New feature: Using Windows certificate stores in Openfire!

Openfire 4.4.2 brings a change that can be leveraged for a new kind of integration with Microsoft Windows.


Traditionally, Openfire ships with its own set of certificate stores. These are the repositories that hold various certificates, which are most commonly used to establish encrypted connections.

As of Openfire 4.4.2, you can configure Openfire to make use of the certificate stores that are part of, and managed by, Microsoft Windows. Note that doing this currently allows Openfire to make modifications to these stores! Some might consider this a bug, while others think it’s a feature.

To configure Openfire to make use of the Windows keystores, define these properties:

  • property name: xmpp.socket.ssl.trustStoreType value: Windows-ROOT
  • property name: xmpp.socket.ssl.identityStoreType value: Windows-MY
  • property name: xmpp.socket.ssl.client.trustStoreType value: Windows-ROOT
  • property name: xmpp.socket.ssl.client.identityStoreType value: Windows-MY

As the feature is new, we’d love your feedback and suggestions on this!


So for the ignorant layman such as myself, how do I get Openfire to use a certificate already in my Windows keystore? I have a 3rd party signed certificate already installed in my Windows keystore that matches the server name, but when I set those properties in Openfire and restart, it complains that it couldn’t find any matching certificates. I am unsure how to troubleshoot further.

You should only need the property xmpp.socket.ssl.identityStoreType set to value: Windows-MY I think. I’m unsure how Openfire reacts if there are more certificates in the store than it needs. For some versions of Java, it might simply pick a random one, instead of the most appropriate certificate available in the store.

Thanks Guus. It turned out I needed both xmpp.socket.ssl.trustStoreType value: Windows-ROOT and xmpp.socket.ssl.identityStoreType value: Windows-MY and then it worked.
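The "couldn't find any matching certificates" complaint above, and the remark that Java may not pick the most appropriate entry when several are present, both come down to what the Windows-MY store actually holds for the account the JVM runs as. The following is an added example in Java (not Openfire's code and not from anyone in this thread) that opens the same `Windows-MY` KeyStore type the properties name, via the JDK's SunMSCAPI provider, and lists the aliases that have a private key and a valid certificate covering the server name; `xmpp.example.org` is a placeholder host.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class WindowsMyCheck {

    // Does a DNS name from the certificate cover the host? Handles a single leading wildcard label.
    static boolean covers(String pattern, String host) {
        if (pattern.startsWith("*.")) {
            int dot = host.indexOf('.');
            return dot > 0 && host.substring(dot + 1).equalsIgnoreCase(pattern.substring(2));
        }
        return pattern.equalsIgnoreCase(host);
    }

    // All DNS names the certificate claims: the subject CN plus dNSName SAN entries (SAN type 2).
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString());
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null)
            for (List<?> san : sans)
                if (Integer.valueOf(2).equals(san.get(0))) names.add(san.get(1).toString());
        return names;
    }

    // Aliases in Windows-MY that carry a private key and a currently valid certificate for the host.
    public static List<String> usableIdentities(String host) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY"); // SunMSCAPI: personal store of the JVM's user account
        ks.load(null, null);                              // no file and no password, the OS store backs it
        List<String> usable = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;          // certificate without a private key cannot serve TLS
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            try { cert.checkValidity(); } catch (Exception expiredOrNotYetValid) { continue; }
            for (String name : dnsNames(cert))
                if (covers(name, host)) { usable.add(alias); break; }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "xmpp.example.org"; // placeholder server name
        List<String> found = usableIdentities(host);
        System.out.println(found.isEmpty() ? "no usable identity for " + host : "usable: " + found);
        if (found.size() > 1) System.out.println("more than one match; which one is used is up to the JVM");
    }
}
```

Run it under the same Windows account Openfire's service uses, because Windows-MY is per user; an empty result means the store that Openfire sees has no entry with both a private key and a name matching the server.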
