Openfire and SSL

I have been trying for about 1 day to get Openfire set up with SSL but have not succeeded. I am not a novice yet I am just unable to set it up. Here is what I have right now:

  1. My domain is “im.spinaxys.com”

  2. Decrypted private key in PEM format

-----BEGIN RSA PRIVATE KEY-----
0DDqOMbM6JWGZigMsUIjFfZgi9bIQItifQpRmiOmh9fFS4nKXfFtAyc1bKANALQs
...
-----END RSA PRIVATE KEY-----

  3. Wild card signed certificate for “*.spinaxys.com” in PEM format

-----BEGIN CERTIFICATE-----
MIIINzCCBx+gAwIBAgIDAathMA0GCSqGSIb3DQEBBQUAMIG2MQswCQYDVQQGEwJJ
...
-----END CERTIFICATE-----

  4. CA (http://cert.startcom.org/) root certificate in PEM format (I believe this CA is already part of openfire trusted CAs)

-----BEGIN CERTIFICATE-----
MIIFFjCCBH+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBsDELMAkGA1UEBhMCSUwx
...
-----END CERTIFICATE-----

  5. CA intermediate certificate

-----BEGIN CERTIFICATE-----
MIIHdzCCBuCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBsDELMAkGA1UEBhMCSUwx
...
-----END CERTIFICATE-----

I guess this is all that is ever needed to set up SSL support for a server. I must have read at least a zillion documents trying to achieve this but to no use :).

I would be really grateful if anyone could give step by step instructions on how to set up SSL in openfire with the above files. Thanks !!!

what OS are you running?

I am using Debian Etch. Today, using the guidelines provided at http://www.igniterealtime.org/community/message/151675#151675, I was able to import the private key and certificate (with a few more additional steps). But one problem remains. I still get the error “One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key.” though the certificate status is “CA Signed”. Thus whenever I connect to any of the SSL ports, it says the CA wasn’t able to be verified (though the root CA’s cert is already installed in Firefox). What is the solution for this? To be more precise, how do I make Openfire offer the chain certificate (and not just my domain certificate) to my browser?

I am planning to write a step-by-step instruction here on configuring SSL in openfire using our own key and certificate once I get this problem solved.

Looking forward to a response. Thanks.

I have managed to solve the problem finally. Here is a step-by-step tutorial on how I set up SSL in openfire.

Openfire version : 3.5.0

Java version : 1.6.0

OS : Debian Etch

XMPP Server Domain : company.com

RSA Private Key : key.pem

Certificate for XMPP server domain : cert.pem

Root CA Certificate : rootca-cert.pem

Intermediate CA Certificate : interca-cert.pem

  1. Install openfire and configure it from the web interface

  2. Stop the openfire server

$ /etc/init.d/openfire stop

  3. Create a working directory and enter it

$ mkdir openfire-ssl

$ cd openfire-ssl

  4. Now dump the files “key.pem”, “cert.pem”, “rootca-cert.pem” and “interca-cert.pem” into this directory

  5. Next, back up the keystore and truststore

$ cp -a /etc/openfire/security/keystore keystore.bkup

$ cp -a /etc/openfire/security/truststore truststore.bkup

  6. Import the Root CA certificate into the openfire truststore (if it is not already part of the truststore)

$ keytool -importcert -alias "rootca" -keystore /etc/openfire/security/truststore -file rootca-cert.pem

You will be prompted for the keystore password which is “changeit” by default unless you have changed it.

  7. Remove the default certificates in the keystore using keytool

$ keytool -delete -keystore /etc/openfire/security/keystore -alias rsa

$ keytool -delete -keystore /etc/openfire/security/keystore -alias dsa

  8. Convert your key into DER format

$ openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

  9. Convert the server certificate and all intermediate certificates into DER format and combine them to create a chain certificate

$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

$ openssl x509 -in interca-cert.pem -inform PEM -out interca-cert.der -outform DER

$ cat cert.der interca-cert.der > chain-cert.der

  10. Copy the file KeyStoreImport.java from http://www.nealgroothuis.name/import-a-private-key-into-a-java-keystore/ and compile it

$ javac KeyStoreImport.java

  11. Add the domain chain certificate and the private key to the keystore

$ java KeyStoreImport /etc/openfire/security/keystore chain-cert.der key.der "company.com_rsa"

You will be prompted for the Keystore password which is “changeit” by default unless you have changed it.

For the Private key entry password, I entered the same as the Keystore password. Somehow if I was entering a different password it was not working (not sure why this was happening … maybe I am missing something).

  12. Start the openfire server

$ /etc/init.d/openfire start

  13. From the web interface, go to Server Settings -> Server Certificates and check if the key and certificate have been added

Notes:

  1. Be sure that /etc/openfire/security/keystore and /etc/openfire/security/truststore have the proper read permissions for openfire. On my system, the owner and group of the files are “openfire” and the permissions are “640”.

  2. If you get a keystore corrupt error in the web interface, just copy back the keystore file from the backup and try again. One possible reason could be that the Private Key entry password entered is different from the keystore password (mentioned above).
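As an added example (not the KeyStoreImport program linked above, and not Openfire code), the following hypothetical ChainImport class performs step 11 in the same way, but first checks the two things that most often break step 13: that the concatenated DER chain is ordered leaf, intermediate, root (each certificate issued and signed by the next) and that the PKCS#8 key actually belongs to the leaf certificate. It assumes Java 7 or later, an RSA key, a JKS keystore, and takes the password as a fifth argument; the key entry is stored under the keystore password, as the tutorial found necessary.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.interfaces.*;
import java.security.spec.PKCS8EncodedKeySpec;

// Hypothetical helper, assumes Java 7+, RSA key, JKS keystore.
// Usage: java ChainImport <keystore> <chain.der> <key.der> <alias> <password>
public class ChainImport {
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ChainImport keystore chain.der key.der alias password");
            System.exit(2);
        }
        char[] password = args[4].toCharArray();

        // Parse the chain file; CertificateFactory accepts concatenated DER certificates
        // (the output of "cat cert.der interca-cert.der > chain-cert.der").
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (FileInputStream in = new FileInputStream(args[1])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        if (chain.length == 0) throw new IllegalArgumentException("no certificates in " + args[1]);

        // Each certificate must be issued and signed by the one that follows it;
        // a chain in the wrong order is stored but not presented correctly to clients.
        for (int i = 0; i + 1 < chain.length; i++) {
            if (!chain[i].getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal())) {
                throw new IllegalArgumentException("chain[" + i + "] is not issued by chain[" + (i + 1) + "]");
            }
            chain[i].verify(chain[i + 1].getPublicKey()); // throws if the signature does not verify
        }

        // Load the PKCS#8 DER key written by "openssl pkcs8 -topk8 -nocrypt" and
        // confirm it belongs to the leaf certificate (same RSA modulus).
        byte[] keyBytes = Files.readAllBytes(Paths.get(args[2]));
        PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
        RSAPublicKey leafKey = (RSAPublicKey) chain[0].getPublicKey();
        if (!((RSAPrivateKey) key).getModulus().equals(leafKey.getModulus())) {
            throw new IllegalArgumentException("private key does not match " + chain[0].getSubjectX500Principal());
        }

        // Store the entry using the keystore password as the key password, as Openfire expects.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, password); }
        ks.setKeyEntry(args[3], key, password, chain);
        try (FileOutputStream out = new FileOutputStream(args[0])) { ks.store(out, password); }
        System.out.println("imported " + chain.length + " certificate(s) under alias " + args[3]);
    }
}
```

Run it against a copy of the keystore first (step 5's backup) so a failed check leaves the live /etc/openfire/security/keystore untouched.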

Rahul, thanks for the step-by-step process. I’ve been fighting OpenFire for days now and just finished trying this approach. Unfortunately, I’m getting the error below on the last step. Do you have any thoughts?

[root@vps wave-protocol]# java -cp . KeyStoreImport /opt/openfire/resources/security/keystore ./chain-cert.der traitwise.key.der "traitwise.com"
Keystore password:
changeit
java.security.cert.CertificateParsingException: signed fields invalid
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1716)
at sun.security.x509.X509CertImpl.(X509CertImpl.java:303)
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:532)
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:417)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:427)
at KeyStoreImport.main(KeyStoreImport.java:70)