I have managed to solve the problem finally. Here is a step-by-step tutorial on how I setup SSL in openfire.
Openfire version : 3.5.0
Java version : 1.6.0
OS : Debian Etch
XMPP Server Domain : company.com
RSA Private Key : key.pem
Certificate for XMPP server domain : cert.pem
Root CA Certificate : rootca-cert.pem
Intermediate CA Certificate : interca-cert.pem
Install openfire and configure it from the web interface
Stop the openfire server
$ /etc/init.d/openfire stop
- Create a working directory and enter it
$ mkdir openfire-ssl
$ cd openfire-ssl
Now dump the files “key.pem”, “cert.pem”, “rootca-cert.pem” and “interca-cert.pem” into this directory
Next backup keystore and truststore
$ cp -a /etc/openfire/security/keystore keystore.bkup
$ cp -a /etc/openfire/security/truststore truststore.bkup
- Import the Root CA certificate into openfire truststore (if it is not already part of truststore)
$ keytool -importcert -alias “rootca” -keystore /etc/openfire/security/truststore -file rootca-cert.pem
You will be prompted for the keystore password which is “changeit” by default unless you have changed it.
- Remove the default certificates in keystore using keytool
$ keytool -delete -keystore /etc/openfire/security/keystore -alias rsa
$ keytool -delete -keystore /etc/openfire/security/keystore -alias dsa
- Convert your key into DER format
$ openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
- Convert server certificate and all intermediate certificates into DER format and combine them to create a chain certificate
$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
$ openssl x509 -in interca-cert.pem -inform PEM -out interca-cert.der -outform DER
$ cat cert.der interca-cert.der > chain-cert.der
- Copy the file KeyStoreImport.java from http://www.nealgroothuis.name/import-a-private-key-into-a-java-keystore/ and compile it
$ javac KeyStoreImport.java
- Add the domain chain certificate and the private key to keystore
$ java KeyStoreImport /etc/openfire/security/keystore chain-cert.der key.der “company.com_rsa”
You will be prompted for the Keystore password which is “changeit” by default unless you have changed it.
For Private key entry password, I entered the same as the Keystore password. Somehow if I was entering a different password it was not working (not sure why this was happening … maybe I am missing something).
- Start the openfire server
$ /etc/init.d/openfire start
- From web interface, go to Server Settings -> Server Certificates and check if the key and certificate has been added
Be sure that /etc/openfire/security/keystore and /etc/openfire/security/truststore has the proper read permission for openfire. On my system, the owner and group of the files are “openfire” and permissions are “640”.
If you get a keystore corrupt error in the web interface, just copy back the keystore file from the backup and try again. One possible reason could be because the Private Key entry password entered is different from the keystore password (mentioned about this above).