SSL and CAcert?

I’‘ve been trying to get a certificate signed by CAcert. However, while following the instructions from the SSL guide, CAcert always rejects the CSR. I’‘m generating the keystore and CSR using keytool. The error CAcert gives me is that the common name is blank, or the domain isn’‘t verified. Well, my domain is verified, and the common name isn’‘t blank, so I’'m chalking this up to a possible incompatibility with the way Java handles the keys and what CAcert expects. Most of their stuff uses OpenSSL for examples.

So, has anyone else done this successfully? Thanks!

For some weird reason, that link has a %20 in it and I can’‘t get it to go away. Anyway, it’'s the SSL guide available in the documentation section for Wildfire.

Did you figure this out? The EXACT same thing is happening to me…

Nope, I’‘ve not figured it out, though I haven’‘t messed with it lately. It’‘d be really nice if Wildfire would use (or at least work with) OpenSSL certs instead of the keytool stuff. I’‘ve also found tutorials for converting from keytool to OpenSSL, but not the other way around (at least, I think that’‘s what it was… it didn’'t solve the problem for me.)

Yea, even when I would convert the key from keytool to a valid OpenSSL cert it would still fail for me.

Has anyone else out there experienced this problem? Any solution?

FWIW I didn’‘t have that problem (Yay) but I can’'t get wildfire to actually -use- the signed cert. (Wildfire 2.5.1, following the ssl howto)

  • Updated to be correct, thanks jadestorm! **

keytool -genkey -keystore keystore -alias my.staging.server -dname “CN=my.staging.server”

keytool -certreq -keystore keystore -alias my.staging.server -file certificate_file

keytool -import -keystore keystore -alias carootcert -file root.crt

keytool -import -keystore keystore -alias my.staging.server -file certificate_signed

keytool -delete -keystore keystore -alias rsa

keytool -delete -keystore keystore -alias dsa

If you have Gaim (or Gaim-derived) clients, they will crash on connect if you don’'t also generate an RSA key:

keytool -genkey -keystore keystore -alias my.staging.server-rsa -dname “CN=my.staging.server” -keyalg rsa

keytool -certreq -keystore keystore -alias my.staging.server-rsa -file certificate_file.rsa

keytool -import -keystore keystore -alias my.staging.server-rsa -file certificate_signed.rsa

For clarity, you should receive “Certificate reply was installed in keystore” when you do the import. And the only keys you should delete are the default “rsa” and “dsa” self-signed keys.

Updated to have correct/complete directions.

Message was edited by: Dis

One minor update. If you leave the self-signed in place, it will happily serve it (which results in all the usual warnings about having a self-signed cert.) And keytool -export -rfc | openssl x509 -text shows an interesting difference. The self-signed is sigalg md5WithRSAEncryption, the cacert sig is sha1WithRSAEncryption. Not sure if that matters or not, but there it is. Otherwise (to my untrained eye at least) they look the same.

I got further than mysticone, but not as far as Dis. =/ Basically I get to:

keytool -import -keystore keystore -alias my.staging.server -file certificate_signed

And then I get the following error:

keytool error: java.lang.Exception: Failed to establish chain from reply

Whoa! I may have gotten it! I had to import this:

into the keystore and all of a sudden my cert was happy to import. ;D

So all of my steps were this:

  1. I deleted all of the built-in certs from the web interface

  2. cd /opt/wildfire/resources/security

  3. keytool -storepasswd -keystore keystore (changed the password to something of my own)

  4. keytool -import -keystore keystore -alias cacertroot -file root.crt (this is the root.crt mentioned above)

  5. keytool -genkey -keystore keystore -alias jabber-dsa -dname “

  6. keytool -certreq -keystore keystore -alias jabber-dsa -file dsa_certificate_request

  7. pasted dsa_certificate_request into’'s new cert box

  8. copy and pasted the signed cert returned to me into dsa_certificate_signed

  9. keytool -import -keystore keystore -alias jabber-dsa -file dsa_certificate_signed

  10. keytool -genkey --keyalg rsa -keystore keystore -alias jabber-rsa -dname “

  11. keytool -certreq -keystore keystore -alias jabber-rsa -file rsa_certificate_request

  12. pasted rsa_certificate_request into’'s new cert box

13… copy and pasted the signed cert returned to me into rsa_certificate_signed

  1. keytool -import -keystore keystore -alias jabber-rsa -file rsa_certificate_signed

  2. from the wildfire admin console, added the system property xmpp.socket.ssl.keypass, set to the password from #3

  3. restarted the server

  4. low and behold, there’'s my certificate(s)!


