SSL Certificates stuck in "Pending Verification"

I’m trying to get SSL to work. I have a certificate for my domain (signed by DigiCert, I believe) and I’ve downloaded the root certificates from DigiCert, specifically the High Assurance CA-3 certificate and High Assurance EV Root CA certificate. I imported them to my keystore using a command similar to:

keytool -import -trustcacerts -alias highassuranceca3 -file DigiCertHighAssuranceEVRootCA.crt -keystore my_keystore.jks

Then I copy the keystore to my OpenFire base directory and restart the server.

When I go to Server Settings -> Server Certificates, I see the certificates I added there and my domain certificate seems fine and says “CA Signed” for its status but the other (digicert) certificates always say “Pending Verification” and have a dialog box for “Certificate Authority Reply”. No matter what I do, they always say “Pending Verification”. I’ve tried importing them without the -trustcacerts option. I’ve tried importing the entrust certificates and I always have the same problem. What can I do??

I could be mistaken, but I think EV certs require business verification – meaning they call you on the phone or mail something to you, you answer some questionnaire about yourself and type of business, etc. Usually EV certs take 1-2 weeks to get through the entire process.

I would contact whoever you purchased the SSL cert through, and check the status of the process. If you believe you have already completed the process, then I’d really call them and see what’s going on.

I don’t believe this has anything to do with Openfire – it’s an SSL cert issue.

– Just my 2 cents :stuck_out_tongue_winking_eye:

PS: If you google “godaddy ssl”, the first few links will take you to a “hidden” page on godaddy that will sell you an SSL cert for as cheap as $6… it’s not EV meaning you won’t get the fancy green bar and stuff, but it provides the same security as far as the encryption goes etc… The green bar EV certs are usually to give a visual cue to visitors/customers that you use SSL… but it’s not required.

I actually contacted DigiCert and they led me to their webpage where they had their root certificates available for download. FYI, they are at: https://www.digicert.com/digicert-root-certificates.htm

These certificates are already signed and verified and all ready to go.

This is a problem with OpenFire, not with the certificates as I have the same problem with entrust’s certificates too. It is possible it is a problem with keytool, but right now it looks like an OpenFire problem.

We have already paid for verified certificates from DigiCert, and we’ve been using it on our website for a long time now. It imports successfully and shows up correctly in OpenFire. The problem is that it can’t be validated by the clients that connect because the root certificates still show “Pending Verification”.

Is this a wildcard SSL cert?

Yes it is.

Hmm… given you’re using it on the same domain as it’s registered to, but on some new subdomain… then you should be ok based on the description you provided. Maybe someone else can chime in here… wroot, any ideas? Have you run into this before?

Other than calling your SSL cert provider, I’m out of ideas… it sounds like your client systems are not trusting the cert for whatever reason, and unless it’s a self-signed cert, then they should be trusting it imo. If it’s a proper cert from a real CA (it sounds like it should be) then trust should be established already… weird. :-/

Jason wrote:

wroot, any ideas? Have you run into this before?

Unfortunately this is out of my knowledge. I only use self-signed certificates in Openfire.

Probably nothing helpful, but I’m not sure how xmpp clients work with SSL. E.g. we have an app in our network and it needs to be able to trust some certificates. We import these certificates via group policy in AD to every domain computer’s root trust certificates store. This can be done manually for single computers.

Hmm… ya that’s how I would normally do it with a self signed cert… but a public CA signed cert should already have established trust by most browsers/devices, as this is the very point of a publicly signed cert from a real CA. If it’s a self-signed cert, then you’re right, you’d need to establish that trust ahead of time via GPO or push the cert to devices/browsers somehow and tell them to trust the cert.

@Michael – I’m not sure how much help it would be, but if you’re comfortable posting your URL with the troubled SSL cert here, or PM it to me, I can load it up and see if I get the same problem… perhaps something obvious will jump out (second set of eyes sort of thing)…

Maybe that’s the case with widely known CAs, but not all of them are automatically known to browsers or other applications (I think RapidSSL is one of them and some other local authorities in our region).

This is for my job so I’m not sure I can post the URL here. Let me check with my supervisor and see if it’s ok.

Normally, we are fine using self-signed certificates but the problem is that we use a custom bot that uses libpurple to talk to the OpenFire chat server and I can’t figure out how to get libpurple to “accept” the self-signed certificate (basically what happens when you click “accept” in pidgin or a similar chat client). It needs to just work like it would if the certificate chain was valid.

Hmm, is it possible to import new root CAs into libpurple? (I’m unfamiliar with working with libpurple so don’t know how they handle certs and the like). Perhaps during your compilation phase or something…

Also, perhaps this pertains to your situation? : https://developer.pidgin.im/ticket/11554

Yes but most other “tiers” of CAs gain trust via a larger CA somewhere upstream. So most large CAs should have automatic trust established with most browsers/devices. Not always, but in my experience if you purchase SSL from a major vendor, then you will generally be OK.

Hey, did you ever get this “resolved”? I had the same problem today trying to get my certs working with 3.10.2, but it turns out that in this situation the whole “Pending Verification” thing just doesn’t matter. Even though it reports that way in the web config, your certificates still installed correctly, and are still used to validate both https:// and Jabber connections over SSL.

Did you ever actually try just using the server? The other people in this thread telling you that it had something to do with your certs were probably wrong. I’m betting you installed the certificates just fine and you got hung up on this “error” message. It seems to just be a bug of the web config. For some reason it sees the manually installed certificates as a new certificate request and generates a new CSR. Just ignore it.

SSL certificate chain resolver | certificatechain.io

Use this site and paste the result as the reply.

I already installed a Wildcard certificate on openfire and it’s working well.

Just follow those steps answered by me here ssl certificate - Openfire SSL certificat - Stack Overflow

And do not use openfire admin interface

I had the same problem as Daniel Castellanos. And, I did what you suggest and… bam!! My problem about “Pending Verification” resolved thanks to you!!!

This solution really works for those who have an already signed certificate but, when they import it to openfire, it gets stuck in “Pending Verification”. The process is very simple:

1.- Go to the link provided by Dali https://certificatechain.io/

2.- Paste the content of certificate.crt file (or upload it)

3.- Once the certificate chain is generated, copy the content and then paste it in the text field in openfire console (below the entry of your certificate). Click save and done!!! No more “Pending Verification” issues

Thanks @Dali for your help!
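
An added example, not part of any post in this thread: a local check, using the openssl CLI, of why a client that trusts only a root CA rejects a server certificate until the intermediate is supplied alongside it. The PKI, subject names and file names are constructed for the demo; it assumes openssl is on the PATH.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root -> intermediate -> leaf. All names are made up.

issue() {  # issue NAME CN ISSUER EXTFILE  (ISSUER equal to NAME = self-signed root)
  name=$1; cn=$2; issuer=$3; ext=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
  if [ "$issuer" = "$name" ]; then
    openssl x509 -req -in "$name.csr" -days 2 -extfile "$ext" \
      -signkey "$name.key" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -days 2 -extfile "$ext" \
      -CA "$issuer.crt" -CAkey "$issuer.key" -set_serial 1 -out "$name.crt" 2>/dev/null
  fi
}

build_pki() {  # build_pki DIR
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\n'  > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\n' > "$dir/ee.ext"
  issue "$dir/root"  "Demo Root CA"         "$dir/root"  "$dir/ca.ext" &&
  issue "$dir/inter" "Demo Intermediate CA" "$dir/root"  "$dir/ca.ext" &&
  issue "$dir/leaf"  "xmpp.example.test"    "$dir/inter" "$dir/ee.ext"
}

# Client trusts only the root; the server presents the leaf alone.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Same client, but the intermediate is supplied with the leaf.
verify_with_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" \
    "$1/leaf.crt" >/dev/null 2>&1
}

# Chain file in presentation order: leaf first, then its issuer.
write_chain() { cat "$1/leaf.crt" "$1/inter.crt" > "$1/chain.pem"; }

demo() {
  d=$(mktemp -d) && build_pki "$d" || return 1
  if verify_leaf_only "$d"; then echo "leaf alone: accepted"
  else echo "leaf alone: rejected (issuer not found)"; fi
  if verify_with_chain "$d"; then echo "leaf + intermediate: accepted"
  else echo "leaf + intermediate: rejected"; fi
  write_chain "$d" && echo "chain written to $d/chain.pem"
}
demo
```
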

Was hopeful when I found this discussion (and it’s somewhat recent) but I’ve been unable to get the https://certificatechain.io/ site to accept the CA file. Claims “This is not a valid certificate” when I know it is ;(

I found this site which claimed to do the same thing. What’s My Chain Cert?

I was able to get the crt file but applying that in the input box in openfire didn’t remove the pending error.