Many years ago, when I started adding certificate management to Openfire, I couldn’t stop thinking how complex the certificate management topic was. Moreover, I thought that the lack of information regarding certificate management was on purpose, as a way to keep them “secure”.
Even though I do not consider myself an expert in security and certificates in particular, I think I finally understood the different ways certificates can be created, signed by Certificate Authorities (CA) and finally be imported into your application. Basically, there are two ways to achieve this, and fortunately the XMPP Federation supports both of them through its CA services.
Create your certificate and ask a CA to sign it
In this case you create a certificate from the Openfire admin console and then ask Openfire to create a Certificate Signing Request (CSR) that is sent to the CA. The CA usually has a web site where you can paste the CSR. If you are using the XMPP Federation services, choose the menu option Server Certificate (Without CSR generation). After the CA has verified the certificate data and the data of the certificate issuer, you will get a signed certificate that you need to import into Openfire from the admin console.
The CA creates a certificate for you and signs it
In this case almost the entire process happens on the CA web site, and administrators will need to import the signed certificate into Openfire. If you are using the XMPP Federation services, choose the menu option Server Certificate (With CSR generation) and then provide a pass phrase to create the certificate and its private key. After the data has been validated you will receive a signed certificate. The last step, importing the new certificate into Openfire, is to paste the pass phrase, private key and signed certificate into the import certificate page in Openfire, and voilà.
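A check worth running before that final paste step, as an added example that is not part of the original post or of Openfire: it confirms that the pass phrase decrypts the private key and that the signed certificate was issued for that key. It assumes the three items are PEM text saved to files and that the `openssl` CLI is installed; the function names and the sample generator (a self-signed certificate standing in for the CA's) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Openfire code. Assumes PEM files and the openssl CLI.

# check_pair KEY_PEM CERT_PEM PASSPHRASE
# Exit status: 0 = pass phrase decrypts the key and the certificate matches it
#              1 = certificate was issued for a different key
#              2 = key did not decrypt (wrong pass phrase or damaged PEM)
#              3 = certificate did not parse
# The body runs in a subshell so the exported pass phrase never leaks
# into the calling shell's environment.
check_pair() (
    # Hand the pass phrase to openssl via the environment, not argv,
    # so it is not visible in the process list.
    KEYPASS=$3; export KEYPASS
    key_pub=$(openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null) || {
        echo "private key did not decrypt: wrong pass phrase or damaged PEM" >&2
        exit 2; }
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || {
        echo "certificate did not parse as PEM X.509" >&2
        exit 3; }
    # Both commands print the public key in the same PEM form, so a plain
    # string comparison tells whether the certificate belongs to this key.
    [ "$key_pub" = "$cert_pub" ] || {
        echo "certificate was issued for a different key" >&2
        exit 1; }
)

# make_constructed_sample DIR PASSPHRASE
# Builds constructed test material in DIR: an encrypted RSA key (key.pem)
# and a self-signed certificate (cert.pem) standing in for the CA-signed one.
# xmpp.example.org is a placeholder name.
make_constructed_sample() (
    mkdir -p "$1" || exit 1
    KEYPASS=$2; export KEYPASS
    openssl genrsa -aes256 -passout env:KEYPASS -out "$1/key.pem" 2048 \
        2>/dev/null || exit 1
    openssl req -new -x509 -key "$1/key.pem" -passin env:KEYPASS \
        -subj "/CN=xmpp.example.org" -days 1 -out "$1/cert.pem" 2>/dev/null
)

# Usage: check_pair key.pem cert.pem 'pass phrase' && echo "pair is consistent"
```

The check covers only the relationship between the three pasted items; it does not validate the certificate's chain or expiry.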
As of Openfire 3.4.2 you will be able to choose the certificate management option that best fits you and follow the entire process from the admin console. You will be able to say bye bye to the cumbersome command line tools. If you are using Openfire 3.4.1 or older then only the first option is supported.