powered by Jive Software

Server Certificates

Openfire 3.6.3 on RHEL 4. Using CACert (http://www.cacert.org) for signing. Imported CACert’s public key using command shown below. keytool -importcert -trustcacerts -alias cacert -keystore openfire\resources\security\truststore -file /root/root.crt Listed the cert to make sure it was imported. Restarted Openfire. Created self signed certificates using the Admin Console. Submitted the rsa and dsa self signed certs to CACert and received back Signed Server certs. Pasted Signed Server certs into Certificate Authority Reply: boxes and pressed Save. Got the error shown below. “An error occured while importing the Certificate Authority reply. Verify that the reply is correct and that it belongs to the correct certificate.” Now when I list the cert I get the error below. keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect Any help would be greatly appreciated!

OK, took another try using this guide.
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guid e.html

And was able to Import CACert.org’s root certificate, generate rsa and dsa key pairs, and import the CACert signed certificates. Commands are below. Domain name is changed.

keytool -import -keystore /opt/openfire/resources/security/keystore -alias cacert -file ~/root.crt

keytool -genkey -keystore /opt/openfire/resources/security/keystore -alias mydomain.com_rsa -keyalg RSA

keytool -genkey -keystore /opt/openfire/resources/security/keystore -alias mydomain.com_dsa

keytool -certreq -keystore /opt/openfire/resources/security/keystore -alias mydomain.com_dsa -file dsacertreq.csr

keytool -certreq -keystore /opt/openfire/resources/security/keystore -alias mydomain.com_rsa -file rsacertreq.csr

Pasted contents of dsacertreq.csr and rsacertreq.csr into CACert.org’s Certificate Signing Request box.

Made files containing CACert’s signed certificates called signeddsa.csr and signerdsa.csr.

Then imported signed certificates.

keytool -import -keystore /opt/openfire/resources/security/keystore -alias mydomain.com_dsa -file signeddsa.csr

keytool -import -keystore /opt/openfire/resources/security/keystore -alias mydomain.com_rsa -file signedrsa.csr

And certificates list.
keytool -list -keystore /opt/openfire/resources/security/keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

mydomain.com_rsa, Feb 27, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): EA:36:6D:B6:F2:08:9B:F8:A1:58:DF:D7:DC:B2:E4:D8
mydomain.com_dsa, Feb 27, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 1B:BE:A5:C9:AD:9D:1E:47:F2:05:EC:83:94:21:86:60
cacert, Feb 27, 2009, trustedCertEntry,
Certificate fingerprint (MD5): A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

However, openfire Console Server Certificates screen now has this error.

"Unable to access certificate store. The keystore may be corrupt.
One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key. "

What ever happened with this? Did you ever get it to work correctly? I have been trying this for a day now and no luck.

I was able to get mine to work using most of the commands above. The problem I have now is if I go to the Server Certificates section I get this error.

Exception:

java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
     at org.bouncycastle.jce.provider.JDKDigestSignature.engineInitSign(Unknown Source)
     at java.security.Signature$Delegate.engineInitSign(Unknown Source)
     at java.security.Signature.initSign(Unknown Source)
     at org.bouncycastle.jce.PKCS10CertificationRequest.(Unknown Source)
     at org.bouncycastle.jce.PKCS10CertificationRequest.(Unknown Source)
     at org.jivesoftware.util.CertificateManager.createSigningRequest(CertificateManager.java:392)
     at org.jivesoftware.openfire.admin.ssl_002dcertificates_jsp._jspService(ssl_002dcertificates_jsp.java:548)
     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
     at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
     at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
     at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
     at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:66)
     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
     at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:42)
     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
     at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:70)
     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
     at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:146)
     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
     at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
     at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
     at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
     at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
     at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
     at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
     at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
     at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
     at org.mortbay.jetty.Server.handle(Server.java:324)
     at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
     at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
     at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
     at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
     at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
     at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
     at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)