powered by Jive Software

OpenFire's horrible SSL support

So, I’ve been browsing this and other sites for the last 2 days trying to figure out how to work with OpenFire+SSL+renewed-cert. Perhaps their instructions work for some people, but obviously there is something flawed because the community and google are just cluttered with thousands of people having issues. In fact there are so many issues that I can’t find the solution to my problem(although I see several unanswered ports with identical problems), and I cant even find information as to whether OpenFire plans on implementing any type of sane certificate handling in the future.

Does anyone know if OpenFire plans on fixing their SSL support and perhaps using something other than the ill-documented ‘keytool’? Google is so overloaded with OpenFire+keytool+ssl problems that I can’t even find heads or tails about the future of it. From the lack of responses from many of the ssl posts it seems like the OpenFire devs simply don’t care. That given, I cannot in good consience continue using this as it always seems to lead to headaches. I’ve done ssl certs many times and on many distros, and sure, they aren’t super-simple, but… OMG, this is redic.

I would post my problem, but there are plenty of other unanswered posts about SSL(with totally adaquate logs/debug/details). Perhaps there is even an answer somewhere, but in the haystack of openfire+ssl problems, I have (like many others) been unable to find the needle that is my solution.

-d

Can you describe your specific problem? I’ve got some documentation I use internally that has helped with our management of certificates with java keystores.

Thanks for replying David,

I’ve gone over so many different methods and forum/google posts that I can’t really elaborate a specific error message without pasting 20+pages of strange errors and other nonsense. So I’ll just start with this question. If you have an answer I would really appreciate it.

How do you export a private key from one OpenFire installation to another? I have to upgrade a production system and I can’t just have it down for 2 days while I troubleshoot some strange ssl/keytool error or another. So, the most sane path I see through this is to setup a test system and duplicate the prodcution instance. I plan on doing the following, but so far even #1 and #2 have been giving me problems.

Just to warn you, I’ve tried quite a few methods of doing this so far without success. I have been working through this forum and google for several days without success. This seems to be a very common occurance with openfire+ssl unfortunately.

  1. Export private key from production instance

  2. Import private key into test instance

  3. Verify Test openfire is alright.

  4. Export current SA-signed crt from production instance

  5. Import current SA-signed crt into test instance

  6. Verify Test openfire is alright

  7. Install new SA-Signed crt into test instance

  8. Tell openfire to use the NEW SA-signed crt on the test instance.

  9. Verify the test instance is working as expected

  10. Repeate process on production instance with minimal downtime.

I need to use a test system because the documentation (for openfire and/or keytool) does not help me to understand this enough to answer the basic question ‘will everything break when I restart openfire with a second sa-signed crt’.

-d

Maybe it won’t answer your question, but here’s how I do it.

I have two two-node Openfire instances - One production, one for DR (also we sometimes move production to it when we’re doing work on systems/databases during maintenance windows). I pretty much treat the DR stuff as dev.

I have a wildcard cert *.domain.com, which i installed into dev using a mixture of tools. Since I basically have a key, cert and intermediate CA cert to deal with, it’s pretty straight forward.

To move this into production, I just shutdown Openfire in production, copy over the /opt/openfire/resources/security/keystore file from DR to production and restart Openfire. The Openfire configs are identical, so the keystore password is the same.

Short answer is I don’t use Java/Openfire at all for key management. I use OpenSSL to build a key, sent it off to get signed, then bundled the key, cert and Intermed-CA together. We pretty much blow away the JKS every time we update the cert (which is probably overkill, but it’s simpler that way) and just reimport the whole lot.