We can’t get Openfire to use our third-party certs. Based on our steps below, can you help us identify what we’re missing?
We’re using Openfire 3.8.2 on Windows Server 2008. We created an installation using all defaults (except we chose the integrated database option) on a development server. After installation, we browsed to the web interface via HTTPS (https://server:9091). In the browser, we viewed the certificate and saw it was using the self-signed RSA cert. So far, so good.
Using keytool, we created a keystore and sent a CSR to a third-party CA. When we got the cert back, we imported the private and public keys through the web interface.
The new certificate appears in the web interface “Server Certificate” section. However, the site was still using the self-signed RSA certificate, not the third-party cert.
Using the web interface, we removed the two self-signed certificates. Now, only our third-party cert appeared in the “Server Certificate” section. The web interface stopped responding to HTTPS. It would only respond in plain text. We also got the message, "One or more certificates are missing. Click here to generate self-signed certificates."
Still in the web interface, we recreated the self-signed certs. The web interface responded to HTTPS again, but it once again used the self-signed certs.
We repeated the above steps using the keytool program. We got the same results. We thought maybe our cert had some errors, so we imported it into a keystore on a separate server. That server’s Apache Tomcat instance started using the cert with no problems.
So now we have a valid cert that works on other servers, but we can’t get Openfire to use it. Openfire uses either its self-signed certs or nothing at all. Can you point out what we’re missing?
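The keytool workflow described in the post, carried through end to end as an added example (this is not the poster's script or Openfire's own code). It runs offline by constructing a throwaway local CA to stand in for the third-party CA, and it ends with the checks a practitioner would want before copying the keystore into Openfire: that the alias is a PrivateKeyEntry (private key and CA-signed certificate joined in one entry, not a separate trustedCertEntry) and that the certificate chain is longer than one (the CA reply actually replaced the self-signed certificate). Assumptions, not facts from the post: that Openfire 3.8.x looks for the server certificate under the alias `<xmpp.domain>_rsa` in a JKS keystore whose store password and key password are both `changeit` (the defaults for `conf/security/keystore`), that the XMPP domain is `xmpp.example.com`, and that a JDK providing `keytool` is installed. The same commands work in a Windows command prompt with the paths adjusted.

```shell
#!/bin/sh
# Added example, not from the original post. Needs a JDK (keytool).
# Assumed (not stated in the post): Openfire 3.8.x serves the certificate stored
# under alias <xmpp.domain>_rsa in a JKS keystore with store and key password
# both "changeit"; the domain here is xmpp.example.com.
set -eu

DOMAIN="xmpp.example.com"
ALIAS="${DOMAIN}_rsa"          # Openfire's alias convention (assumed)
STOREPASS="changeit"           # key password must equal the store password
WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/keystore"            # would be copied to Openfire's conf/security/keystore
CA_KS="$WORK/ca.jks"           # constructed stand-in for the third-party CA

# keytool is a JDK tool; without it there is nothing to demonstrate.
if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found: install a JDK to run this example" >&2
    exit 0
fi

# Constructed test CA (stand-in for the real third-party CA).
make_test_ca() {
    keytool -genkeypair -storetype JKS -keystore "$CA_KS" \
        -storepass capass -keypass capass -alias ca \
        -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Constructed Test CA" -ext bc:c >/dev/null
    keytool -exportcert -keystore "$CA_KS" -storepass capass \
        -alias ca -rfc -file "$WORK/ca.pem" >/dev/null
}

# Step 1: key pair and CSR under the alias Openfire expects, keypass == storepass.
make_keypair_and_csr() {
    keytool -genkeypair -storetype JKS -keystore "$KS" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$DOMAIN" >/dev/null
    keytool -certreq -keystore "$KS" -storepass "$STOREPASS" \
        -alias "$ALIAS" -file "$WORK/server.csr" >/dev/null
}

# Step 2: "send the CSR to the CA". Here the constructed CA signs it locally.
sign_csr_with_test_ca() {
    keytool -gencert -keystore "$CA_KS" -storepass capass -alias ca \
        -infile "$WORK/server.csr" -outfile "$WORK/server.pem" -rfc \
        -validity 365 -ext "san=dns:$DOMAIN" >/dev/null
}

# Step 3: import the CA certificate as a trusted entry first, then the signed
# certificate into the SAME alias as the private key. Importing the reply under
# a new alias creates a trustedCertEntry with no private key behind it, which
# is not a usable server certificate.
import_signed_cert() {
    keytool -importcert -noprompt -keystore "$KS" -storepass "$STOREPASS" \
        -alias ca -file "$WORK/ca.pem" >/dev/null
    keytool -importcert -noprompt -keystore "$KS" -storepass "$STOREPASS" \
        -keypass "$STOREPASS" -alias "$ALIAS" -file "$WORK/server.pem" >/dev/null
}

# Checks on the finished keystore. Expected: PrivateKeyEntry, chain length 2,
# and the first certificate issued by the CA rather than self-signed.
entry_type() {
    keytool -list -v -keystore "$KS" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
        | sed -n 's/^Entry type: //p'
}
chain_length() {
    keytool -list -v -keystore "$KS" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}
cert_issuer() {
    keytool -list -v -keystore "$KS" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
        | sed -n 's/^Issuer: //p' | head -n 1
}

make_test_ca
make_keypair_and_csr
sign_csr_with_test_ca
import_signed_cert
echo "alias=$ALIAS type=$(entry_type) chain=$(chain_length) issuer=$(cert_issuer)"
```

Running `keytool -list -v` against the keystore Openfire is actually reading is the quickest way to tell the two failure shapes apart: a third-party certificate that shows up as `trustedCertEntry`, or as a `PrivateKeyEntry` under an alias other than the one ending in `_rsa`, has not been joined to the private key in the place the server looks for it, while a `PrivateKeyEntry` whose chain length is 1 still carries the self-signed certificate. Whether Openfire 3.8.2 keys its lookup on the `_rsa`/`_dsa` alias suffix, and whether its keystore path and password are overridden in `openfire.xml`, is an assumption here to be confirmed against that installation.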