, including more robust detection of new certificate files, as well as backups.
It does!
In my case, Iām more utilizing the hot-deploy as a means to automate deployment of the updated certs.
Is there a better way to restart the webserver to utilize the new cert?
Your solution worked for me.
the only change is chown openfire:openfire
Thank you
