Developers: If you want to see the full steps, here they are. These are what I follow to a T when uploading. I gave the shorthand above in case you are already aware of the issue.
Install Microsoft Visual C++ viewer redistributable. You need this specific version in order for OpenSSL to function properly.
http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF
**Download OpenSSL** http://www.slproweb.com/download/Win32OpenSSL-1_0_0f.exe
Install this using the system defaults.
**Browse to** C:\OpenSSL-Win32\bin
Right click on openssl.exe and choose Run As Administrator
Use OpenSSL to generate a private key by running the following commands
OpenSSL> genrsa -out your.domain.com.key 2048
You will see
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.+++
…+++
e is 65537 (0x10001)
At the next OpenSSL> prompt enter this command
OpenSSL> req -out your.domain.com.csr -key your.domain.com.key -new
You will see
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:REQUIRED
State or Province Name (full name) [Some-State]:REQUIRED
Locality Name (eg, city) []:REQUIRED
Organization Name (eg, company) [Internet Widgits Pty Ltd]:REQUIRED
Organizational Unit Name (eg, section) []:REQUIRED
Common Name (e.g. server FQDN or YOUR name) []:**REQUIRED This should match your OpenFire server name**
Email Address []:Leave Blank
LEAVE THE FOLLOWING BLANK
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After answering the questions above you will be brought back to the OpenSSL prompt
OpenSSL>
At this point you can close OpenSSL
You have now created a private key and a cert request that you can use to get a cert from GeoTrust. The key and the cert are located in C:\OpenSSL-Win32\bin
The files are
your.domain.com.key
your.domain.com.csr
Log in to your GeoTrust account and ask for a new SSL Cert. I used the Quick SSL Premium, but the Quick SSL Basic will be fine if you don't need multiple domain support.
Copy the contents of the file
your.domain.com.csr
**into the field listed below**
Certificate Signing Request (CSR) Information
Complete the cert request steps. Once you get your cert approved and you get the download link, make sure you download the ZIP bundle.
Extract the files and use notepad++ to open the files
your_domain_com.txt
GeoTrust_CA_Bundle.txt
**Copy the contents of** your_domain_com.txt and paste into a new notepad++ file. Directly after your cert copy the contents of
GeoTrust_CA_Bundle.txt
The end file should look like.
-----BEGIN CERTIFICATE-----
*Your certificate*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*First certificate from GeoTrust_CA_Bundle.txt*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Second certificate from GeoTrust_CA_Bundle.txt*
-----END CERTIFICATE-----
**Save this file as** Content of Certificate file.txt
Browse to the OpenFire Server Certificate Import Page https://your.openfireserver.com:9091/import-certificate.jsp
**Copy the contents of** your.domain.com.key and paste into the Content of Private Key file: field
**Copy the contents of the** Content of Certificate file.txt **you created into the** Content of Certificate file: field
If you don’t include the intermediate cert data in the second field or the intermediate certs don’t match you’ll see errors such as “Incomplete certificate chain in reply”, “Failed to establish chain from reply” or “Certificate chain in reply does not verify: Signature does not match.”
If you see the message “invalid DER-encoded certificate data” then you most likely have an empty line between one or other of the certificate lines.
Once you get the Key was imported successfully message you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.
Log back in and browse to the Server Certificates page again; you will see two self-signed certs and a CA signed cert. You can remove both self-signed certs by clicking the delete button to the far right. Once again you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.
Log back in and browse to the Server Certificates page again to verify your CA signed cert is the only one left.
That should be it. I have confirmed this works with Openfire 3.7.1 using Spark and webchat clients.
Let me know if you have any questions. Hopefully this will help someone save a week of headbanging and frustration.
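A pre-paste check for the combined certificate file described above, added here as an example and not part of the original post or of Openfire: it flags empty lines and typographic dashes in the PEM markers, and confirms each block decodes to a single DER SEQUENCE. The function names, the two-certificate minimum (your cert plus at least one bundle cert) and the sample bytes are assumptions made for illustration.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_length_ok(der: bytes) -> bool:
    """True if der is one SEQUENCE whose DER length field covers all of it."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1]
    if n < 0x80:                                  # short-form length
        return len(der) == 2 + n
    n &= 0x7F                                     # long form: n length bytes
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_pem_bundle(text: str) -> list:
    """Return the problems found in a pasted certificate-plus-chain file."""
    problems, body, inside, count = [], [], False, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            problems.append(f"line {no}: empty line")
        elif "\u2013" in line or "\u2014" in line:
            problems.append(f"line {no}: typographic dash, not '-----'")
        elif line == BEGIN and not inside:
            inside, body = True, []
        elif line == END and inside:
            inside, count = False, count + 1
            try:
                if not der_length_ok(base64.b64decode("".join(body), validate=True)):
                    problems.append(f"certificate {count}: malformed DER")
            except ValueError:
                problems.append(f"certificate {count}: invalid base64")
        elif inside and line not in (BEGIN, END):
            body.append(line)
        else:
            problems.append(f"line {no}: unexpected text or marker")
    if inside:
        problems.append("missing END marker at end of file")
    if count < 2:
        problems.append("fewer than two certificates: no intermediate chain")
    return problems

def _pem(der: bytes) -> str:
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"

# Constructed sample: two tiny DER SEQUENCEs stand in for real certificates.
GOOD = _pem(b"\x30\x03\x02\x01\x05") + _pem(b"\x30\x03\x02\x01\x07")
BAD = GOOD.replace(END + "\n" + BEGIN, END + "\n\n" + BEGIN)
```

Run `lint_pem_bundle(open(path).read())` on the saved file before pasting it into the import page; an empty list means none of these formatting problems were found, not that the chain itself verifies.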