I have spent hours fighting with installing certificates into OpenFire - IT DOES NOT WORK! Does anyone have WORKING instructions for installing a CA certificate, and a key & certificate into an OpenFire server? I’ve been over the OpenFire SSL guide and numerous other sites and I always end up with OpenFire clients complaining about a self-signed cert (of which there is none) or the &@^&$*&@ useless “supplied key (null) is not a RSAPrivateKey instance” error when I click on Server / Server Settings / Server Certificates.
The procedure I had the most confidence in, but did not work, was:
--- verify keystore is empty ----
tun # jre/bin/keytool -keystore ./resources/security/keystore -list
--- import CA certificate ----
tun # jre/bin/keytool -keystore ./resources/security/keystore -import -alias cacert -file /tmp/cacert.pem
--- Generate a key ----
tun # jre/bin/keytool -keystore ./resources/security/keystore -genkey -alias mormail-rsa -keyalg RSA
--- Export the key ----
tun # jre/bin/keytool -keystore ./resources/security/keystore -alias mormail-rsa -certreq -file mormail-rsa.csr
--- Move the CSR to the signing machine ---
tun # scp mormail-rsa.csr awilliam@192.168.1.122:Documents/Organizations/MI/SSL/
---- Sign the certificate ----
$ openssl ca -policy policy_anything -days 730 -in mormail-rsa.csr -out mormail-rsa.cert
---- Convert to DER ----
$ openssl x509 -in mormail-rsa.cert -inform PEM -out mormail-rsa.cert.der -outform DER
---- Move the certificate back to the openfire server ----
$ scp mormail-rsa.cert.der root@tun.mormail.com:/tmp
---- Import the certificate ---
tun # jre/bin/keytool -import -keystore ./resources/security/keystore \
-alias mormail-rsa -file /tmp/mormail-rsa.cert.der
And I'm right back to the &*@^*&$*&@ "supplied key (null) is not a RSAPrivateKey instance" error message.
The server name in the “Server Information” page does not feature the yellow exclamation point. I’ve also tried adding the cacert.pem to the truststore.
I followed these instructions and it partially worked for me. The website certificate for SSL works fine, no issues, using our local CA in the truststore; the website does not say it has a bad certificate. However, when the clients connect you have to click accept once and you’ll be good to go. I hope this helps.
dumb question, have you tried setting up connectivity over port 5222 instead of the “old” SSL port of 5223? IE, change the security settings to disable any of the old SSL auths and just use the SSLv3/TLSv1 cert process.
This is a complete shot in the dark - the only other thing I can think of is that you may not have all the root certs installed in your cert path. I know our godaddy certs required the installation of their root cert before our path was complete. When I test our self signed cert, I receive return code 18 indicating it’s self signed but nothing about the certification path being invalid…just a thought.
BTW, this is all based on testing on CentOS 5.2 - YMMV.
dumb question, have you tried setting up connectivity over port 5222 instead of the “old” SSL port of 5223? IE, change the security settings to disable any of the old SSL auths and just use the SSLv3/TLSv1 cert process.
Yes, clients are using TLS. But I use the openssl command to test to see if there are any actual SSL errors, to do that I use the “old” SSL port as the openssl s_client can only test TLS for IMAP & SMTP, not for XMPP.
When I test our self signed cert, I receive return code 18 indicating it’s self signed but nothing about the certification path being invalid
Yea, SSL errors habitually have unhelpful, even misleading, error messages. I’d suspect the CA cert wasn’t in my cert path, but I don’t have to specify a CAfile or CApath for openssl s_client to not have an error. Which doesn’t make sense.
BTW, this is all based on testing on CentOS 5.2 - YMMV.
Same here, possibly a bit newer. But OpenFire is pretty self-contained either way.
However the clients when connecting, you have to click accept once and you’ll good to go.
I’d interpret this as it-did-not-work. If the client trusts the certificate, why would it prompt to accept it? That is the same as if using a self-signed certificate.
Did you solve this? I am having the same problem and know in the past had the same headache but somehow, somehow got it to work. Now my certificate has expired and I am back having struggles.
I am having the exact same issue. I have gone through, and tried all the suggestions in the various posts in Openfire Support. Still no luck. Using keytool, I am able to list/delete/import certs in my keystore. But when I click on “Server Certificates” using the browser UI, I get the following java exception:
java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
Has anyone found a solution for this? Does anyone know the cause for this error?
Any help/guidance appreciated.
Bal
Me too. I’m looking at server-to-server connections though.
Viewing the Server Certificates page in the admin consoles shows that I have a “CA Signed RSA” and a “CA Signed DSA” certificate.
The log files show the TLS connection is established, but no authentication mechanism is offered.
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Plain connection to :5269 successful
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Indicating we want TLS to
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Negotiating TLS with
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - TLS negotiation with was successful
2010.01.16 13:19:27 LocalOutgoingServerSession: OS - Error, EXTERNAL SASL and SERVER DIALBACK were not offered by
Looking at SASLAuthentication.java, I can see that for me it is walking the certificate chain and tries to find the CA certificate in my keystore. If I don’t import the CA certificate in my keystore (it is in my truststore, didn’t think it was needed in the keystore too) it throws an exception and the certificate is marked as self signed. If I import the CA certificate to my keystore too, my certificate still gets marked as self signed because the CA certificate is self signed. When the CA cert is in my keystore, I can no longer view the “Server Certificates” page in the admin console as I get a java exception.
Does anyone have this working? If I run it in a debugger and force my cert to be considered not self signed everything does work. Not sure if it’s a problem with my certificates or the logic in openfire to determine if a cert is self signed or not.
I’m not sure i have understood all the technical stuff, but i will try to file John’s message as a bug report. OF-331. It will be pushed to 3.6.6, as we want to finalize 3.6.5 sooner.
With a small modification to the check for a self signed local certificate in method SASLAuthentication.getSASLMechanisms, I have this working.
The call to session.getConnection().getLocalCertificates() returns the certificate chain used in the TLS handshake. The return value is an ordered array with the local certificate first, followed by the certificate authorities (see javax.net.ssl.SSLSession.getLocalCertificates). Instead of iterating over the entire array, just check the first certificate to see if it’s self-signed or not.
I also experienced this and it is really frustrating. After many weeks and days, I was able to make our wild card certificate to work by importing the rootCA chain one at a time. I did not import it as a chain, instead I imported it like two certificates on the truststore and it worked like a charm.
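An added example, my own script rather than anything from Openfire or from the posters above, that covers both John's point about testing only the first certificate of the local chain and the previous post's one-at-a-time import of the CA chain. It splits a PEM bundle into its individual certificates, prints the fingerprint keytool -list -v shows, flags which entries are self-signed (issuer Name equal to subject Name) and emits one keytool -import per certificate, since keytool reads only the first block of a bundle when importing a trusted certificate. The two chain checks side by side show why scanning the whole array trips on the root CA. The sample certificates are constructed inside the script (structurally valid but unsigned, with zero-filled keys) so it runs offline; the chain-N.pem file names, the ca-<fingerprint> alias scheme and the truststore path are my assumptions.

```python
"""Split a PEM bundle, fingerprint each certificate and flag self-signed ones.

Added example for this thread, not Openfire code. Standard library only; the
X.509 walk is a minimal DER reader that locates the issuer and subject Names."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(bundle_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(bundle_text)]


def der_tlv(buf, pos):
    """Decode the tag and length at buf[pos:]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """(tag, raw TLV bytes) of each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = der_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def names_of(der):
    """(issuer, subject) as raw DER Name bytes of one X.509 certificate."""
    _, cs, _ = der_tlv(der, 0)              # Certificate ::= SEQUENCE {
    _, ts, te = der_tlv(der, cs)            #   tbsCertificate ::= SEQUENCE {
    fields = list(der_children(der, ts, te))
    if fields[0][0] == 0xA0:                #     [0] EXPLICIT version is OPTIONAL
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def describe(der):
    issuer, subject = names_of(der)
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),   # as in keytool -list -v
            "sha256": hashlib.sha256(der).hexdigest().upper(),
            "self_signed": issuer == subject}


def leaf_is_self_signed(chain):
    """The fix described in the thread: only the local certificate, the first
    element of the handshake chain, is tested. The root further down the chain
    is self-signed by definition and must not count."""
    return describe(chain[0])["self_signed"]


def any_in_chain_self_signed(chain):
    """The reported behaviour: scanning the whole chain trips on the CA cert."""
    return any(describe(c)["self_signed"] for c in chain)


def keytool_import_plan(bundle_text, keystore):
    """One file and one keytool -import per certificate, each under its own alias
    (alias scheme and file names are this example's assumption)."""
    plan = []
    for i, der in enumerate(split_pem(bundle_text)):
        alias = "ca-%s" % describe(der)["sha1"][:8].lower()
        fname = "chain-%d.pem" % i
        plan.append((fname, der, "keytool -import -keystore %s -alias %s -file %s"
                     % (keystore, alias, fname)))
    return plan


# ---- constructed sample data: structurally valid but UNSIGNED certificates ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):                              # Name with a single commonName (2.5.4.3) RDN
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_fake_cert(subject_cn, issuer_cn):
    """Demo certificate: real field layout, zero-filled key and signature."""
    sha256_rsa = bytes.fromhex("300d06092a864886f70d01010b0500")
    rsa = bytes.fromhex("300d06092a864886f70d0101010500")
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _der(0x30, rsa + _der(0x03, b"\x00")))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_CHAIN = [make_fake_cert("xmpp.example.com", "Example Issuing CA"),
                make_fake_cert("Example Issuing CA", "Example Root CA"),
                make_fake_cert("Example Root CA", "Example Root CA")]
SAMPLE_BUNDLE = "".join(to_pem(c) for c in SAMPLE_CHAIN)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for fname, der, cmd in keytool_import_plan(text, "resources/security/truststore"):
        with open(fname, "wb") as f:
            f.write(to_pem(der).encode())
        print(cmd, "  # self-signed:", describe(der)["self_signed"])
```

Run it with a real bundle as the first argument (python3 split_chain.py chain.pem) and it writes chain-0.pem, chain-1.pem, ... and prints the import command for each; with no argument it uses the constructed sample chain. The self-signed test compares the raw DER of the two Names rather than their printed form, so differently encoded but equal-looking DNs are not confused.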