RapidSSL cert failure

Using openfire 3.10.2. I’ve been able to successfully import my RapidSSL signed cert with the CA root using the openfire server certificate admin screen. I ran into a couple of issues.

  1. The cert won’t import unless you type something into the private key passphrase field. It doesn’t matter what, mind you, just as long as something is there.

  2. I couldn’t import unless I imported the CA root cert into the truststore db directly from the commandline first. Then I could import everything from the gui.

But that all said, I can now connect to the openfire admin gui securely except one problem: I keep getting this:

Your connection to mysite.com is encrypted with obsolete cryptography.

The connection uses TLS 1.2.

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.

Connecting with pidgin (windows) throws an error too, telling me the cert could not be validated, and when I check the cert I am told the fingerprint is SHA1.

I use the same cert/key/CA root in nginx and I am told:

Your connection to mysite.com is encrypted with modern cryptography.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.

I checked the CA root cert in the trust store and I see the following fingerprints. Could the SHA1 fingerprint be causing a problem? I’m sort of lost. I’ve done everything I can think of. Does openfire just not work with RapidSSL’s certs?

Certificate fingerprints:

MD5: 71:07:82:7D:C1:8A:DC:DC:BF:16:A2:57:2C:69:47:C7

SHA1: DC:07:7C:4A:B3:42:2F:60:8C:EE:83:D9:09:8B:FC:3A:72:26:D6:A7

SHA256: 5B:87:E2:22:F2:03:46:FA:36:28:81:6E:D6:CE:71:FA:AB:A0:85:7F:B8:BC:BA:73:77:6E:A1:FA:56:CD:00:57

Signature algorithm name: SHA256withRSA

Version: 3

Anyone?

So no one is having this problem? Everyone is able to connect using SHA256? Just trying to figure out why openfire insists on serving up SHA-1 encrypted certs when everything I’m using is set up with SHA256.

I’m not a java person, so perhaps there is some keytool magic I am missing. The same cert is used for nginx and openfire, so I import a key I generated via openssl as opposed to using keytool’s key. Openfire doesn’t appear to have an issue importing the key from the GUI, but who knows.

ANY feedback pointing me in the right direction would be extremely helpful.

Thanks.

RapidSSL has the following info:

Obsolete Cryptography

Warning message: “Your connection to www.[domain].com is encrypted with obsolete cryptography.”

Obsolete cryptography indicates the site’s cryptographic protocol or its cipher suites are outdated (RC4).

To resolve this warning, enable support for both TLS 1.2+ and secure cipher suites: AES-GCM or CHACHA20_POLY1305.

Is there a way to do this…if it is the problem…which I don’t know because responses seem to be kind of a rare thing on this forum.

Thanks.
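The two browser messages quoted above differ only in the bulk cipher: the admin console negotiated a CBC suite with an HMAC-SHA1 MAC, nginx negotiated AES-GCM. The certificate's SHA-1 fingerprint has nothing to do with it; the warning is about the cipher suite. The following script, added here as an example and not part of the original thread or of Openfire, connects to a plain-TLS port, reports what the server actually negotiated, and applies the three properties the RapidSSL note lists (TLS 1.2 or newer, an AEAD cipher, an ephemeral key exchange); the default port 9091 and the check's treatment of DHE as acceptable alongside ECDHE are my assumptions.

```python
import socket
import ssl


def assess_cipher(protocol: str, cipher: str) -> dict:
    """Classify a negotiated (protocol, cipher suite) pair.

    Accepts OpenSSL names ('ECDHE-RSA-AES256-SHA') and IANA names
    ('TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'). Returns whether the pair
    satisfies all three properties and, if not, which ones it fails.
    """
    name = cipher.upper().replace("-", "_")
    modern_protocol = protocol in ("TLSv1.2", "TLSv1.3")
    # AEAD suites: AES-GCM, CHACHA20-POLY1305 (and AES-CCM). A CBC suite
    # such as ECDHE-RSA-AES256-SHA fails here: "SHA1 for message authentication".
    aead = any(tok in name for tok in ("GCM", "CHACHA20", "CCM"))
    # TLS 1.3 suite names omit the key exchange because every TLS 1.3
    # handshake is (EC)DHE; for older versions look for ECDHE/DHE in the name.
    forward_secret = protocol == "TLSv1.3" or "DHE" in name
    reasons = []
    if not modern_protocol:
        reasons.append(f"protocol {protocol} is older than TLS 1.2")
    if not aead:
        reasons.append("cipher is not AEAD (CBC with an HMAC-SHA1/SHA256 MAC)")
    if not forward_secret:
        reasons.append("key exchange is not ephemeral (no ECDHE/DHE)")
    return {"modern": not reasons, "reasons": reasons}


def probe(host: str, port: int = 9091, timeout: float = 5.0) -> dict:
    """Handshake with a plain-TLS port (assumed default: Openfire's HTTPS
    admin console on 9091) and assess the negotiated suite. Not suitable
    for 5222, which upgrades with STARTTLS instead of speaking TLS directly.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, protocol, _bits = tls.cipher()
            result = assess_cipher(protocol, cipher)
            result.update({"protocol": protocol, "cipher": cipher})
            return result


if __name__ == "__main__":
    import sys
    # "mysite.com" is the placeholder host name used in the post above.
    target = sys.argv[1] if len(sys.argv) > 1 else "mysite.com"
    print(probe(target))
```

Run it against both the Openfire console and the nginx host serving the same certificate: the first should fail only the AEAD check, matching the two messages quoted above.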