Greetings All,
Firstly, although I'm new on this site I've been using variants of this product since 2006 (Wildfire on UNIX). So I'm fairly familiar with this thing, although still not an expert.
Secondly, configuring self-signed SSL certificates on Openfire has been a bit of a learning curve and it took me a while to work out how to do it, following what seemed like a gazillion guides from a multitude of sources. (Get to the point, dude.)
Thirdly, I'm not teaching anyone how to suck eggs with the following guidelines, but keeping it stupid/simple works for me.
So how did we achieve this?
Assumptions:
- You have a MS CA on 2K8 R2 SP1 installed within your domain that has AD Certificate Services, web services and obviously IIS configured correctly. The CA has issued a root certificate into AD and CRLs are configured accordingly through the default domain GP.
- The server hosting Openfire is MS 2K8 R2 SP1 with firewall ports configured correctly.
Openfire Server
- I had to install the following software:
a. jre-7u45-windows-i586.exe from Here.
b. jdk-7u45-windows-x64.exe, also from the above link.
c. UnlimitedJCEPolicyJDK7.zip from Here.
d. vcredist_x64.exe from Here (needed for OpenSSL x64).
e. Win64OpenSSL-1_0_1e.exe from Here.
- Stop the Openfire Service.
- Add a JAVA_HOME environment variable as "C:\Program Files\Java\jdk1.7.0_45\bin", and also add this to the Path under system variables. (Don't forget the semicolon.)
- Additionally, add the OpenSSL path, C:\OpenSSL-Win64\bin, to the Path.
- Back up keytool.exe from the C:\Program Files (x86)\Java\jre7\bin directory and replace it with the one from JDK\bin.
- Unzip and extract the 2 library files from the JCE policy zip; back up the existing library files in C:\Program Files (x86)\Java\jre7\lib\security and replace them with the 2 from the zip file.
- Copy the whole jre7 folder and paste it into the Openfire directory. Delete the old jre and rename the copied jre7 to jre.
- Export your trusted root CA certificate from IE as base-64 encoded (CER) and save it to C:\Program Files (x86)\Openfire\Resources\Security.
- Open a DOS prompt and cd to C:\Program Files (x86)\Openfire\Resources\Security.
- Run the following keytool command:
keytool -import -keystore truststore -alias "Suitable-Name" -file "Your root CA.cer"
Type in "changeit" when prompted, or your current truststore password if you have changed it.
- Start the Openfire Service.
- Log in to Openfire and navigate to the Certificates page under Server Settings. You'll see 2 self-signed certificates, one RSA and one DSA, with your server hostname.
- Click on the hyperlink under Signing Request and fill in the information for your CA (you can get this from the root certificate you saved earlier). Make sure the name of your CA matches exactly what is on the root CA cert. Save and restart Openfire.
- Log back in and again navigate to the Certificates page. Under Signing Request, select all the text in the RSA window and save it in Notepad, naming the file "rsa.csr" (you will have to uncheck "Hide extensions for known file types" and rename the file, removing the .txt at the end).
- Repeat the process for the DSA window and name it dsa.csr. Save the files to external media or to a shared network folder.
Certificate Authority Server
You will have to duplicate 2 certificate templates based on the standard Web Server template in the Certificate Templates MMC for 2K8 Enterprise. It's entirely up to you as to the validity duration and renewal period, but 2 years and 6 months works for me. Ensure you add your Openfire server to the list of Users/Groups, allocating Full Control. Save each template as OFRSA and OFDSA or something suitable.
The standard Web Server template has RSA 2048 cryptography applied, so this will need to change for the DSA template to match that level of cryptography, or the request will error out later on. Change the purpose of the DSA template to Signature and accept the warning message, then change the cryptography to DSA and 256 bit as a minimum.
- Create a folder on the C: drive and call it Requests. Copy the 2 CSRs into it.
- Open a DOS prompt as administrator and type in the following:
certreq -submit -attrib "certificatetemplate:OFRSA" c:\requests\rsa.csr
- After a brief period a "Certification Authority List" box will pop up. Select your root CA and click OK. Then save your certificate as an X.509 CER certificate. I called mine rsa.cer and saved it in the Requests folder.
- Repeat the process for the DSA certificate and save it as dsa.cer:
certreq -submit -attrib "certificatetemplate:OFDSA" c:\requests\dsa.csr
- Copy the 2 files back over to the Openfire server. Create another folder called Certs on the C: drive and drop them into it.
Openfire Server
Hope you're all still with me!!!
- On the Openfire server open a DOS prompt as Administrator and type in the following:
openssl x509 -in c:\certs\rsa.cer -out c:\certs\rsa.pem
Repeat for the DSA certificate:
openssl x509 -in c:\certs\dsa.cer -out c:\certs\dsa.pem
- Open Explorer and navigate to the Certs folder, open the rsa.pem file with Notepad, and copy and paste the output, from
-----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----
into the RSA window in Openfire. Repeat for the DSA certificate.
- Ensure you amend the security settings within Openfire to Required for both the client and server connections, then restart Openfire.
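One way to check the outcome before pasting the PEM blocks into the admin console, as an added example that is not part of the original post: it prints the exact root CA name the Signing Request form has to match, confirms the root landed in the truststore, and for each issued certificate checks the key algorithm and the chain to your root, then writes the .pem without needing OpenSSL. It assumes the JDK and Openfire paths used above, the issued certificates in C:\Certs, and the exported root saved as rootca.cer; all of those are assumptions to adjust for your layout.

```powershell
# Added example (not from the original post). Assumed: the JDK path and Openfire
# folders used above, rsa.cer/dsa.cer in C:\Certs, and the exported root saved as rootca.cer.
$Security = 'C:\Program Files (x86)\Openfire\resources\security'
$Keytool  = 'C:\Program Files\Java\jdk1.7.0_45\bin\keytool.exe'
$Certs    = 'C:\Certs'
$X509     = 'System.Security.Cryptography.X509Certificates'

# 1. The Signing Request form must carry the issuer name exactly as the root CA states it.
$root = New-Object "$X509.X509Certificate2" (Join-Path $Security 'rootca.cer')
"Root CA subject (copy this into the Signing Request form): $($root.Subject)"

# 2. Confirm the root really landed in the Openfire truststore after 'keytool -import'.
$list = & $Keytool -list -keystore (Join-Path $Security 'truststore') -storepass changeit 2>&1
if (($list -join "`n") -notmatch 'trustedCertEntry') {
    throw 'No trusted entry in truststore: the keytool -import step did not take.'
}

# 3. For each issued certificate: right key algorithm, chains to our root, then write the PEM.
foreach ($name in 'rsa', 'dsa') {
    $cert = New-Object "$X509.X509Certificate2" (Join-Path $Certs "$name.cer")
    $alg  = $cert.PublicKey.Oid.FriendlyName            # 'RSA' or 'DSA'
    if ($alg -ne $name.ToUpper()) {
        throw "$name.cer carries a $alg key: the wrong template (OFRSA/OFDSA) was used."
    }
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'       # CRL reachability is a separate test
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "$name.cer does not build a trusted chain: $why"
    }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) {
        throw "$name.cer chains to '$($top.Subject)', not to the root you imported."
    }
    # Same result as 'openssl x509 -in x.cer -out x.pem', without needing OpenSSL installed.
    $b64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
    Set-Content -Path (Join-Path $Certs "$name.pem") -Value $pem -Encoding Ascii
    "$name.cer OK: $alg key, issued by '$($cert.Issuer)', valid until $($cert.NotAfter)"
}
```

Run it from an elevated PowerShell prompt on the Openfire server; any throw tells you which earlier step to revisit before touching the admin console.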
Finally, you should hopefully have working CA-approved self-signed certificates. As a note, if you notice in the logs that Openfire starts unencrypted for both 5269 and 5222, this is completely normal behaviour: those ports use STARTTLS, so TLS is negotiated once a client or server asks for it.
Regards, and apologies for the long-winded approach.