Ok, i’‘ve read through the support forum as much as I can, and there doesn’‘t seem to be an answer for my problem. I am with an organization that gets its SSL certificates through Thawte. According to Thawte’'s web site:
“We also no longer support the DSA algorithm for Java code signing certificates. Instructions for creating an RSA signed request can be found in the “Getting Ready for Codesigning” section below.”
I am unable to get a cert from anywhere else – its our contract/policy, and I have to live with it. I have seen repeated questions on the forum about how to use Wildfire without a DSA (or RSA) cert, and the answer is always, “You need both…”
I really want to roll this out for our company. I know that some clients expect DSA, but I don’‘t care – I have the luxury of demanding that users use clients that will work, and they will have to deal with that. I really don’‘t want this to be the reason that I can’‘t use wildfire! It’'s a beautiful product, and the best available that I have been able to find!
Is there a way to coerce wildfire into not failing when it doesn’'t have a DSA key?
You don’‘t NEED to get your SSL certs signed by a signing authority to get them to work in wildfire. It’‘s nice (and probably recommended by piles of people), but it’'s not require for functionality. You should be able to make a DSA cert for your server and have it self-signed and still be able to function properly.
You also don’'t NEED to use a cert even if you have it.
Unless your company policy requires the certificate to be signed by an outside authority, this should work.
Thanks for the quick response. Unfortunately, I really do need to have signed certs. In my location, security is a high priority, and using self-signed certs is not going to work. I know that average Joe-User doesn’'t understand these things and will just “click through” anyway, but my clientele is savvy enough for it to make a difference.
I’‘m really just hoping that there is some undocumented property or something that could remove DSA from the cipher suite, but I fear that this may be too deeply embedded. I’‘m assuming that it’‘s Java-related, since the other Jabber servers I’'ve tested support RSA-only certs just fine.
The Thawte statement seems to apply to Java Code Signing Certs which you don’'t need.
Also not sure why you need DSA. DSA is a signature algorithm and doesn’'t do encryption.
Just go with RSA, it works fine in Wildfire.
Message was edited by: gtj
I don’'t seem to be able to “just go with RSA” – if I have a self-signed DSA cert and my CA-signed RSA cert, for some reason, Wildfire defaults to using the DSA one all the time. This means that, even though I have both certs loaded in, all the clients complain because they are getting the self-signed one.
If I just load the RSA cert, and have no DSA cert, then I get errors in the log files about not having certs for all algorithms in the cipher suite, and wildfire never listens on 522…
Am I just missing something really obvious?
Message was edited by: jephthai
That error can be caused by trying to import via the web page. The cert is imported but the private key isn’'t. No private key=no encryption.
What format do you have the RSA cert and key in? If its a java type jks keystore, follow the instructions at the bottom of the SSL guide to point wildfire to the keystore directly rather than trying to import it.
If it’'s in another format there are tools available to get it into a jks format. Check some earlier posts regarding SSL.
Thanks for that info – that was exactly what I needed to find. I had no private key (the keystore was a whopping ~900 bytes – now that I have a private key in there, it’'s 1.7K!).
For posterity, here is what worked:
- convert key and CA-signed certificate to DER format with OpenSSL
openssl pkcs8 -topk8 -nocrypt -in key -out key.der -outform der
openssl x509 -in cert -out cert.der -outform der
acquire conversion tool from http://www.comu.de/docs/tomcat_ssl.htm
(recommend setting keystore password and alias in the source code
mv ImportKey.class comu
- create JKS format keystore in home directory
java comu.ImportKey key.der cert.der
- put new keystore in place
cp ~/keystore.ImportKey /opt/wildfire/resources/security/keystore
- restart wildfire…
wildfire stop; wildfire start
And it’'s done. Whew. Clients connect… Firefox loves the cert… all is happy.
Thanks to everyone that helped! I had no idea that my private key was not in the keystore, and no easy way to find out (please don’‘t point out forum posts that discuss the private key issue – I already read them, and somehow I didn’'t put two and two together!).
Whoops – forgot to mention that my issue is answered.
Again, thanks to everyone that helped! (I appreciate your patience).