Hi,
I have Openfire running with SSL and it seems to be working, but I want to tell you about my experience:
I have a server certificate signed by ipsCA and have read, time after time, http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html as well as other forum threads and blogs.
These are my current settings in PostgreSQL:
"xmpp.auth.anonymous";"false"
"xmpp.client.tls.policy";"optional"
"xmpp.domain";"notrevealed.onedomain"
"xmpp.server.certificate.accept-selfsigned";"false"
"xmpp.server.dialback.enabled";"true"
"xmpp.server.tls.enabled";"true"
"xmpp.session.conflict-limit";"1"
"xmpp.socket.ssl";"5223"
"xmpp.socket.ssl.active";"true"
"xmpp.socket.ssl.keypass";"changeit"
"xmpp.socket.ssl.storeType";"JKS"
"xmpp.socket.ssl.trustpass";"notrevealed;)"
I’ve tried using keytool from the command line:
* adding the root CA and intermediate CA certificates to /opt/openfire/jre/lib/security/cacerts
* adding the root CA and intermediate CA certificates to /opt/openfire.backup/resources/security/truststore
* adding the server certificate to the Openfire keystore /opt/openfire.backup/resources/security/keystore
(Anyway, I think that one of them was a necessary but not sufficient step.)
None of them fixed the issue: either the certificate didn’t appear in the Server Certificates section of the Web Administration Interface, or there was a problem with the chain.
I’ve even tried to use KeyStoreImport http://www.nealgroothuis.name/import-a-private-key-into-a-java-keystore/ and import the private key.
The solution was, more or less (in the Web UI):
- Paste the private key
- Paste the server certificate and below the intermediate CA certificate
- Delete the self-signed certificate
- Paste the private key
- Paste the server certificate and below the intermediate CA certificate
Yes, I had to do it twice. I don’t understand why; it seems that the private key is not imported correctly. The only thing I find weird is that it shows the certificate twice, but when I use keytool it tells me that it “contains 2 entries”.
What do you think, or better, what is your real experience with this topic?
Greetings