Issue changing SSL cert Openfire 3.7.0 (Linux)

dweez · September 20, 2011, 4:03pm

Ok, I’ve been banging my head against a wall for about a week now. Our current thawte cert is due to expire soon. We now have our institutional certs trusted through GlobalSign so I’m trying to switch to that cert. I have the key in PEM, the cert in PEM, and the cachain in PEM. I’ve tried using the admin console cert import with no success. I’ve tried different commands with keytool to no success. Any help would be greatly appreciated.

One thing I’ve noticed, when I attempt to import the cachain into a truststore, even though it contains 4 certs, only 1 is imported. With the admin console import, I’ve tried just c/p the key and cert to the proper field and sometimes I get an error. I’ve also tried c/p the key, then the cert, then c/p the cachain to the end of the cert. This doesn’t give me an error but it also doesn’t seem to import the cert.

–dweez

dweez · September 21, 2011, 2:56pm

Well, I have resolved this (in a bit of a round about way). I used Portecle ( http://portecle.sourceforge.net/ ) to combine my key, cert, and ca_chain into a PKCS#12 bundle. I then used keytool on a different box than the Openfire server (because the java version on the Openfire server is older and doesn’t have the new switches) to import the PKCS#12 into a JKS. Openfire then happily accepted it.

While troubleshooting this, one of my co-workers asked if there was anyway to have Openfire just use PKCS#12 files instead of JKS. I noticed this thread, “Openfire SSL configuration with PKCS12 unecessarily painful” ( http://community.igniterealtime.org/thread/43087 ) but was just curious if there was a less “painful” method.