SSL Certificate Just Will Not Install

I think I’ve attempted everything while trying to get this certificate installed. I’ve been using openfire with the fastpath plugin for years and I have never had any issues. We wanted to integrate it into our checkout screen which requires SSL. We’re a reseller for enom, so I go onto the site and grab an SSL. Easy enough … so I thought. We are running openfire on IIS7 and like I said, never had a problem. I have attempted to install the cert using the Server certificates tab in the admin panel. I use the CSR generated by openfire and attempt to install the certificate authority and I get:

“An error occured while importing the Certificate Authority reply. Verify that the reply is correct and that it belongs to the correct certificate.”

I can’t understand why, being that the CSR came from openfire. Okay, so I decided to go another route. I tried setting up these:

  • xmpp.socket.ssl.active
  • xmpp.socket.ssl.port
  • xmpp.socket.ssl.storeType
  • xmpp.socket.ssl.keystore
  • xmpp.socket.ssl.keypass
  • xmpp.socket.ssl.truststore
  • xmpp.socket.ssl.trustpass

At the command prompt I go to c:\program files\openfire\jre\bin and I run keytool -import -keystore keystore -alias chat.mydomain.com -file chat.mydomain.com.cer

That creates a file which I then place in the c:\program files\openfire\resources\security folder, which my xmpp.socket.ssl.keystore is pointed to.

I then get this:

“Unable to access certificate store. The keystore may be corrupt.
One or more certificates are missing. Click here to generate self-signed certificates or here (http://127.0.0.1:9090/import-certificate.jsp) to import a signed certificate and its private key.”

and sometimes this:

“java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance” with a bunch of gibberish after it.

When I try to access fastpath with the above-mentioned error, I get a response from Firefox indicating that the SSL certificate wasn’t installed properly.

In addition, I’ve installed the cert into IIS7 and then exported it with the private key. I’ve then used openssl to decrypt the key into parts and attempted to import the key into openfire, resulting in “There was an error one importing private key and signed certificate.”

I’m going nuts! I have never encountered an SSL install that’s making me pull my hair out!

Please … Anyone have any suggestions?

They’re greatly appreciated!

I spent 20 hours on this and finally got the answer. Even though it’s a weird solution, it worked for me. Since no one replied I had to just start from scratch and troubleshoot myself.

I reinstalled Openfire on the Server '08 machine and installed it again 3 or 4 times. Each time removing the database and clearing out the directories. I was using a mysql database.

I decided to try another machine. I moved openfire to our mssql machine and installed it on there. It’s running Server '03. The certificate installed fine using the method of breaking down the exported cert via openssl.

So I changed the following: From: MS Server '08 w/mysql database ----> To: MS Server '03 w/mssql database.

Works great now…

Ditto, it won’t work for me either.


---- verify keystore is empty ----
tun # jre/bin/keytool -keystore ./resources/security/keystore -list
---- import CA certificate ----
tun # jre/bin/keytool -keystore ./resources/security/keystore -import -alias cacert -file /tmp/cacert.pem
---- Generate a key ----
tun # jre/bin/keytool -keystore ./resources/security/keystore -genkey -alias mormail-rsa -keyalg RSA
---- Export the key ----
tun # jre/bin/keytool -keystore ./resources/security/keystore -alias mormail-rsa -certreq -file mormail-rsa.csr
---- Move the CSR to the signing machine ----
tun # scp mormail-rsa.csr awilliam@192.168.1.122:Documents/Organizations/MI/SSL/
---- Sign the certification ----
$ openssl ca -policy policy_anything -days 730 -in mormail-rsa.csr -out mormail-rsa.cert
---- Convert to DER ----
$ openssl x509 -in mormail-rsa.cert -inform PEM -out mormail-rsa.cert.der -outform DER
---- Move the certificate back to the openfire server ----
$ scp mormail-rsa.cert.der root@tun.mormail.com:/tmp
---- Import the certificate ----
tun # /gre/bin/keytool -import -keystore ./resources/security/keystore -alias mormail-rsa -file /tmp/mormail-rsa.cert.der -keyalg RSA
---- and… ----
java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
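
A pre-import check for the keytool steps in the posts above, added here as an example and not part of the original thread. keytool -import attaches a signed reply only to an alias that already holds a private key, so entry_type reads keytool -list output and reports what an alias holds, and same_pubkey uses openssl to confirm the certificate carries the CSR's public key. The function names and the sample listing are constructed, and the listing format assumed is that of JDK 6 and later.

```shell
#!/bin/sh
# Added example: pre-import checks for a Java keystore (JKS) certificate install.
# entry_type ALIAS: read `keytool -list` output on stdin and print the entry
# type recorded for ALIAS (PrivateKeyEntry, trustedCertEntry) or "missing".
# Assumes the JDK 6+ line format: "alias, Mon D, YYYY, EntryType,".
entry_type() {
    awk -F', *' -v want="$1" '
        tolower($1) == tolower(want) && NF >= 3 {
            n = NF
            while (n > 1 && $n == "") n--   # skip empty field after trailing comma
            print $n; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# can_take_reply ALIAS: succeed only if ALIAS holds a private key, so a signed
# CA reply imported under that alias has a key to attach to.
can_take_reply() {
    [ "$(entry_type "$1")" = "PrivateKeyEntry" ]
}

# same_pubkey CSR CERT_DER: succeed if the DER certificate carries the same
# public key as the CSR, i.e. the reply belongs to this key pair.
same_pubkey() {
    csr_key=$(openssl req -in "$1" -noout -pubkey) || return 2
    crt_key=$(openssl x509 -in "$2" -inform DER -noout -pubkey) || return 2
    [ "$csr_key" = "$crt_key" ]
}

# Constructed sample of `keytool -list` output (not taken from the thread).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

cacert, Jan 5, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33 (constructed)
mormail-rsa, Jan 5, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 44:55:66:77 (constructed)
chat.mydomain.com, Jan 5, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 88:99:AA:BB (constructed)'

for a in cacert mormail-rsa chat.mydomain.com; do
    printf '%s: %s\n' "$a" "$(printf '%s\n' "$SAMPLE_LISTING" | entry_type "$a")"
done
```

Against a real keystore, pipe the output of keytool -list into can_take_reply with the alias you intend to import under, and run same_pubkey on the CSR and the DER file before the import.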