We can’t get Openfire to use our third-party certs. Based on our steps below, can you help us identify what we’re missing?
We’re using Openfire 3.8.2 on Windows Server 2008. We created an installation using all defaults (except we chose the integrated database option) on a development server. After installation, we browsed to the web interface via HTTPS (https://server:9091). In the browser, we viewed the certificate and saw it was using the self-signed RSA cert. So far, so good.
Using keytool, we created a keystore and sent a CSR to a third-party CA. When we got the cert back, we imported the private and public keys through the web interface.
The new certificate appears in the web interface “Server Certificate” section. However, the site was still using the self-signed RSA certificate, not the third-party cert.
Using the web interface, we removed the two self-signed certificates. Now, only our third-party cert appeared in the “Server Certificate” section. The web interface stopped responding to HTTPS. It would only respond in plain-text. We also got the message, "One or more certificates are missing. Click here to generate self-signed certificates."
Still in the web interface, we recreated the self-signed certs. The web interface responded to HTTPS again, but it once again used the self-signed certs.
We repeated the above steps using the keytool program. We got the same results. We thought maybe our cert had some errors, so we imported it into a keystore on a separate server. That server’s Apache Tomcat instance started using the cert with no problems.
So now we have a valid cert that works on other servers, but we can’t get Openfire to use it. Openfire uses either its self-signed certs or nothing at all. Can you point out what we’re missing?