Import SSL Key and Certificate

Hi,

I got an SSL Key and Certificate from my CA. I have some problems to import them into Openfire 3.3.0.

I got both files in PEM-Format. Because Openfire says there are in bad format, I use only this parts:

-BEGIN RSA PRIVATE KEY

…blabla…

-END RSA PRIVATE KEY

-BEGIN CERTIFICATE

…blabla…

-END CERTIFICATE

I tried the hidden page, mentioned here, to import the files.

https://my-jabber-server.com:9091/import-certificate.jsp

But I get the following:

There was an error one importing private key and signed certificate. Error message: Failed to establish chain from reply

The I tried to import the PEM-Cert form my CA with Java-Keytool:

cd openfire/resources/security

keytool -import -v -trustcacerts -file cert-from-ca.pem -keystore truststore

but this doesn’'t help.

My CA (my university) is not NOT a Top-Level-CA itself. The certificate chain ends at DFN Top Level CA, which is NOT trusted by any of “default” Top-Level-CAs. Maybe this is the problem…

Any ideas?

thanks in advance,

Coolcat

Message was edited by: Coolcat

I had exactly the same problem,

here’'s how to do it.

get the root CA certificate from your CA (your university in that case)

use keytool to import it into $OPENFIRE_HOME/resources/security/truststore

then take you’'re rsa key and certificate to the import-certificate.jsp page and import them.

i still have a message that a certificate is missing but I think that should be solveable…

hope that helps

thanks, I will try it on sunday or so…

if you care to find out,

i don’'t get why i need a *.example.com certificate for the server. my server is jabber.example.com and imho that should be the only entrypoint to the jabber service. all other things are

a) either discovered via dns or

b) iirc wrapped in xml request (e.g. broadcast.openforce.com doesn’'t exist it just describes the service)

here’'s how to do it.

hm, this didn’'t worked for me.

But I found another way:

I will describe here exactly what I have done. Maybe there is a better way and not every detail here is important. Use this guide at your own risk.

Requirements

  • Openfire has to run with Java 1.6 and you have to use the Java 1.6 keytool. I used an JDK 1.6.0_02 from Sun. According to this site an older keytool can not import third party signed certificates correctly.

  • Certificate (jabber-signed.pem) and Key (jabber-private.pem) in PEM format.

  • Certificate chain in PEM format. I got two certificates: DFN-CA (dfn-ca.pem) and RWTH-CA (rwth-ca.pem).

  • ImportKey.java from http://www.agentbob.info/agentbob/79.html

Step by Step

Make a backup form your keystore and truststore files. Make a second copy to work with. (Don’'t work on a running system…) You will find both files in /opt/openfire/resources/security.

Import your certificate chain from top to bottom into your existing truststore:

keytool -importcert -alias dfn-ca -keystore truststore -file dfn-ca.pem
keytool -importcert -alias rwth-ca -keystore truststore -file rwth-ca.pem

convert your key and certificate into DER-Format:

openssl pkcs8 -topk8 -nocrypt -in jabber-private.pem -inform PEM -out jabber-private.der -outform DER
openssl x509 -in jabber-signed.pem -inform PEM -out jabber-signed.der -outform DER

modify ImportKey.java according to following diff-output. This is a program from an untrusted source which works directly with your private key, you should check exactly what it does…use at your own risk.

[coolcat@sempron2800 KeyStore]$ diff ImportKey.java ImportKey_original.java
87c87
<         String keypass = "changeit";
---
>         String keypass = "importkey";
90c90
<         String defaultalias = "private-key";
---
>         String defaultalias = "importkey";
93c93,99
<         String keystorename = "keystore";
---
>         String keystorename = System.getProperty("keystore");
>
>         if (keystorename == null)
>             keystorename = System.getProperty("user.home")+
>                 System.getProperty("file.separator")+
>                 "keystore.ImportKey"; // especially this ;-)
> compile the class with java 1.6:

javac ImportKey.java

create a *new keystore file* in current working directory, which contains your private key:

java ImportKey jabber-private.der jabber-signed.der

copy keystore and truststore file back to +/opt/openfire/resources/security+ and restart your openfire server. On +Server Certificates+ page in adminconsole the new key is shown as +Pending Verification+, so I tried to import my certificate into the truststore, but this seems not to change anything.

keytool -importcert -alias jabber-cert -keystore truststore -file jabber-signed-short.pem

+jabber-signed-short.pem+ is the plain certificate, just this part:

-BEGIN CERTIFICATE

/* … */


END CERTIFICATE-----

Finally I ignored the Pending Verification, because it worked.

Additionally Server Certificates page says something like “One or more certificates are missing. Click here to generate self-signed certificates.”, i I ignored it, too.

I will get an email when someone answers on this thread, so ask your questions here, also if this thread grows older. I hope this will help someone.

Coolcat

Message was edited by: Coolcat

Here is what worked for me, after a week of racking my brain on this issue. My certs were generated using openssl version 0.9.8b and my certs were signed by Digital Signature Trust.

  1. Convert your private key to DER format

openssl pkcs8 -topk8 -nocrypt -in jabber.key -inform PEM -out jabber.key.der -outform DER

  1. Convert your cert and root cert(Digital Signature Trust root certs) and/or intermediate cert into DER format

openssl x509 -in jabber.crt -inform PEM -out jabber.crt.der -outform DER

openssl x509 -in roots.crt -inform PEM -out roots.crt.der -outform DER

  1. cat jabber.crt.der roots.crt.der > jabber.der

Now I used the keystore file from the original install from /opt/openfire/resources/security with JDK 1.6.0_02 and a program similair to AgentBob, which is from an ex employee where I work.

java KeyStoreImport /opt/openfire/resources/security/keystore jabber.der jabber.key.der jabber.imsa.edu

This imported and now showed it was signed and not in a pending status. Please let me know if you want me to post the KeyStoreImport java file and class I used.

thanks.

  1. cat jabber.crt.der roots.crt.der > jabber.der

I think thats the trick, I will try it when I find some time…

tlj,

Could you please post your KeyStoreImport.java file here? Just copy&paste it to your reply.

Thanks in advance

Hi All,

I am new to Openfire. I want to configure Openfire to use SSL. For that , I have obtained a SSL certificate from Thwate. But I dont know how to use this certificate from OpenFire admin console. Can you please reply …its urgent.

Thanks in advance