Hello,
We have an existing OpenFire 3.6.4 installation using a validated, signed GeoTrust QuickSSL certificate. Our certificate is due to expire on October 11th 2010 and we have requested a new certificate from the provider.
Our current certificate and keystore configuration, which is working, looks like this:
[root@xx1 x]# keytool --list -keystore truststore -storepass | grep "geo"
geotrustglobalca, Jul 19, 2003, trustedCertEntry,
[root@xx1 x]#
And has been successfully validating our existing certificates:
[root@xx1 x]# keytool --list -keystore keystore -storepass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
xx1.domain.net_2, Oct 8, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): F0:8A:88:F7:8A:49:5B:42:E1:7E:D7:0A:D2:44:38:47
xx1.domain.net_1, Oct 8, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): F0:8A:88:F7:8A:49:5B:42:E1:7E:D7:0A:D2:44:38:47
[root@xx1 x]#
As we have an existing certificate, we generated a CSR using OpenSSL, had GeoTrust sign it and now have the CSR, Key and Signed certificate. Note that GeoTrust’s “Global CA” is already present in our truststore as shown above.
We attempted to “Import Signed Certificate” under ‘Server Certificates’ > ‘Import’ in OpenFire but receive the error:
“There was an error one importing private key and signed certificate. Error message: Failed to establish chain from reply”
Note: We have already installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
We have tested the keytool import processes available here: http://community.igniterealtime.org/docs/DOC-1243 and here: http://community.igniterealtime.org/docs/DOC-1092 but neither of these worked.
As it stands, we have a remaining 20 days on our production certificate but no way to replace the current certificate with a working version.
We have also tested OpenFire 3.7.0 beta but the same issues exist.
From reading forums, it appears many users have major issues with SSL in the OpenFire platform. I’m surprised Ignite has not provided better documentation for certificate management processes, both GUI and keytool based.
Thanks for your help!