Openfire will only use self-signed cert. Won't use third-party cert

We can’t get Openfire to use our third-party certs. Based on our steps below, can you help us identify what we’re missing?

We’re using Openfire 3.8.2 on Windows Server 2008. We created an installation using all defaults (except we chose the integrated database option) on a development server. After installation, we browsed to the web interface via HTTPS (https://server:9091). In the browser, we viewed the certificate and saw it was using the self-signed RSA cert. So far, so good.

  1. Using keytool, we created a keystore and sent a CSR to a third-party CA. When we got the cert back, we imported the private and public keys through the web interface.

  2. The new certificate appears in the web interface “Server Certificate” section. However, the site was still using the self-signed RSA certificate, not the third-party cert.

  3. Using the web interface, we removed the two self-signed certificates. Now, only our third-party cert appeared in the “Server Certificate” section. The web interface stopped responding to HTTPS. It would only respond in plain text. We also got the message, "One or more certificates are missing. Click here to generate self-signed certificates."

  4. Still in the web interface, we recreated the self-signed certs. The web interface responded to HTTPS again, but it once again used the self-signed certs.

We repeated the above steps using the keytool program. We got the same results. We thought maybe our cert had some errors, so we imported it into a keystore on a separate server. That server’s Apache Tomcat instance started using the cert with no problems.

So now we have a valid cert that works on other servers, but we can’t get Openfire to use it. Openfire uses either its self-signed certs or nothing at all. Can you point out what we’re missing?

Same issue.

Openfire 3.10.0

Windows 2012

I had a similar issue (RHEL-7).

I had it fixed using the following steps.

Create Keystore & CSR file

cd /opt/openfire/resources/security/

keytool -genkey -keyalg RSA -keysize 2048 -keystore keystore -alias domain.com

keytool -certreq -keystore keystore -alias domain.com -file /opt/openfire/resources/security/yourdomain-com.csr

CA will send you 4 files in return.

Combine them in a single file.

cat yourdomain_com.crt > /opt/openfire/resources/security/combine.crt

vi /opt/openfire/resources/security/combine.crt (add a blank line to separate the certs)

cat COMODORSADomainValidationSecureServerCA.crt >> /opt/openfire/resources/security/combine.crt

vi /opt/openfire/resources/security/combine.crt (add a blank line to separate the certs)

cat AddTrustExternalCARoot.crt >> /opt/openfire/resources/security/combine.crt

Import combined crts into keystore

cd /opt/openfire/resources/security/

keytool -import -keystore keystore -alias domain.com -file combine.crt

Restart Openfire

/etc/init.d/openfire restart

Next add the following values via the web admin console:

xmpp.socket.ssl.active = true

xmpp.socket.ssl.keypass = changeit

xmpp.socket.ssl.keystore = resources/security/keystore

xmpp.socket.ssl.port = 443

xmpp.socket.ssl.storeType = JKS

xmpp.socket.ssl.trustpass = changeit

xmpp.socket.ssl.truststore = resources/security/truststore

There is an issue though: when a user signs in from an app, an error message is thrown saying “server cert is not signed by a known CA”.

Still figuring out how to fix this one.

Disclaimer: I’m no expert (rather a newbie). After hours of googling and some help from an expert admin, I reached so far.

HTH
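The combine step in the post above is done by hand with cat and vi because certificate files from a CA often lack a trailing newline, so plain concatenation fuses an "-----END CERTIFICATE-----" line with the next "-----BEGIN CERTIFICATE-----" line and keytool then sees fewer certificates than intended. The script below is an added example, not the poster's commands or anything shipped with Openfire: it builds the combined file in leaf, intermediate, root order, inserting a newline only where one is missing, and checks the result before it is handed to keytool -import. The file names are placeholders and the PEM bodies are constructed fakes, not real certificates.

```shell
#!/bin/sh
# Added example: assemble and check a PEM chain file for keytool -import.
# File names below are placeholders; the PEM blocks are constructed fakes.

# build_chain OUT LEAF [INTERMEDIATE...] ROOT
# Concatenates the PEM files in the given order. If a file does not end with a
# newline, one is appended so the END marker of one cert and the BEGIN marker
# of the next never land on the same line (what the post fixes by hand in vi).
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # $(tail -c 1) is empty when the last byte is a newline, otherwise non-empty
    if [ -n "$(tail -c 1 "$f")" ]; then
      printf '\n' >> "$out"
    fi
  done
}

# check_chain FILE EXPECTED_COUNT
# Succeeds only when FILE holds exactly EXPECTED_COUNT cleanly delimited PEM
# blocks: matching BEGIN/END counts and no line with fused markers.
check_chain() {
  file=$1; expected=$2
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
  fused=$(grep -c 'END CERTIFICATE-----.*BEGIN CERTIFICATE' "$file" || true)
  [ "$begins" -eq "$expected" ] && [ "$ends" -eq "$expected" ] && [ "$fused" -eq 0 ]
}

# make_samples DIR
# Writes three constructed (fake) PEM files the way a CA might deliver them:
# the leaf deliberately has NO trailing newline, the other two do.
make_samples() {
  dir=$1
  printf -- '-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----' > "$dir/yourdomain_com.crt"
  printf -- '-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n' > "$dir/intermediate.crt"
  printf -- '-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n' > "$dir/root.crt"
}

# Demonstration on the constructed input: plain cat produces a broken bundle,
# build_chain produces one that check_chain accepts.
d=$(mktemp -d)
make_samples "$d"
cat "$d/yourdomain_com.crt" "$d/intermediate.crt" "$d/root.crt" > "$d/naive.crt"
check_chain "$d/naive.crt" 3 || echo "naive.crt: markers fused, keytool would not see 3 certificates"
build_chain "$d/combine.crt" "$d/yourdomain_com.crt" "$d/intermediate.crt" "$d/root.crt"
check_chain "$d/combine.crt" 3 && echo "combine.crt: 3 certificates, ready for keytool -import -keystore keystore -alias domain.com -file combine.crt"
```

After importing the combined file into the alias that holds the private key, `keytool -list -v -keystore keystore` shows a "Certificate chain length:" line under that alias; a value of 1 means only the leaf was installed and the intermediates were lost, which is one common reason clients report that the server certificate is not signed by a known CA.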
