I placed my .crt and .key files into the directory that the "Certificate Manager" is designed to check.
/opt/openfire/resources/security/hotdeploy
I also have the option labeled "Delete files from the hot-deploy directory after installation" checked-off. However, after restarting the (Certificate Manager) plugin my 2 files (still) remain intact within this directory.
Also, I don't think I WANT to add my SSL cert to the "Openfire identity store".
I just want to assign the certificate to the HTTPS service, so when I navigate to https://hostname.domain.com:9091, the web browser will not display a message saying "untrusted site".
I'm not familiar with what types of certificate files should be put in that folder. Maybe you should ask in chat on this site (Guus was the author of this plugin). Openfire uses the same certificate for HTTPS and encrypting client connections (TLS), so I think it should be imported to the store.
It's good to know that the certificate manager plugin does not add any functionality, apart from automation. You can manage the content of your stores, without that plugin, in the Openfire admin console under "Server" > "TLS/SSL Certificates"
Openfire uses a set of stores, consisting of:
Identity Store - this holds your private key and certificate (identifies your instance of Openfire)
Trust Store - this holds certificates for CAs that your instance of Openfire will trust (used to verify the certificates that are served by others).
Client Trust Store - (this often is unused/empty) Can hold certificates that are used to perform mutual authentication (eg: when your clients authenticate using a certificate, instead of the more traditional username/password).
Under water, all of these stores are Java keystores (it is fine to modify them directly, using Java tooling, although you might need a restart to see changes pop up - I'm unsure).
By default, Openfire will use the same set of stores for all types of connections. You can, however, define distinct sets of stores for different types of connections. You can do this by clicking on the link that is under this text on the "Server" > "TLS/SSL Certificates" admin console page:
Using different sets for different connection types is not used often - here might be dragons
It's unlikely that using different sets for different connection types plays nice with the certificate manager plugin (that'd be one of the aforementioned dragons).
Also, the user running openfire needs to have access to the certificates in the hotdeploy directory. For me (also CentOS7), that's daemon.
Previously, we had to delete the previous (to be replaced) cert from the keystore via "keytool -delete …", but I don't know if that's necessary now.
If you have good results replacing an existing certificate using hotdeploy alone, I'd appreciate some confirmation.
Delete old certificate (not sure if this is necessary): /opt/openfire/jre/bin/keytool -delete -alias -keystore /opt/openfire/resources/security/keystore -storepass
Copy certs to /opt/openfire/resources/security/hotdeploy
Note that in the upcoming 1.2.0 release of the certificate manager plugin, useful new features are added, including more robust detection of new certificate files, as well as backups.