Using a PKCS#12 File as keystore?

Hi there,

Is it possible to use a PKCS#12 file (exported from IIS 7.5) as a keystore?

We have a wildcard certificate and I’m going insane with implementing valid SSL into openfire…

[my other thread]

Where do I have to set the value for the used keystore? Is there another setting to change?

In fact, since openfire uses tomcat, I tried to add a connector into the openfire.xml because we did the same in JIRA (Atlassian).

Well, I added the following content inside the jive-tag, between and :

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxHttpHeaderSize="8192" SSLEnabled="true"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
            enableLookups="false" disableUploadTimeout="true"
            acceptCount="100" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
            keystoreType="pkcs12"
            keystorePass="*x*x*x*"
            keystoreFile="C:\wildcard.seven2one.de.pfx" />

Experimenting with the port was not helpful. Any other ideas? It seems to me that the syntax is not correct (in comparison with the rest of the file).

There is a guide somewhere in this forum that explains how to build a JKS using the keytool command line utility. I was successful importing the key/cert for my own wildcard certificate, along with the CA chain required to support it.

I’ll try to dig it up, but I’m pretty sure you can’t use PKCS12 as a keystore with openfire.

Tomorrow I’m going to have a look for that guide.

It’s pretty hard to find any documentation about the used tomcat version etc. online… but thanks for now!

Which was your issuer, or was it private?

Do you think this will be solved? In any case it seems to be a problem of openfire itself - so right now it’s not supported, right?

Have a look at this case:

OF-331

I’m trying to follow, but the bug report you posted has nothing to do with wildcard certs being used for clients.

I am using a wildcard cert in production for clients (issued by Verisign), and it works just fine. What exactly does not work, other than you wanting to use a pkcs12 keystore that isn’t supported anywhere?

I just don’t know how to make it work. Using a pkcs12 was just an alternative idea that I had…

By the way… you may be right, but when I’m reading the thread which is attached to the bug report I can find the same error message which I receive:

“supplied key (null) is not a RSAPrivateKey instance”

Probably yours is working as it’s from verisign?! Mine is only valid if the certification path is correct… which means the following:

*.seven2one.de (our cert) > RapidSSL > GeoTrust

The knowledge base of rapidSSL is talking about several different certs… e.g. a primary and a secondary intermediate certificate (if you’re using tomcat)… damn… it’s so confusing…

Thanks for your posts so far…

scorp

btw: There are other servers and services with that cert which are running problem-free!


Did you find any resolution to this issue? I’ve got the same problem and it’s been very frustrating…

I don’t remember where this is from, but it worked for me:

After some trying it was easy to get openfire running with our official GoDaddy Wildcard SSL Certificate

Convert your key and cert to DER format (thanks to AgentBob http://www.agentbob.info/agentbob/79.html ):

  • openssl pkcs8 -topk8 -nocrypt -in lovelysystems.com.key -inform PEM -out lovelysystems.com.key.der -outform DER
  • openssl x509 -in _.lovelysystems.com.crt -inform PEM -out _.lovelysystems.com.crt.der -outform DER

Get some java utilities to create a java key store (yes java still rosucks, thanks to AgentBob again):

  • ImportKey.java http://www.agentbob.info/agentbob/80.html , ImportKey.class http://www.agentbob.info/agentbob/81.html (Java 5) (local copy http://www.lovelysystems.com/wp-content/uploads/2007/05/importkey.zip )

Create a new keystore (/root/keystore.ImportKey):

  • java ImportKey lovelysystems.com.key.der _.lovelysystems.com.crt.der

Change the keytool passwords back to the defaults (from ‘importkey’ to ‘changeit’):

  • keytool -storepasswd -keystore /root/keystore.ImportKey
  • keytool -keypasswd -alias importkey -keystore /root/keystore.ImportKey

Add the GoDaddy Intermediate Certificate:

  • wget --no-check-certificate https://certificates.godaddy.com/repository/sf_issuing.crt
  • keytool -import -alias intermed -file sf_issuing.crt -keystore /root/keystore.ImportKey -storepass changeit -trustcacerts

Move it to openfire (probably back up the old first) and restart openfire:

  • mv /root/keystore.ImportKey /opt/openfire/resources/security/keystore
  • /opt/openfire/bin/openfire stop
  • /opt/openfire/bin/openfire start
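A shorter route than the DER/ImportKey procedure above, added here as an example (it is not from the thread and not Openfire's own tooling): since Java 6, keytool can read a PKCS#12 directly and copy its key entry, including whatever chain the .pfx carries, into the JKS that Openfire loads from resources/security/keystore. It assumes keytool from a JDK is on PATH; the file names, passwords and the alias "openfire" are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: convert an IIS-exported .pfx into the JKS
# Openfire reads from resources/security/keystore (default store password
# 'changeit', as used in the thread). Requires keytool from a JDK (6 or newer).
set -eu

# pkcs12_to_jks IN.PFX PFX_PASS OUT.JKS JKS_PASS [ALIAS]
# Copies the private-key entry, chain included, into a JKS under ALIAS.
pkcs12_to_jks() {
  in_pfx=$1; in_pass=$2; out_jks=$3; out_pass=$4; alias=${5:-openfire}
  # IIS/openssl name the key entry arbitrarily ("1", a GUID, ...): look it up.
  src_alias=$(keytool -list -keystore "$in_pfx" -storetype PKCS12 \
                -storepass "$in_pass" | awk -F, '/PrivateKeyEntry/ {print $1; exit}')
  if [ -z "$src_alias" ]; then
    echo "no PrivateKeyEntry found in $in_pfx" >&2
    return 1
  fi
  keytool -importkeystore -noprompt \
    -srckeystore "$in_pfx" -srcstoretype PKCS12 -srcstorepass "$in_pass" \
    -srcalias "$src_alias" \
    -destkeystore "$out_jks" -deststoretype JKS -deststorepass "$out_pass" \
    -destkeypass "$out_pass" -destalias "$alias"
}

# chain_length JKS PASS ALIAS: prints how many certificates the entry's chain holds.
# 1 means only the leaf came across, i.e. the .pfx was exported without the
# intermediates (RapidSSL/GeoTrust in the thread) that clients need to validate.
chain_length() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
    | awk '/^Certificate chain length:/ {print $4}'
}

# Usage: sh pkcs12-to-jks.sh wildcard.pfx 'pfx-password'   (placeholder names)
if [ "${1:-}" != "" ]; then
  pkcs12_to_jks "$1" "$2" keystore changeit openfire
  echo "chain length: $(chain_length keystore changeit openfire)"
fi
```

If chain_length prints 1, re-export the .pfx from IIS with the full certification path included (or rebuild it with openssl pkcs12 -export -chain -CAfile) before converting, so the intermediates travel with the key.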

Thanks David. I’ve tried it. I’m just surprised about how difficult this is. I’ve been doing this kind of stuff for a long time and this is painful! :)

I’ve got a wildcard SSL cert from godaddy. I’ve used all sorts of tools to do conversions of the cert/keys to the appropriate file types. Each “solution” is fraught with problems and dead ends.

How bad is it if I just leave the self-signed certs that were created during configuration? I mean… the goal is to encrypt communications between server and clients, right? Doesn’t that achieve the goal?