Hi there,
is it possible to use a PKCS#12 File (exported from IIS7.5) as a keystore?
We have a wildcard certificate and I’m going insane with implementing valid SSL into openfire…
[my other thread]
Where do I have to set the value for the used keystore? Is there another setting to change?
In fact openfire uses tomcat. I tried to add a connector into the openfire.xml because we did the same in JIRA (Atlassian).
Well, I added the following content inside the jive-tag, between and :
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
           keystoreType="pkcs12"
           keystorePass="*x*x*x*"
           keystoreFile="C:\wildcard.seven2one.de.pfx" />
Experimenting with the port was not helpful. Some different ideas? It seems to me that the syntax is not correct (in comparison with the rest of the file).
There is a guide somewhere in this forum that explains how to build a JKS using the keytool command line utility. I was successful importing the key/cert for my own wildcard certificate, along with the CA chain required to support it.
I’ll try to dig it up, but I’m pretty sure you can’t use PKCS12 as a keystore with openfire.
Tomorrow I’m going to have a look for that guide.
It’s pretty hard to find any documentation about the used tomcat version etc. online… but thanks for now!
Which was your issuer, or was it private?
Do you think this will be solved? In any case it seems to be a problem of openfire itself - so right now it’s not supported, right?
Have a look at this case:
OF-331
I’m trying to follow, but the bug report you posted has nothing to do with wildcard certs being used for clients.
I am using a wildcard cert in production for clients (issued by Verisign), and it works just fine. What exactly does not work, other than you wanting to use a pkcs12 keystore that isn’t supported anywhere?
I just don’t know how to make it work. Using a pkcs12 was just an alternative idea that I had…
By the way… you may be right, but when I’m reading the thread which is attached to the bug report I can find the same error message which I receive:
“supplied key (null) is not a RSAPrivateKey instance”
Probably yours is working as it’s from verisign?! Mine is only valid if the certification path is correct… which means the following:
*.seven2one.de (our cert) > RapidSSL > GeoTrust
The knowledge base of rapidSSL is talking about several different certs… e.g. a primary and a secondary intermediate certificate (if you’re using a tomcat)… damn… it’s so confusing…
Thanks for your posts so far…
scorp
btw: There are other servers and services with that cert which are running problem-free!
Did you find any resolution to this issue? I’ve got the same problem and it’s been very frustrating…
I don’t remember where this is from, but it worked for me:
After some trying it was easy to get openfire running with our official GoDaddy Wildcard SSL Certificate
Convert your key and cert to DER format (thanks to AgentBob http://www.agentbob.info/agentbob/79.html ):
- openssl pkcs8 -topk8 -nocrypt -in lovelysystems.com.key -inform PEM -out lovelysystems.com.key.der -outform DER
- openssl x509 -in _.lovelysystems.com.crt -inform PEM -out _.lovelysystems.com.crt.der -outform DER
Get some java utilities to create a java key store (yes java still sucks, thanks to AgentBob again)
- ImportKey.java http://www.agentbob.info/agentbob/80.html , ImportKey.class http://www.agentbob.info/agentbob/81.html (Java 5) (local copy http://www.lovelysystems.com/wp-content/uploads/2007/05/importkey.zip )
Create a new keystore (/root/keystore.ImportKey):
- java ImportKey lovelysystems.com.key.der _.lovelysystems.com.crt.der
change the keytool passwords back to the defaults (from ‘importkey’ to ‘changeit’)
- keytool -storepasswd -keystore /root/keystore.ImportKey
- keytool -keypasswd -alias importkey -keystore /root/keystore.ImportKey
Add the GoDaddy Intermediate Certificate:
- wget --no-check-certificate https://certificates.godaddy.com/repository/sf_issuing.crt
- keytool -import -alias intermed -file sf_issuing.crt -keystore /root/keystore.ImportKey -storepass changeit -trustcacerts
Move it to openfire (probably back up the old first) and restart openfire
- mv /root/keystore.ImportKey /opt/openfire/resources/security/keystore
- /opt/openfire/bin/openfire stop
- /opt/openfire/bin/openfire start
Thanks David. I’ve tried it. I’m just surprised about how difficult this is. I’ve been doing this kind of stuff for a long time and this is painful! 
I’ve got a wildcard SSL cert from godaddy. I’ve used all sorts of tools to do conversions of the cert/keys to the appropriate file types. Each “solution” is fraught with problems and dead ends.
How bad is it if I just leave the self-signed certs that were created during configuration? I mean… the goal is to encrypt communications between server and clients, right? Doesn’t that achieve the goal?