XMPP Federation SSL certificates?

Does anyone have a checklist or HOWTO to use XMPP Federation certificates with Wildfire?

I’‘m a noob to SSL (in general) … and I’‘m a bit confused at the two CSR’'s that Wildfire generates when I create self signed certs. Which one of those am I supposed to submit to the CA for signing?

I tried using the XMPP Federation’‘s “No CSR” option, and the import-certificate.jsp page I saw in another thread, but Wildfire didn’'t seem to like the certificate.




I understand your confusion! I don’'t think StartCom is accepting the certificates from Wildfire at the moment and the reason is not clear. See some discussion here


I think your best bet is probably to take the No CSR option and load the keys into Wildfire. It worked for me. However, this will only generate the RSA key. The DSA key is not produced in this process. At the moment a CA signed RSA key certificate and a self-signed DSA key certificate.

The steps I used were as follows:

  1. Generate key and certificate from XMPP federation saving the key and the certificate to local files as you proceed through the process. Name them ssl.key and ssl.crt (for the sake of this process). Follow the instructions on data entry very carefully.

You will now have a secret key encrypted under AES and a certificate. You need to decrypt the key before it can be loaded into Wildfire. I used openSSL for this.

  1. Download openSSL if you don’'t have it. Execute this command from the command line

“openssl rsa -in ssl.key -out decryptedssl.key”

  1. Make sure you have the new truststore with the StartCom certificates - download it from here http://wiki.igniterealtime.org/download/attachments/155/truststore?version=1

  2. If you have previously added certificates to the trustore that you want then you should copy your current truststore to truststore.old (or whatever you want to call it). Copy in the new truststore and then add in your certificates to the new truststore.

  3. If you have changed the password on the truststore from the default of “changit” then you need to either change the password of the new truststore to your password or revert the “xmpp.socket.ssl.trustpass” property to “changeit”.

  4. Copy the current keystore in case everything goes wrong and you need to restore it

  5. Restart the Wildfire service/daemon

  6. Login to Wildfire Admin with your browser

  7. Manually go to the following url: http://yourdomain:9090/import-certificate.jsp

  8. Copy and paste in your decrypted private key (in “decryptedssl.key”) and your signed certificate into the appropriate fields in the browser page.

The key and the certificate should be loaded. If you get an error “Failed to establish chain from reply” then there is likely to be a problem with the right certificates not being in your truststore.

  1. You can now delete the self-signed RSA key if you have one.

I think these are all the steps. I spent a lot of time messing about with this and some things were done in a different order because the new import page didn’'t exist. However, I think I have captured all the important steps.

I hope this helps.



Thanks for your HowTo.

Sounds very complicated at the moment.

Great HOWTO David.

If you’'re installing your XMPP Certificate in a brand new installation of Wildfire 3.2.2, then you only need to do the following:

  1. Decrypt the AES encrypted ssl.key using the following command:

openssl rsa -in ssl.key -out decryptedssl.key

(If you’'re running Windows, you can get Win32 Binaries for OpenSSL here: http://www.slproweb.com/products/Win32OpenSSL.html)

  1. Goto the webpage: http://yourdomain:9090/import-certificate.jsp

  2. Copy and paste the contents of decryptedssl.key into the “Content of Private Key file” field and the contents of the ssl.crt into the “Content of Certificate file” field and click the Save button.

If you’‘re upgrading your Wildfire for 3.2.0 or below then you’‘ll need to follow David’'s detailed steps because the truststore file has been updated to include the StartCom CA certificate which is required to validate the XMPP Federation issued certificate.

Have a go and if you have problems post a message here and there are at least 3 people who’'ll be able to help

I did what stuartbain suggested on a brand new 3.3.2 install.

It all seemed to work, but I am still not sure what to do about DSA.

As rectorydp mentioned, getting the XMPP cert without sending your own CSR, you only get an RSA cert. Should I run an XMPP Federation signed RSA cert alongside a self-signed DSA cert ?

You can’'t use openssl command line to somehow make a DSA cert from your RSA cert, right ?

Another observation is that once I imported the signed RSA certificate without any errors, and told Openfire to make encryption mandatory on server 2 server traffic, no external servers connected to my server anymore.

Not even jabber.org, who no doubt trust the startcom CA and have it installed.

Edit: With the signed RSA cert installed, my SRV records up to scratch and s2s set to require encryption, s2s traffic with jabber.org.au and jabber.org fail. In the debug.log I find the following over and over, once for each connection attempt:

2007.07.28 20:34:57 OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)

2007.07.28 20:34:57 OS - Plain connection to jabber.org:5269 successful

2007.07.28 20:34:57 OS - Indicating we want TLS to jabber.org

2007.07.28 20:34:57 OS - Negotiating TLS with jabber.org

2007.07.28 20:34:58 OS - TLS negotiation with jabber.org was successful

2007.07.28 20:34:58 OS - Error, no SASL mechanisms were offered by jabber.org

2007.07.28 20:34:58 OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)

2007.07.28 20:34:58 OS - Plain connection to jabber.org:5269 successful

2007.07.28 20:34:58 OS - Indicating we want TLS to jabber.org

2007.07.28 20:34:58 OS - Negotiating TLS with jabber.org

2007.07.28 20:34:59 OS - TLS negotiation with jabber.org was successful

2007.07.28 20:34:59 OS - Error, no SASL mechanisms were offered by jabber.org

Message was edited by: centrex