Openfire SSL on Windows Server - unable to import existing PFX cert


I have an exported PFX file from a Windows server that I want to use on the Openfire server (it’s a GoDaddy wildcard cert).

  • I’ve used OPENSSL to break the keyfile out of the PFX file.

  • I’ve used SSL SHOPPER website to break the keyfile out of the PFX file (same results).

  • I’ve used OPENSSL and SSL SHOPPER website to separate the CRT file from the KEYFILE (again, same results from both).

  • I’ve used “keytool” to import the cert into the trust store and verified that it’s there using “keytool -list” after importing

  • I’ve imported the godaddy intermediate cert bundle into the keystore

  • I’ve been able to import the CERT / KEYFILE Into other apps on Windows and apache but NOT openfire

No matter what I do I am not able to paste the contents of the keyfile / certfile into the SSL import screen on openfire. I get the message:

There was an error one importing private key and signed certificate. Error message: org.bouncycastle.cert.X509CertificateHolder cannot be cast to org.bouncycastle.openssl.PEMKeyPair

I have tried this with the PASSPHRASE field populated with the PFX password, with the PASSPHRASE field empty, and with the PASSPHRASE populated with just “abc” as indicated in other posts…no matter what I do I am not able to import my existing cert.

I can convert this valid PFX file any way that is required, but no matter what I do I can’t get this existing cert to import into openfire.

Can someone please let me know if they have successfully used a PFX file with OpenFire setup? I really want to get away from the self signed cert and secure things, but I just can’t get there…thanks in advance everyone!

I have found a way to get my PFX certificate to work and be imported correctly every time…I thought I’d post what I had to do here to help everyone out (Note: this is on a WINDOWS installation running on Server 2008 R2 but this should work on Linux / Unix as well):

  1. Backup the “\openfire\resources\security” folder

  2. Using the SSL Converter tool @, take your PFX file and convert from type: PFX/PKCS#12 to STANDARD PEM…and of course enter your PFX password. The result will be a PEM file that has both your PRIVATE KEY and CERTIFICATE in it. ** Please be sure to keep the PRIVATE KEY of your server secure!

  3. Obtain your intermediate certificate bundle from your SSL cert provider if necessary (i.e. GoDaddy it’s “gd_bundle.crt”).

  4. Drop to DOS and change to the directory where OPENFIRE is installed and change to \openfire\resources\security. In this folder, you should see files called truststore and keystore. Using KEYTOOL (should be in your path from your installation of JAVA…if not, use the KEYTOOL.EXE in the Openfire JRE folder @ \openfire\jre\bin\keytool.exe) type the following: “keytool -importcert -file gd_bundle.crt -keystore truststore” and when prompted for a password, use ‘changeit’. This imports the intermediate certificate into your TRUSTED ROOT LIST … this may or may not be required by your provider.

  5. Once everything is straight and you have converted your certificate into a PEM, the rest is done through the web interface of the admin console.

  • Server Settings --> Server Certificates --> click HERE to import a signed cert

  • Pass phrase used for creating Private Key: changeit

  • Content of Private Key: copy and paste EVERYTHING from your converted PEM file between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----, including these tags.

  • Content of Certificate File: copy and paste EVERYTHING from your converted PEM file between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, including these tags.

  6. If everything was done correctly, you should have a certificate added that has a status of “CA SIGNED RSA CERTIFICATE”. If that is the case, DELETE the (2) self signed certificates and leave the SIGNED cert, and restart OPEN FIRE SERVER.
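The cast error in the question (X509CertificateHolder cannot be cast to PEMKeyPair) is what BouncyCastle's PEM parser produces when the private-key field is parsed and a certificate comes out, which is easy to do by hand when the converted PEM also carries the "Bag Attributes" lines and the certificate. The following added example (not from the original thread or from the Openfire project) splits a converted PEM file into exactly the two blocks steps 5 pastes, drops everything outside the BEGIN/END lines, and flags the mix-ups that trigger that error; the SAMPLE text is a constructed placeholder, not a real key or certificate.

```python
import re

# One PEM block: BEGIN/END label plus base64 body. The "Bag Attributes" lines
# that openssl pkcs12 prints before each block are not matched and so drop out.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Constructed sample in the shape openssl pkcs12 emits; bodies are placeholders.
SAMPLE = """Bag Attributes
    localKeyID: 01 02 03
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK+CONSTRUCTED+PLACEHOLDER+NOT+A+REAL+KEY
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: *.example.com
-----BEGIN CERTIFICATE-----
MIIBrTCCAVegAwIBCONSTRUCTED+PLACEHOLDER+NOT+A+REAL+CERT
-----END CERTIFICATE-----
"""

def split_pem(text):
    """Return (label, whole_block) tuples in file order, BEGIN through END line."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def openfire_fields(pem_text):
    """Return (private_key_field, certificate_field, warnings) for the admin
    console form; raise ValueError if the file cannot yield a usable pair."""
    blocks = split_pem(pem_text)
    keys = [b for lbl, b in blocks if lbl.endswith("PRIVATE KEY")]
    certs = [b for lbl, b in blocks if lbl == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, found %d" % len(keys))
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    warnings = []
    if not keys[0].startswith("-----BEGIN RSA PRIVATE KEY-----"):
        warnings.append("key is not the PKCS#1 'RSA PRIVATE KEY' form the recipe pastes")
    if len(certs) > 1:
        warnings.append("%d certificates found; assuming the first is the server "
                        "certificate, the rest belong in the truststore bundle" % len(certs))
    return keys[0], certs[0], warnings

def explain_cast_error(key_field):
    """Diagnose the X509CertificateHolder -> PEMKeyPair ClassCastException."""
    labels = [lbl for lbl, _ in split_pem(key_field)]
    if "CERTIFICATE" in labels:
        return "private-key field contains a CERTIFICATE block; paste only the key block"
    if not labels:
        return "private-key field has no PEM block (BEGIN/END lines missing?)"
    return "private-key field looks fine"

if __name__ == "__main__":
    key, cert, warns = openfire_fields(SAMPLE)
    print(key, cert, warns, explain_cast_error(cert), sep="\n")
```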