Message was edited by: jadestorm

Updated to include both dsa and rsa pieces.

Message was edited by: jadestorm

Updated again, after running through the steps myself and having them work.

Also note that certs, for some reason, always seem to start “a little in the future”, so the cert will not immediately work. Psi will tell you exactly when the certificate will begin being valid.

Let me also point out that I am running 2.6.0beta. I don’'t know if that makes a difference.

Yes! The -dname “” is what I was missing, as well as importing the root certificate (I never got that far on the server, though I imported it on my own machine at home). Hooray for jadestorm! I now have a working, CAcert-signed certificate as well!

To all:

Earlier today, I figured out a way to use OpenSSL and keytool to import a self-cert. No need to use CACert. I will post a new thread with the details by tomorrow evening.


  • Update **

The method I mentioned above was simply to give the openssl self-cert method a try. It seems like most people will opt to request one from CACert, so I won’'t be posting any further details.


Were you unable to do it following the instructions in the Wildfire SSL HOWTO? It tells you how to generate a self-signed certificate. Or were you trying to move over an existing one?

The whole point of using CAcert is to have someone else sign your certificate. CAcert just happens to be a free certificate authority. They’'re not accepted by default in mainstream browsers at the moment (due to expensive fees for silly, meainingless certifications), but you can easily add their root certificate to your browser and such to have it trust CAcert-signed sites.

That was what I was missing - I was loading them in the wrong order (or not at all) and deleting the private key. Way to go, it works like a champ

If you have gaim (or gaim-derived) clients, you will need to also generate an rsa key. (Symptoms include gaim crashing without warning if tls or ssl is enabled.) Just repeat the -genkey through -import, with -keyalg rsa added to genkey (and a new alias - I just used jabber-dsa and jabber-rsa.)

Just a quick fair warning to others. =) It appears to be required that you use at least jdk 1.5.0 (aka 5.0?) to use rsa. Otherwise you will get an error similar to:

keytool error: subject key, Unknown key spec: Invalid RSA modulus size.


That problem might not be version-related specifically. If you get this error, you might try installing the unlimited-strength crypto package from (Be sure to make sure its legal where you are.)

Oh, and (if that doesn’'t work) maybe 1.5 should be listed as a minimum version for ssl, given that gaim-derived clients seem to be in the majority out ‘‘in the world’’ (as opposed to enterprises where you can choose a single client that works.)



obviously many ppl are having problems with cacert certificates.

maybe i have an idea concerning the reason.

look at this thread:

i am getting exactly the same error-messages.

maybe the only difference between the people with working cacert certificates and non-working cacert certificates is that the people with the working ones are fully assured by cacert? could there be any difference beyond the certificate lifetime when you are “fully assured” ?

i followed your steps exactly (generated and imported nice dsa and rsa cacert certificates and the root cert… everything went fine & without errors), the only remaining problem is, that i am getting the errors mentioned in the thread above.

at ava:146)

2006.09.30 12:28:20 va:168) Kann SSL-Socket nicht einrichten No available certificate or key corresponds to the SSL cipher suites which are enabled.

at Source)

at Source)

any hints?

i am really looking forward getting this up & running one day

A great many thanks to jadestorm and all others having worked on this!

You just made my day and it’'s gonna be a good one .-)

I had wrecked my keystore about 5 times before getting to this solution and it worked perfectly in a matter of minutes!

Also: I am not fully certified with and it still went well…


A question to this:

  1. keytool -import -keystore keystore -alias cacertroot -file root.crt (this is the root.crt mentioned above)

When I try to import a root ca certificate of 4096 bit length I get this error:

java.lang.Exception: Input not an X.509 cetificate.

openssl x509 -noout -text -in <rootca.file> show no errors.

import of an 2048 bit certificate shows no problems.

we use java Is this a bug or what is going wrong ?