
Importing certificates into wildfire

Hello,

1) The instructions for setting up wildfire use the keytool program to create a self-signed certificate for my server and put it into the “keystore” file. E.g.:

keytool -genkey -keystore keystore -alias example.com

2) It then goes on to show you how to create a Certificate Signing Request (CSR) file to send to a Certificate Authority (CA organizations such as Verisign) for signing:

keytool -certreq -keystore keystore -alias example.com -file certificate_file

3) Once you get the signed certificate back from the CA, you import it into your wildfire “keystore” file as follows:

keytool -import -keystore keystore -alias example.com -file signed_certificate_file

The signed certificate or the original self-signed certificate is what I need for the admin screen, which should look something like:


-----BEGIN CERTIFICATE-----
MIID6DCCA1GgA0IBAgIBADANBgkqhkiG9w0BAQQFADCBrzELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE1hcnlsYW5kMRUwEwYDVQQHEwxHYWl0aGVyc2J1cmcxHzAdBgNV
BAoTFkRlcGFy221lbnQgb2YgQ29tbWVyY2UxNzA1BgNVBAsTLk5hdGlvbmFsIElu
c3RpdHV0ZSBvZiBTdGFuZGFyZHMgYW5kIFRlY2hub2xvZ3kxHDAaBgNVBAMTE3Nl
dXJhdC5jYnQubmlzdC5nb3YwHhcNMDYwMjE2MjIzNjEwWhcNMjYwMjExMjIzNjEw
WjCBrzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1hcnlsYW5kMRUwEwYDVQQHEwxH
YWl0aGVyc2J1cmcxHzAdBgNVBAoTFkRlcGFydG1lbnQgb2YgQ29tbWVyY2UxNzA1
BgNVBAsTLk5hdGlvbmFsIEluc3RpdHV0ZSBvZiBTdGFuZGFyZHMgYW5kIFRlY2hu
b2xvZ3kxHDAaBgNVBAMTE3NldXJhdC5jYnQubmlzdC5nb3YwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBANiWCdCIN3VaD71yrDhFBu6rRjgWznkCI1rLgp4LhNl7
Tou+bieglMsEEgrSt3u7e61wc0dEYRcPW6OBegp21Jx4Uen38pJmZRrMGQfrKZWx
nzU631K4NzXqep6jB0wGxP1VHRcYvzDmlAIk9Tvi2HrYNlmIeACLSJ9xPnX4t7FX
AgMBAAGjggEQMIIBDDAdBgNVHQ4EFgQUyVSnC9Ek9Eak79yFA9FDDk+Gpp4wgdwG
A1UdIwSB1DCB0YAUyVSnC9Ek9Eak79yFA9FDDk+Gpp6hgbWkgbIwga8xCzAJBgNV
BAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEVMBMGA1UEBxMMR2FpdGhlcnNidXJn
MR8wHQYDVQQKExZEZXBhcnRtZW50IG9mIENvbW1lcmNlMTcwNQYDVQQLEy5OYXRp
b25hbCBJbnN0aXR1dGUgb2YgU3RhbmRhcmRzIGFTZCBUZWNobm9sb2d5MRwwGgYD
VQQDExNzZXVyYXQuY2J0Lm5pc3QuZ292ggEAMGwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQEEBQADgYEAY2gVTlKjFyCGa40vhr3HBcdEpRXrmvZqNJBDeGfDhJeNyx
OpSz2LK0jex1bWUmYswiQF52rI2pmj9bHRWRqzHqxEdP0lXEOFsE0QAQ2I+mZaZ/
PRmy63bw5vSVUcfAcXV7+eHcj12vDqsOETfNOW5GP3C8NsRaB43XJClzg7U=
-----END CERTIFICATE-----

In the admin console “Server->Security Settings”, in the “Certificate” box, it says:

Paste in the certificate sent to you by the CA or the self-signed certificate generated via the keytool.

Since I don't need an officially signed certificate from a Certificate Authority, does anyone know how to extract wildfire's self-signed server certificate from the “keystore” file that lives in directory “resources/security” (i.e. the one created from step 1 above) so that I can copy its content (such as shown above) and import it into another wildfire server's admin screen?

I'm thinking that this is how wildfire does “client certificate verification” - i.e. when a client connects, wildfire requests the client's certificate and compares it with its “truststore” file before authorizing connectivity - is this correct?

avinh

You should have searched the forum with the word ‘‘self-signed’’. I hope this thread has the answer.

http://www.jivesoftware.org/community/thread.jspa?threadID=16804&tstart=0

Regards,

wmhtet


Hi wmhtet, thanks for the reference - nice writeup by the way…

I did what you've posted to get to the “text” version of my server's certificate that is in between the strings “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.

I copied the certificate information into wildfire's “Server->Security Settings” for the “Certificate” field and tried to install it as a “Server Certificate” as well as a “Client Certificate”, but again both had the same error - i.e. “Error installing the certificate.”

Have you tried to install a certificate into wildfire before? What am I doing wrong?

Thanks - Alan

Alan

You might consider this also.

http://www.jivesoftware.org/community/thread.jspa?threadID=17387&tstart=0

Did you change the keystore password? You shouldn't.

Regards,

wmhtet

Thanks for your help…

This is what I've found that works:

When originally setting up the keystore for your wildfire server, use the following command to store a certificate into the resources/security/keystore file (the validity flag is the number of days, i.e. 7300 days = ~20 years):

keytool -genkey -validity 7300 -keystore keystore -alias my.server.domain

Use the following command to export the certificate from the keystore file:

keytool -export -alias my.server.domain -keystore keystore -file myserver_exported.crt

To import another certificate into the keystore, use the following command:

keytool -import -keystore keystore -alias my.other.server.domain -file my_other_server_exported.crt

Reboot the wildfire server, then go into the admin console under “Server->Security Settings” and you'll see that both certificates have been installed.
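The three keytool steps the thread settles on (generate a self-signed server certificate, export it, import another server's certificate), carried through end to end as an added example. This is not code from the original thread or from Wildfire itself: the keystore paths, aliases and the `changeit` password are assumptions for the demo, and it works on throwaway keystores rather than on resources/security/keystore. It also shows two things the posts leave implicit: `-rfc` on the export makes keytool write the base64 `-----BEGIN CERTIFICATE-----` text the admin console's “Certificate” box asks for (without it you get binary DER), and a fingerprint comparison confirms the file you are about to paste really is the entry you meant to export.

```shell
#!/bin/sh
# Added example, not code from the thread or from Wildfire. Paths, aliases
# and the "changeit" password are assumptions; nothing here touches a real
# resources/security/keystore. Requires the JDK's keytool on PATH.
set -eu

STOREPASS="changeit"   # assumed; use whatever password the Wildfire install has

# Step 1: self-signed RSA key pair. -dname replaces the interactive prompts;
# the CN must be the XMPP domain clients connect to. -validity is in days.
gen_self_signed() {   # $1 = keystore path, $2 = alias / server domain
    keytool -genkey -keyalg RSA -keysize 2048 -validity 7300 -storetype JKS \
        -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias "$2" -dname "CN=$2, OU=XMPP, O=Example, C=US" 2>/dev/null
}

# Step 2: export the certificate. -rfc writes the base64 PEM block instead of
# binary DER, i.e. the text between BEGIN/END CERTIFICATE the poster wanted.
export_pem() {        # $1 = keystore path, $2 = alias, $3 = output file
    keytool -export -rfc -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" -file "$3" 2>/dev/null
}

# Step 3: import another server's certificate as a trusted entry.
# -noprompt answers the "Trust this certificate?" question with yes.
import_trusted() {    # $1 = keystore path, $2 = alias, $3 = PEM or DER file
    keytool -import -noprompt -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" -file "$3" 2>/dev/null
}

# Check: number of entries, parsed from keytool's
# "Your keystore contains N entries" summary line.
entry_count() {       # $1 = keystore path
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/.*contains \([0-9][0-9]*\) entr.*/\1/p'
}

# Check: does the exported file carry the PEM header and footer?
is_pem() {            # $1 = certificate file
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
    grep -q '^-----END CERTIFICATE-----$' "$1"
}

# Check: SHA1 fingerprint of a certificate file (keytool -printcert).
fingerprint_of_file() {   # $1 = certificate file
    keytool -printcert -file "$1" 2>/dev/null \
        | grep 'SHA1:' | head -n 1 | sed 's/.*SHA1: *//' | tr -d ' \t\r'
}

# Check: SHA1 fingerprint of the certificate stored under an alias.
fingerprint_in_store() {  # $1 = keystore path, $2 = alias
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
        | grep 'SHA1:' | head -n 1 | sed 's/.*SHA1: *//' | tr -d ' \t\r'
}

# Walk-through on two throwaway keystores: server A trusts server B's cert.
demo() {
    WORK=$(mktemp -d)
    gen_self_signed "$WORK/keystore" "my.server.domain"
    export_pem "$WORK/keystore" "my.server.domain" "$WORK/myserver_exported.crt"

    gen_self_signed "$WORK/keystore_b" "my.other.server.domain"
    export_pem "$WORK/keystore_b" "my.other.server.domain" "$WORK/my_other_server_exported.crt"
    import_trusted "$WORK/keystore" "my.other.server.domain" "$WORK/my_other_server_exported.crt"

    echo "entries in $WORK/keystore: $(entry_count "$WORK/keystore")"
    is_pem "$WORK/myserver_exported.crt" && echo "export is PEM text, safe to paste"
    if [ "$(fingerprint_of_file "$WORK/myserver_exported.crt")" = \
         "$(fingerprint_in_store "$WORK/keystore" my.server.domain)" ]; then
        echo "fingerprint of exported file matches the keystore entry"
    fi
    cat "$WORK/myserver_exported.crt"
}

if command -v keytool >/dev/null 2>&1; then
    demo
else
    echo "keytool (JDK) not found on PATH; nothing run" >&2
fi
```

Two caveats worth keeping in mind: keytool runs a single keystore here, but Wildfire also keeps a separate `truststore` in resources/security, so a certificate that should be trusted for server-to-server or client connections goes there rather than into `keystore`; and if the keystore password was changed from the install default, pass the real one in `STOREPASS`, since a wrong password is one of the ways the admin console ends up showing “Error installing the certificate.”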

not even helpful points to the thread I have posted?

Your posts did help, the following command came from your first reference:

keytool -export -alias my.server.domain -keystore keystore -file myserver_exported.crt

Thanks

Avinh,

Did you ever figure out how to do jabber client-side certificate-based authentication?

Which jabber clients support this?

Thanks.

Peace.

Jason