
Trouble installing SSL cert

I've been trying to install an SSL cert from GoDaddy into OpenFire.

First, I used the Server Certificates option, filled out the issuer information, and used the CSR to get a certificate from GoDaddy. When I paste the resulting certificate into the Reply box of the form, I get this error:

An error occured while importing the Certificate Authority reply. Verify that the reply is correct and that it belongs to the correct certificate.

A customer chat pointed me to a page of instructions (http://wiki.igniterealtime.org/display/WILDFIRE/CertificatesinWildfire), which include the mysterious import-certificate.jsp tool for use in importing certificates. When I try that method, I get the following error:

There was an error one importing private key and signed certificate. Error message: org.bouncycastle.jce.PKCS10CertificationRequest cannot be cast to java.security.KeyPair

So… still no SSL cert, and not very useful error messages.

I've found two posts in the forums related to this issue, and neither one has been answered.

How can I get some actually useful instructions for this process?

maybe this thread will help you:

http://www.igniterealtime.org/forum/thread.jspa?threadID=26281

That post doesn't help at all. I was told on the phone that one of our core engineers had been called in to work on my problem, and the best he can come up with is a link to another thread in the forum that I have previously read?

Let me be pretty clear on what the problem is:

We purchased OpenFire Enterprise so that we could use its customer chat features on our website. We have previously used OpenFire as just an IM system, and it works very well. Our website has an online store, and we have an SSL certificate on portions of the website. Any worthwhile online vendor has this same situation. If we install the webchat code into our website with no ssl certificate installed, IE flashes a warning. If we install the webchat code into our website with a self-signed certificate, IE flashes a warning.

Warnings make customers nervous, even if there really is no threat.

Therefore: We must use a certificate provided by a 3rd party issuer, such as verisign or godaddy.

Unless we can do this, then the software we purchased from you is completely worthless, and we will be forced to seek a solution from a different vendor.

If the steps to install such a certificate are complicated enough to involve writing and compiling a java class just to install a certificate, then you clearly need to re-evaluate how your software runs.

It's one thing to have slightly difficult to use software and back it up with great support. It is quite another to do as you have done, and sell difficult software with lousy documentation, and then provide absolutely no support at all, despite the fact that we have been promised rapid responses in the forums with our purchase.

If you think this is good customer service, think again. Go purchase yourself a 3rd party certificate and install it into your product in a test environment, and post the instructions online. Since this is an action that many of your enterprise customers will want, don't you think it's worth the time and energy?

Now, I'd really like a response to the questions and suggestions I've raised here. (Although frankly, I don't expect any answer at all, given my previous experiences.)

hmmmm, coolcat is not an engineer for Openfire so I'm not sure why you are jumping all over him.

We bought a godaddy cert and are testing this out. I'll update the thread later with the outcome.

Cheers,

Nate

Alright. I got this to work and it seemed pretty straightforward. There are a couple things to watch out for.

  1. Your server name is the same domain name that you are getting the cert for.

  2. That the godaddy intermediate cert is in your truststore.

Here is what I did to get my cert signed.

  1. Added the godaddy intermediate cert to the truststore. I can send you the trust that I'm using so you don't have to do this. (email me at support at jivesoftware.com)

  2. Restarted the server

  3. Edit the default self signed cert with my info.

  4. Submitted the RSA key to godaddy to be signed.

  5. Pasted response into the RSA dialog.

  6. Saved.

Here is how I imported the ca into the truststore. This assumes you have keytool in your path. You can download the godaddy ca from: https://certificates.godaddy.com/repository/gd_intermediate.crt

keytool -import -keystore openfire\resources\security\truststore -alias godad -file
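
The error in the original question ("belongs to the correct certificate") and the two points to watch out for above can be checked before pasting a reply into the admin console. This is an added example, not part of the thread and not Openfire code; it assumes the `openssl` command-line tool and PEM files, and every file name, key and the host name `chat.example.test` is constructed test data.

```shell
#!/bin/sh
# Pre-import checks for a CA reply. Every key, name and certificate here is
# constructed test data generated locally; nothing comes from a real CA.

pubkey_hash() {   # $1 = "req" or "x509", $2 = PEM file -> digest of its public key
  openssl "$1" -in "$2" -noout -pubkey | openssl dgst -sha256
}

check_reply() {   # $1 CSR, $2 CA reply, $3 root, $4 intermediate, $5 server name
  [ "$(pubkey_hash req "$1")" = "$(pubkey_hash x509 "$2")" ] ||
    { echo "reply does not belong to this CSR"; return 1; }
  openssl verify -CAfile "$3" -untrusted "$4" "$2" >/dev/null 2>&1 ||
    { echo "reply does not chain through the intermediate"; return 2; }
  openssl x509 -in "$2" -noout -checkhost "$5" | grep -q "does match" ||
    { echo "certificate name differs from server name"; return 3; }
  echo "ok"
}

mkcsr() {         # $1 = file prefix, $2 = constructed common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# Constructed PKI: root -> intermediate -> server certificate.
D=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"
mkcsr "$D/root" "Constructed Root"
mkcsr "$D/inter" "Constructed Intermediate"
mkcsr "$D/srv" "chat.example.test"
mkcsr "$D/other" "chat.example.test"   # second CSR with a different key pair
openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -extfile "$D/ca.ext" \
  -days 2 -out "$D/root.pem" 2>/dev/null
openssl x509 -req -in "$D/inter.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
  -set_serial 2 -extfile "$D/ca.ext" -days 2 -out "$D/inter.pem" 2>/dev/null
openssl x509 -req -in "$D/srv.csr" -CA "$D/inter.pem" -CAkey "$D/inter.key" \
  -set_serial 3 -days 2 -out "$D/srv.pem" 2>/dev/null

# Matching reply, then the same reply checked against the wrong CSR.
check_reply "$D/srv.csr" "$D/srv.pem" "$D/root.pem" "$D/inter.pem" chat.example.test || true
check_reply "$D/other.csr" "$D/srv.pem" "$D/root.pem" "$D/inter.pem" chat.example.test || true
```

A return code of 1 corresponds to pasting a reply issued for a different CSR, 2 to a missing intermediate, and 3 to a server name that differs from the certificate's domain.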

Thanks for the response!

(coolcat - I can't tell in the forums who is an engineer and who isn't… so my apologies. I had incorrectly assumed that you were working for the company. I did spend quite some time on your posts prior to starting this thread.)

The instructions given were both clear and direct. I was able to follow them easily, and everything appears to be working…

On my own, I had nearly blundered into the correct solution. I had some trouble importing the intermediate cert to the keystore (something about a name already being in use), but your instructions got me past that snag.

Thank you for the help! With a little further testing, we can now deploy our customer chat solution.

-Sam

I spent a ton of time figuring this out earlier this year. If the previous solutions don't work for some reason, give this one a try:

http://www.igniterealtime.org/forum/thread.jspa?messageID=142468&#142468