SSL chaining cert not being passed to clients - SOLUTION

So, I’ve followed several of the myriad of tutorials on importing a signed SSL cert and its corresponding key into openfire. After getting the chain certs imported into truststore and my cert/key pair imported into keystore, I have basic SSL working. However, clients are complaining that the certificate is untrusted. When I connect to port 5223 using openssl s_client, it appears that the server is not passing the chaining certificate to clients:

: jmalone@agrajag.cv; openssl s_client -connect im2.nrao.edu:5223
CONNECTED(00000003)
depth=2 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.nrao.edu
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2

Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.nrao.edu
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2

No client certificate CA names sent

SSL handshake has read 4227 bytes and written 288 bytes

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE

A proper session to a server that presents my chaining cert looks like:

Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.nrao.edu
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

Is there any way to coax Openfire into sending the chaining certificates during the handshake?

Message was edited by: Josh Malone

Updates…

So, I can see it is passing several certificates to clients, but it appears I need to add one more cert to that chain to make pidgin happy.

Has anyone successfully added a chaining cert to Openfire’s SSL and had it actually be passed in the TLS Certificate portion of the starttls reply?

Solved.

Not sure if this is the “correct” sequence, but this solved the problem for me:

  1. Separate my CA’s chaining cert bundle into individual certs
  2. Import all 3 of my chaining certs into ‘truststore’ using keytool (may not have been necessary… unsure)
  3. Create encrypted version of my private key (openssl rsa -des3 -in my.cert.key -out my.cert.des.key)
  4. Go to the import-certificate.jsp page in Openfire’s admin console
  5. Enter passphrase for private key
  6. Paste encrypted private key contents
  7. Paste contents of my SSL cert file
  8. Paste contents of my CA’s chaining bundle below my cert
  9. Click ‘Save’

All is now well and pidgin is happy with my SSL.

1 Like
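A runnable illustration of steps 1 and 2 above and of the check the question opens with, added here as an example and not part of Josh's post or of Openfire itself: it builds a throwaway root / intermediate / leaf PKI with the openssl CLI (all names, paths and the one-day validity are constructed for the demo), splits the CA bundle into individual PEM files the way step 1 does, confirms that each link is issued by the next, and shows that a client holding only the root rejects the leaf unless the intermediate accompanies it, which is exactly the failure a server that omits its chain certs produces.

```shell
#!/bin/sh
# Added example (not from the Openfire thread). Requires the openssl CLI (1.1.1 or newer
# for -addext). Everything below uses constructed names and a temporary directory.
set -eu

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_cnf() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# make_test_pki DIR: writes root.pem, inter.pem, leaf.pem and bundle.pem (inter + root) into DIR.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    write_req_cnf "$dir/req.cnf"
    # Self-signed root with CA:TRUE so it may sign the intermediate.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate signed by the root; it must carry CA:TRUE or openssl verify rejects it as a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    # Leaf (server) certificate signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\n' > "$dir/leaf.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=xmpp.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # The kind of bundle a CA ships: intermediate(s) followed by the root.
    cat "$dir/inter.pem" "$dir/root.pem" > "$dir/bundle.pem"
}

# split_bundle BUNDLE OUTDIR: one PEM block per file (cert-1.pem, cert-2.pem, ...); prints the count.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }' "$1"
    ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# cert_subject FILE / cert_issuer FILE: RFC 2253 names, used to check that each link is issued by the next.
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'; }

# verify_with_chain ROOT UNTRUSTED LEAF: models a client that trusts only ROOT. UNTRUSTED is the
# intermediate the server would have to send ("" = the server sent nothing but its own cert).
verify_with_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && return 0
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && return 0
    fi
    return 1
}

main() {
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "bundle split into $(split_bundle "$work/bundle.pem" "$work/split") certificates"
    echo "leaf issuer  : $(cert_issuer "$work/leaf.pem")"
    echo "inter subject: $(cert_subject "$work/inter.pem")"
    if verify_with_chain "$work/root.pem" "" "$work/leaf.pem"; then
        echo "leaf alone: verified"
    else
        echo "leaf alone: FAILS (client holds only the root, intermediate missing)"
    fi
    if verify_with_chain "$work/root.pem" "$work/inter.pem" "$work/leaf.pem"; then
        echo "leaf + intermediate: verified"
    fi
    rm -rf "$work"
}

main
```

Against a live server, the chain that is actually presented can be dumped with openssl s_client -connect host:5223 -showcerts (or -starttls xmpp for port 5222); the number of BEGIN CERTIFICATE blocks in that output should match the number of links between the server cert and a root the clients already trust, which is the gap the question's two s_client transcripts show.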

Hello Josh, and also hello Dave Cridland (as owner of the Jira OF project)!

Josh’s solution really works for me too. I use a server cert signed by cacert class3 (intermediate CA). And correct, if I put my cert along with the cacert_class3.pem into the form, the server behaves as desired.

The identity store GUI should imho state that intermediate CAs are NOT collected from the trust store automatically and ALL intermediate CAs need to be filled in.

(But also my fault, because I could have read the text a bit more thoroughly.)

thanks!