TLS is a tricky beast.
It’s good to know that the certificate manager plugin does not add any functionality, apart from automation. You can manage the content of your stores, without that plugin, in the Openfire admin console under “Server” > “TLS/SSL Certificates”.
Openfire uses a set of stores, consisting of:

- Identity Store - this holds your private key and certificate (it identifies your instance of Openfire).
- Trust Store - this holds certificates for CAs that your instance of Openfire will trust (used to verify the certificates that are served by others).
- Client Trust Store - this is often unused/empty. It can hold certificates that are used to perform mutual authentication (e.g. when your clients authenticate using a certificate instead of the more traditional username/password).

Under the hood, all of these stores are Java keystores (it is fine to modify them directly, using Java tooling, although you might need a restart to see changes pop up - I’m unsure).
By default, Openfire will use the same set of stores for all types of connections. You can, however, define distinct sets of stores for different types of connections. You can do this by clicking on the link that is under this text on the “Server” > “TLS/SSL Certificates” admin console page:
> (…) but Openfire allows you to configure a distinct set of stores for each connection type
- Using different sets for different connection types is not done often - here might be dragons.
- It’s unlikely that using different sets for different connection types plays nice with the certificate manager plugin (that’d be one of the aforementioned dragons).
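Since the stores are plain Java keystores, you can check what is actually in them without going through the admin console. The following is an added example written for this thread, not code from the post above or from the Openfire project: it loads a keystore with the standard `java.security.KeyStore` API and reports, per alias, whether the entry is a private key with a certificate chain (what you expect in the identity store) or a trusted certificate (what you expect in the trust store and client trust store), along with the subject, issuer and validity of each certificate, flagging anything already expired. The file path, store password and optional store type are command-line arguments; no Openfire paths or default passwords are assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

/**
 * Lists the entries of a Java keystore and classifies each one.
 * Usage: java InspectStore <keystore-file> <store-password> [store-type]
 * The store type defaults to the JVM default (PKCS12 on current JDKs, which
 * also reads JKS files thanks to the keystore compatibility mode).
 */
public class InspectStore {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java InspectStore <keystore-file> <store-password> [store-type]");
            System.exit(2);
        }
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }

        Date now = new Date();
        int keyEntries = 0, trustEntries = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                // A key entry with a chain is what an identity store holds:
                // the server's private key plus the certificate(s) it serves.
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    System.out.printf("%s: key entry without a certificate chain (not usable as identity)%n", alias);
                    continue;
                }
                keyEntries++;
                System.out.printf("%s: private key + chain of %d certificate(s) [identity entry]%n", alias, chain.length);
                for (Certificate c : chain) {
                    report("    ", c, now);
                }
            } else if (ks.isCertificateEntry(alias)) {
                // A trusted-certificate entry is what a trust store holds:
                // a CA (or peer) certificate with no private key attached.
                trustEntries++;
                System.out.printf("%s: trusted certificate [trust entry]%n", alias);
                report("    ", ks.getCertificate(alias), now);
            }
        }
        System.out.printf("%d identity entr%s, %d trust entr%s%n",
                keyEntries, keyEntries == 1 ? "y" : "ies",
                trustEntries, trustEntries == 1 ? "y" : "ies");
    }

    /** Prints subject, issuer and validity window of one certificate, noting expiry. */
    static void report(String indent, Certificate cert, Date now) {
        if (!(cert instanceof X509Certificate)) {
            System.out.println(indent + "non-X.509 certificate of type " + cert.getType());
            return;
        }
        X509Certificate x = (X509Certificate) cert;
        boolean expired = x.getNotAfter().before(now);
        boolean notYetValid = x.getNotBefore().after(now);
        System.out.printf("%ssubject: %s%n", indent, x.getSubjectX500Principal());
        System.out.printf("%sissuer:  %s%n", indent, x.getIssuerX500Principal());
        System.out.printf("%svalid:   %s .. %s%s%n", indent, x.getNotBefore(), x.getNotAfter(),
                expired ? "  ** EXPIRED **" : notYetValid ? "  ** NOT YET VALID **" : "");
    }
}
```

Running this against the identity store should show exactly the key entry (or entries) Openfire serves, and running it against the trust store should show only trusted-certificate entries; a private key turning up in a trust store, or an expired leaf certificate in the identity store, is the kind of thing that is easy to miss in the admin console and worth catching before clients start failing their handshakes.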