Long-lasting free certificate generation by igniterealtime

What about making an igniterealtime service for generating long-lasting (1…5 years) FREE TLS certificates for Openfire and other instant messaging community products, that can be used without domain registration? As simple to use as self-signed.

I don’t understand your question. Are you suggesting IgniteRealtime community to become a CA and issue certificates?

Yes. But only for igniterealtime's own products. For simple usage and free-of-charge purposes only. Certificates not for use for legal purposes, and not requiring any special attention from you except an open point of connection on the Internet.

There are a lot of legal and technical requirements to be a CA and I don’t think IgniteRealtime (being just a bunch of a few volunteers with limited system resources) is capable of doing such a thing.

Also, certificates are not issued for products, but for domains. And certificates must be trusted worldwide for operating systems and browsers to include them, so your browsers and IM clients won’t have to trust them manually. So the CA must be trusted worldwide. Anyway, this is a complicated matter. There are already many paid and a few unpaid options to get certificates or work around self-signed certificate issues. The only place IgniteRealtime could improve is with importing certificates, as this is the common problem Openfire users face (based on forum posts). But I’m not sure if this is not some sort of Java security store limitation causing the problems.

Aleksey wrote:

Certificates not for use for legal purposes.

Certificates not for use for legal purposes, and not requiring any special attention from you except an open point of connection on the Internet.

This goes against using certificates in the first place. If your certificates are not trusted, what’s the point in using them? Also, certificates expire (no matter how long lasting they are), every new certificate should be registered and its expiration date should be saved and returned to every request by a browser/client. This number will grow exponentially and will require huge system resources eventually.

you may want to look into letsencrypt.org

It’s not fair to suggest using Let’s Encrypt, when even we (akrherz actually) abstain from using it on our Openfire server here, because it is complicated. One part is the short validity period and the need to somehow automate the renewal. Yeah, there are tools to do this with websites, but Openfire? And there is also some issue with not supporting wildcards or something. At some point it might become a viable option (if they don’t go bankrupt before that, as they are burning lots of money on hardware and staff, and it’s not sure for how long they will get enough sponsoring). But for now it seems other CAs are a more convenient option.

true…but it meets the free requirement for a valid CA

I can see how the wildcard thing might be an issue, but it does support SAN, so with a little work, a user might be able to cover everything they need…

I personally haven’t messed with it… perhaps I should, and see what happens! I use a Comodo wildcard which can be found at a reasonable price of 150 for 3 yrs…

We also use Comodo and Rapid wildcard certificates for our websites (2-3 years validity). I was thinking of trying Let’s Encrypt for our internal Openfire server, so there wouldn’t be a need to change settings in Spark. But not until there is some easy automation tool.

Yes. The common problem looks like

Where to go with this problem? How much money to pay, to whom and for what? It isn’t necessary for me that the certificate be an official tool for judicial proceedings. Simplify the procedure of obtaining the certificate.

I think you miss the point of a trusted CA and trusted certificate. It’s not for some judicial proceedings. If the certificate is not trusted, sure, it will encrypt the traffic, but there is a chance of a man-in-the-middle attack forging the certificate. And as your client agrees to accept the untrusted certificate (by an exception), it will also accept the forged certificate without warning the user.

If your Openfire server is on Linux you can use cron jobs to automate the renewal process. It is a pretty simple process. I used LetsEncrypt and a cron job renewal when testing a mail server that I made.

Have you tried this with Openfire though? Openfire uses a Java keystore, so I wonder if it can be automatically updated. Probably it can. I have done cert importing for another service based on Java. It involved some file copying and running keytool commands. This can be automated, I guess, but I would still worry a bit.
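
The cron-driven renewal and the keytool import discussed in the two posts above, as an added example that is not code from the original posts or from the Openfire or Let’s Encrypt projects: a POSIX shell script usable as a certbot deploy hook. It bundles the renewed PEM key and chain into a PKCS#12 file with openssl (keytool cannot import a bare PEM private key) and replaces the entry in Openfire’s JKS keystore. The keystore path (/opt/openfire/resources/security/keystore), the alias xmpp.example.com, the “changeit” store password and the need to restart Openfire afterwards are assumptions; check them against your install.

```shell
#!/bin/sh
# Added example, not Openfire's or certbot's own tooling: push a renewed
# Let's Encrypt certificate into Openfire's Java keystore.
set -eu

# Assumed locations and defaults; adjust for your install.
OPENFIRE_HOME="${OPENFIRE_HOME:-/opt/openfire}"
KEYSTORE="${KEYSTORE:-$OPENFIRE_HOME/resources/security/keystore}"  # assumed path
STOREPASS="${STOREPASS:-changeit}"                                   # assumed default
ALIAS="${ALIAS:-xmpp.example.com}"                                   # hypothetical XMPP domain

# import_cert PRIVKEY FULLCHAIN KEYSTORE STOREPASS ALIAS
# Bundle key + chain into PKCS#12, then replace ALIAS in the JKS keystore.
import_cert() {
    key="$1"; chain="$2"; ks="$3"; pass="$4"; alias="$5"
    tmp="$(mktemp -d)"
    openssl pkcs12 -export -in "$chain" -inkey "$key" -name "$alias" \
        -out "$tmp/bundle.p12" -passout "pass:$pass"
    # Remove the previous entry first: a renewal must replace, not duplicate, and
    # importkeystore refuses (or prompts) on an existing alias. Absent alias is fine.
    keytool -delete -alias "$alias" -keystore "$ks" -storepass "$pass" >/dev/null 2>&1 || true
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp/bundle.p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -srcalias "$alias" \
        -destkeystore "$ks" -deststoretype JKS \
        -deststorepass "$pass" -destkeypass "$pass" -destalias "$alias"
    rm -rf "$tmp"
}

# keystore_has_alias KEYSTORE STOREPASS ALIAS -> exit 0 if ALIAS is present
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# keystore_entry_count KEYSTORE STOREPASS ALIAS -> number of entries named ALIAS
# (JKS stores aliases lowercased; keytool prints one "alias, date, type," line each)
keystore_entry_count() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c "^$3," || true
}

# certbot runs deploy hooks with RENEWED_LINEAGE pointing at the renewed
# live/<domain> directory. From cron:
#   certbot renew --deploy-hook "/usr/local/bin/openfire-cert-hook.sh deploy"
# then restart Openfire so it reloads the keystore (assumed to be required).
case "${1:-}" in
    deploy)
        lineage="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$ALIAS}"
        import_cert "$lineage/privkey.pem" "$lineage/fullchain.pem" \
            "$KEYSTORE" "$STOREPASS" "$ALIAS"
        ;;
esac
```

Two practical caveats: OpenSSL 3 writes PKCS#12 files with AES/PBKDF2 by default, which Java 8 releases older than 8u301 cannot read, so add `-legacy` to the `openssl pkcs12` call on such a JDK; and because the hook runs under cron, keep stderr unsilenced so a failed import shows up in the cron mail rather than Openfire silently serving an expired certificate.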

No, I have not tried this with Openfire, and I will admit that I am quite new to it so I do not know how everything works yet.