powered by Jive Software

SSL Upload bug in 3.93 (tested and confirmed)

Please fix asap: Can’t really use openfire without TLS and SSL!

Using the below steps in 3.91 I’m able to sucessfuly upload my signed certificate but on 3.93 I cant!!!

  1. Login into my openfire server

  2. go to server —> server settings —> server certificates

  3. click “import”

  4. I upload my private key in pem format into “Content of Private Key file:”

  5. Then I upload my public key followed by my certificate chain into the “Content of Certificate file:”

  6. Then it takes the certifcate on 3.91 but on 3.93 it says “problem with private key”

How I confirmed.

  1. did fresh installs of both 3.93 and 3.91 and tested the same public/private key combo that I had stored on my server and the upload only worked in 3.91

Developers: If you want too see the full steps here they are: These are what I follow to a T when uploading. I gave the short hand above incase you are already aware of the issue.

Install Microsot Visual C++ viewer restributable. You need this specific version in order for OpenSSL to function properly.

http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D -074B9F2BC1BF

**Download OpenSSL **http://www.slproweb.com/download/Win32OpenSSL-1_0_0f.exe

install this using the system defaults.

**Browse to **C:\OopenSSL-Win32\bin

Right click on openssl.exe and choose Run As Administrator

Use Openssl to generate a private key by running the following commands

OpenSSL genrsa -out your.domain.com.key 2048

you will see

Loading ‘screen’ into random state - done

Generating RSA private key, 2048 bit long modulus

.+++

…+++

e is 65537 (0x10001)

at the next OpenSSL> prompt type enter this command

OpenSSL req -out your.domain.com.csr -key your.domain.com.key -new

you will see

Loading ‘screen’ into random state - done

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.


Country Name (2 letter code) [AU]:REQUIRED

State or Province Name (full name) [Some-State]:REQUIRED

Locality Name (eg, city) []:REQUIRED

Organization Name (eg, company) [Internet Widgits Pty Ltd]:REQUIRED

Organizational Unit Name (eg, section) []:REQUIRED

Common Name (e.g. server FQDN or YOUR name) []:**REQUIRED This should match your OpenFire server name
**

Email Address []:Leave Blank

LEAVE THE FOLLOWING BLANK

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

After answering the questions above you will be brought back to the OpenSSL prompt

OpenSSL>

At this point you can close OpenSSL

You have now created a private key and a cert request that you can use to get a cert from GeoTrust. The key and the cert are located in C:\OpenSSL-Win32\bin

The files are

your.domain.com.key

your.domain.com.csr

Login to your GeoTrust account and ask for a new SSL Cert. I used the Quick SSL Premium, but the Quick SSL Basic will be fine if you dont need multiple domain support.

Copy the contents of the file

your.domain.com.csr

**into the field listed below
**

Certificate Signing Request (CSR) Information

Complete the cert request steps. Once you get your cert approved and you get the download link, Make sure you download the ZIP bundle.

Extract the files and use notepad++ to open the files

your_domain_com.txt

GeoTrust_CA_Bundle.txt

**Copy the contents of **your_domain_com.txt and paste into a new notepad++ file. Directly after your cert copy the contents of

GeoTrust_CA_Bundle.txt

The end file should look like.

**
**

-----BEGIN CERTIFICATE----- *Your certificate* —–END CERTIFICATE—– —–BEGIN CERTIFICATE—– MIID+jCCAuKgAwIBAgIDAjbSMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i YWwgQ0EwHhcNMTAwMjI2MjEzMjMxWhcNMjAwMjI1MjEzMjMxWjBhMQswCQYDVQQG EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UECxMURG9tYWluIFZh bGlkYXRlZCBTU0wxGzAZBgNVBAMTEkdlb1RydXN0IERWIFNTTCBDQTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKa7jnrNpJxiV9RRMEJ7ixqy0ogGrTs8 KRMMMbxp+Z9alNoGuqwkBJ7O1KrESGAA+DSuoZOv3gR+zfhcIlINVlPrqZTP+3RE 60OUpJd6QFc1tqRi2tVI+Hrx7JC1Xzn+Y3JwyBKF0KUuhhNAbOtsTdJU/V8+Jh9m cajAuIWe9fV1j9qRTonjynh0MF8VCpmnyoM6djVI0NyLGiJOhaRO+kltK3C+jgwh w2LMpNGtFmuae8tk/426QsMmqhV4aJzs9mvIDFcN5TgH02pXA50gDkvEe4GwKhz1 SupKmEn+Als9AxSQKH6a9HjQMYRX5Uw4ekIR4vUoUQNLIBW7Ihq28BUCAwEAAaOB 2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIz02ZMKR7wAoErOS3VuoLaw sn78MB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4ysxOMBIGA1UdEwEB/wQI MAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5j b20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAB hhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZIhvcNAQEFBQADggEBADOR NxHbQPnejLICiHevYyHBrbAN+qB4VqOC/btJXxRtyNxflNoRZnwekcW22G1PqvK/ ISh+UqKSeAhhaSH+LeyCGIT0043FiruKzF3mo7bMbq1vsw5h7onOEzRPSVX1ObuZ lvD16lo8nBa9AlPwKg5BbuvvnvdwNs2AKnbIh+PrI7OWLOYdlF8cpOLNJDErBjgy YWE5XIlMSB1CyWee0r9Y9/k3MbBn3Y0mNhp4GgkZPJMHcCrhfCn13mZXCxJeFu1e vTezMGnGkqX2Gdgd+DYSuUuVlZzQzmwwpxb79k1ktl8qFJymyFWOIPllByTMOAVM IIi0tWeUz12OYjf+xLQ= —–END CERTIFICATE—– —–BEGIN CERTIFICATE—– MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26×1W b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S —–END CERTIFICATE—–

**Save this file as **Content of Certificate file.txt

Browse to the OpenFire Server Certificate Import Pagehttps://your.openfireserver.com:9091/import-certificate.jsp

**Copy the contents of **your.domain.com.key and paste into the Content of Private Key file: field

**Copy the contens of the **Content of Certificate file.txt **you created into the **Content of Certificate file: field

If you don’t include the intermediate cert data in the second field or the intermediate certs don’t match you’ll see errors such as “Incomplete certificate chain in reply”, “Failed to establish chain from reply” or “Certificate chain in reply does not verify: Signature does not match.”

If you see the message “invalid DER-encoded certificate data” then you most likely have an empty line between one or other of the certificate lines.

Once you get the Key was imported successfully message you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.

Log back in and browse to the Server Certificates page again, you will see two self-signed certs and a CA signed cert. You can remove both self signed certs by clicking the delete button to the far right. Once again you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.

Log back in and browse to the Server Certificates page again to verify your CA signed cert is the only one left.

That should be it. I have confirmed this works with Openfire 3.7.1 using Spark and webchat clients.

Let me know if you have any questions. Hopefully this will help someone save a week of headbanging and fustrations.