
Use StartSSL certificate generated from private key

I have an SSL certificate generated by StartSSL, however I cannot get Openfire to accept my certificate!

I generated an OpenSSL private key, used that to generate a CSR and sent that to the guys at startssl.com. They issued me with a certificate (ssl.crt) and linked to their root (ca.pem) and intermediate (sub.class1.server.ca.pem) certificate.

I tried adding the ssl.crt and my private key to the page at http://server:9090/import-certificate.jsp, however I’m constantly encountering an error stating: “There was an error one importing private key and signed certificate.”

It used to state “Failed to establish chain from reply” but after attempting to store the ca.pem and sub.class1.server.ca.pem files in the truststore at /usr/share/resources/security/truststore (keytool -import -keystore truststore -alias securecert -file /home/username/keys/ca.pem for example), it’s shortened the error message to the more generic message above.

I’m totally confused as to why this wouldn’t work, any ideas? Cheers…


Did you have any luck getting your StartSSL certificate to work in Openfire? What version of Openfire?

Nah, I’m still in the same place as when I started. I think I’ve ruined the keystore/truststore files, so am looking at a reinstall anyway. Will still need a hand though. Are there any step-by-step guides?

I’m on the 3.6.4 branch, but might try the latest 3.7.0 trunk when I reinstall. Just trying to get the debian package maker to behave under OSX!


This worked for me: http://forum.startcom.org/viewtopic.php?p=5814&sid=154fd2aed9609c4e6ba2c4598433d8e5#p5814

StarCom wrote:

For OpenFire users on Unix/Linux, these are the instructions I spent about 5 hours trying to find out.
1. Open terminal.
2. Go into the root user. (sudo -s/su)
3. Change your directory to /resources/security/ (cd /usr/local/openfire/resources/security/)
4. Download http://www.startssl.com/certs/ca.crt and http://www.startssl.com/certs/sub.class1.server.ca.crt and place them somewhere it is easy to access, I put mine in the root of my hard drive.
5. Run these commands in your terminal session:

keytool -import -keystore truststore -trustcacerts -alias startcom.ca -file /ca.crt
keytool -import -keystore truststore -alias startcom.ca.sub -file /sub.class1.server.ca.crt

6. Restart your Openfire server, on Mac you go into the system preferences and choose the Openfire panel.
7. Visit your server’s control panel, http://localhost:9090/, and go into the server settings tab and the Server Certificates menu.
8. Delete the self-signed certificates.
9. Click on the import link.
10. Place your key’s password, key, and certificate in the right fields and you’re done.

Note: it may say “One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key.” Just ignore that, it’ll still work.

Hope this helps someone else, and also me when I need to go through this again.
Mr. Gecko.

There were a few additional things I had to do, however.

If you get an error between Steps 7 and 8, or 8 and 9, do the following:

  1. Log into your server
  2. Go to the Server Manager
  3. Go to Server Properties

Add the following:

  1. xmpp.socket.ssl.active = true
  2. xmpp.socket.ssl.keypass = changeit
  3. xmpp.socket.ssl.keystore = resources/security/keystore
  4. xmpp.socket.ssl.port = 5223
  5. xmpp.socket.ssl.storeType = JKS

Once you add those, restart your server. Then go do steps 6+. Once it is able to locate the proper repository/permissions, it will allow you to delete the temp keys, and import your own.

DO NOT import the unencrypted key. Enter your passphrase that StarCom made you enter when encrypting your key. Then paste in the ENCRYPTED key, and your ssl.crt certificate. Once you do that, you can press submit, and all should be fine.

I am leaving this in case it is of value but first try the method in my reply to this post!

I have been having this same issue and it took me all day to finally get it working. I have a digicert wildcard certificate and it has been a huge pain to get it into Openfire. Even though this isn’t StartSSL specific you should be able to modify it to apply to you.

  1. Go to the import page and bookmark the URL, the reason will be important later. In my case it was http://localhost:9090/import-certificate.jsp

  2. Drop to the command prompt and use keytool to import ALL the intermediate certificates in the chain needed to validate your certificate. In my case there was my certificate, 2 DigiCert certificates then an Entrust Root CA. I had to import the two DigiCert ones into the keystore.

keytool -import -keystore keystore -alias digicert1 -file digicert1.cer

keytool -import -keystore keystore -alias digicert2 -file digicert2.cer

  3. Restart OpenFire so it will re-read your keystore

  4. Don’t try to go to the certificates page since it will just throw an error that one of the keys isn’t a private key. That is why you have to go to the bookmarked import page. Enter your passphrase, existing key and certificate. Mine were the text I used in an Apache install.

  5. If it didn’t work when you submit you should get the red text with the error like couldn’t verify the chain, bad passphrase, etc. If it did work then you will go back to the certificates page which has the private key error. No need to worry, you should see import=success in the URL.

  6. Now that it is there you can clean things up by going back to the command prompt and deleting the intermediate certificates and the default self-signed ones

keytool -delete -keystore keystore -alias digicert1

keytool -delete -keystore keystore -alias digicert2

keytool -delete -keystore keystore -alias domain.name_rsa

keytool -delete -keystore keystore -alias domain.name_dsa

  7. Restart Openfire again and now the certificates screen should work properly and you will see your CA signed cert.

Massive PITA but I finally got it working. Of course my client of choice is Pidgin which doesn’t use the system root CAs so even though I verified it was getting the correct cert it is still prompting the user to accept because the stupid Digicert intermediate cert isn’t in Pidgin. I tried leaving the digicert certs in the keystore in the hopes that they would get passed down like my web servers do but it didn’t work.

Hopefully those of you who aren’t using Pidgin or have the intermediate certs in your clients will find some value in this.

Message was edited by: Kelderek

Wouldn’t you know that I would find the EASY way to do it after I go through all that hassle then write it up for the forums. Here is the link so credit can be given where it is due:

The gist of it is that all you have to do is put the text of your intermediate certs in the cert import box along with the text of your cert. Doesn’t solve my Pidgin issue but it makes the process SO much easier.
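
The chain problem running through this thread ("Failed to establish chain from reply", and pasting the intermediate certificates together with the certificate), as an added example that is not part of any post: shell functions that check the key is encrypted, that it matches the certificate, and that the chain verifies, before building the text for the certificate box. It assumes the openssl CLI is installed and that the box takes the leaf certificate first (the thread does not state an order); `ssl.key` and `out.pem` are placeholder names.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run on the PEM files before
# pasting them into Openfire's import-certificate.jsp. Needs the openssl CLI.

# True if the key file is passphrase-protected (traditional or PKCS#8 PEM).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# True if key $1 and certificate $2 hold the same public key.
# $3 is an openssl -passin spec such as env:KEYPASS (default: empty passphrase),
# which keeps the passphrase out of the process list.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# True if leaf $1 chains through the intermediates in $2 up to root $3.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Writes the certificate-box text to $5: leaf first, then intermediates
# (conventional order, assumed here). The root is not included.
# Args: key leaf intermediates root out [passin]
build_import_pem() {
    key_matches_cert "$1" "$2" "${6:-pass:}" || { echo "key/cert mismatch" >&2; return 2; }
    chain_verifies "$2" "$3" "$4" || { echo "chain does not verify" >&2; return 3; }
    { cat "$2"; echo; cat "$3"; } > "$5"
}

# Stand-alone use (ssl.key and out.pem are placeholder names):
#   sh check.sh ssl.key ssl.crt sub.class1.server.ca.pem ca.pem out.pem env:KEYPASS
if [ "$#" -ge 5 ]; then
    build_import_pem "$@"
fi
```

A return code of 2 means the private key does not belong to the certificate; 3 means an intermediate is missing or wrong, which is the condition behind the chain error quoted in the first post.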

This didn’t work.

Which keystore am I modifying? The one in /opt/openfire/resource/security/keystore?

Even though I add those in, it just gives me a bunch of errors.

I tackled this a while ago: http://community.igniterealtime.org/thread/46823

The instructions there will allow you to do exactly what you want.