Windows CA Signing issues - read every thread I could find, still no luck

I’ve been using JiveServer/Wildfire/Openfire in my organization since 2.2.0 and now am running 3.4.5. I want to secure things a bit better than using the standard certs to negotiate a TLS connection. We have a Windows Enterprise Root CA in our org and I’ve had nothing but issues getting the certificate options working properly. I’ve generated self signed certs for CSR from Openfire and have signed them with our CA using the web interface, they import correctly (or so the green message says in the certificate window) for both RSA and DSA, but the cert requests never complete! I’ve also taken the main cert on the CA, exported, used OpenSSL to get the RSA and cert info and importing into Openfire which ends up generating a new cert request that appears it wants me to have signed, but errors out when signing.

What am I doing wrong, is there a config missing on my CA? I didn’t configure it and the person who did is gone. I am by no means an expert in certs, but any help with a Windows Enterprise Root CA would be helpful.

Thanks!

Hey Purist,

I never used a Windows Enterprise Root CA, but still I’m confused by your post.

Purist wrote:

I’ve been using JiveServer/Wildfire/Openfire in my organization since 2.2.0 and now am running 3.4.5, I want to secure things a bit better than using the standard certs to negotiate a TLS connection. We have a Windows Enterprise Root CA in our org and I’ve had nothing but issues getting the certificate options working properly. I’ve generated self signed certs for CSR from Openfire and have signed them with our CA using the web interface, they import correctly (or so the green message says in the certificate window) for both RSA and DSA,

Ok. So you were able to generate a self-signed certificate, create a signing request, send it to the CA, the CA signed the request and gave you a new signed cert and you were able to import it.

but the cert requests never complete!

Now I’m confused. What is not completed? BTW, have you checked if there are any errors in the log files?

I’ve also taken the main cert on the CA, exported, used OpenSSL to get the RSA and cert info and importing into Openfire which ends up generating a new cert request that appears it wants me to have signed, but errors out when signing.

Are you referring to the root certificate of the CA? If you do then you don’t need to follow the process you described to import it into Openfire. Root certificates (i.e. certificates that you trust) should be imported from the command line (not the admin console) using a syntax like the following:

cd [openfire home]/resources/security

keytool -import -keystore truststore -file root.crt -alias mycaroot

Remember to check the log files for errors.

Regards,

– Gato

Gato,

Ok. So you were able to generate a self-signed certificate, create a signing request, send it to the CA, the CA signed the request and gave you a new signed cert and you were able to import it.

  • I assume when you import the signed requests into Openfire (in the CA reply box) the signing request should go away and the existing CSR should no longer say ‘Pending Verification’, is that correct?

Are you referring to the root certificate of the CA? If you do then you don’t need to follow the process you described to import it into Openfire. Root certificates (i.e. certificates that you trust) should be imported from the command line (not the admin console) using a syntax like the following:

cd [openfire home]/resources/security

keytool -import -keystore truststore -file root.crt -alias mycaroot

Remember to check the log files for errors.

  • I admit, I’m guilty, haven’t checked the logs yet. Based on this blog you posted it looked like there’s no command line interface required for the keytool anymore:

http://www.igniterealtime.org/community/blogs/ignite/2007/11/30/your-certificate-survival-kit

So just a recap, I’ve tried this two different ways, doing self-signed certs submitted for CSR, submitted the CA reply for both RSA and DSA but still receiving ‘Validation Pending’. I also attempted to import the root cert by exporting to pfx and using OpenSSL to decrypt and import. You’re saying I should be using the keytool.

Does this clarify things?

Thanks!

FYI, I just ran the keytool command to import the root cert to the keystore and was successful, but the server cert page in the admin console has no knowledge of any certs. (I deleted the previous self-signed cert CSRs before running the keytool command).

I figured out the issue, my xmpp.domain was incorrect, causing the certs to be generated incorrectly and hence signed wrong.
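Added example (not code from the thread or from Openfire): a Python check over the output of `keytool -list -v` that flags the two conditions this thread turned on, a leaf certificate whose CN does not match xmpp.domain, and a certificate that is still self-signed because the CA reply was never applied. The sample listing, aliases and DNs are constructed placeholders.

```python
import re

# Constructed sample of `keytool -list -v` output for an Openfire keystore (placeholder names, not the thread's).
SAMPLE_KEYTOOL_LIST = """\
Alias name: chat.example.org_rsa
Certificate chain length: 1
Certificate[1]:
Owner: CN=im.example.org, OU=IT, O=Example Org, C=US
Issuer: CN=im.example.org, OU=IT, O=Example Org, C=US

Alias name: chat.example.org_dsa
Certificate chain length: 2
Certificate[1]:
Owner: CN=chat.example.org, OU=IT, O=Example Org, C=US
Issuer: CN=Example Enterprise Root CA, DC=example, DC=org
Certificate[2]:
Owner: CN=Example Enterprise Root CA, DC=example, DC=org
Issuer: CN=Example Enterprise Root CA, DC=example, DC=org
"""

def parse_keytool_list(text):
    """One dict per keystore entry: alias plus owner/issuer DN of the leaf (first) certificate."""
    entries = []
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias = block.split("\n", 1)[0].strip()
        owner = re.search(r"^Owner: (.*)$", block, re.M)
        issuer = re.search(r"^Issuer: (.*)$", block, re.M)
        entries.append({"alias": alias,
                        "owner": owner.group(1).strip() if owner else "",
                        "issuer": issuer.group(1).strip() if issuer else ""})
    return entries

def common_name(dn):
    """CN attribute of a keytool-printed DN (escaped commas inside values are not handled)."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""

def check_entry(entry, xmpp_domain):
    """Problems for one entry; an empty list means the certificate is usable for that domain."""
    problems = []
    cn = common_name(entry["owner"])
    if cn.lower() != xmpp_domain.lower():
        problems.append(f"CN '{cn}' does not match xmpp.domain '{xmpp_domain}'")
    if entry["owner"] == entry["issuer"]:
        problems.append("self-signed (issuer equals owner): the CA reply was not applied")
    return problems

def check_keystore(text, xmpp_domain):
    """Map each alias in the keytool listing to its list of problems."""
    return {e["alias"]: check_entry(e, xmpp_domain) for e in parse_keytool_list(text)}
```

Run it against the real listing with `check_keystore(open("keytool.txt").read(), "<your xmpp.domain>")`; a non-empty list for the alias you expect to serve is the mismatch this thread ended on.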