here's how to do it.
Hm, this didn't work for me.
But I found another way:
I will describe here exactly what I have done. Maybe there is a better way and not every detail here is important. Use this guide at your own risk.
Requirements
- Openfire has to run with Java 1.6 and you have to use the Java 1.6 keytool. I used a JDK 1.6.0_02 from Sun. According to this site an older keytool cannot import third-party signed certificates correctly.
- Certificate (jabber-signed.pem) and key (jabber-private.pem) in PEM format.
- Certificate chain in PEM format. I got two certificates: DFN-CA (dfn-ca.pem) and RWTH-CA (rwth-ca.pem).
- ImportKey.java from Import private key and certificate into Java Key Store (JKS)
Step by Step
Make a backup of your keystore and truststore files. Make a second copy to work with. (Don't work on a running system…) You will find both files in /opt/openfire/resources/security.
Import your certificate chain from top to bottom into your existing truststore:
keytool -importcert -alias dfn-ca -keystore truststore -file dfn-ca.pem
keytool -importcert -alias rwth-ca -keystore truststore -file rwth-ca.pem
Convert your key and certificate into DER format:
openssl pkcs8 -topk8 -nocrypt -in jabber-private.pem -inform PEM -out jabber-private.der -outform DER
openssl x509 -in jabber-signed.pem -inform PEM -out jabber-signed.der -outform DER
Modify ImportKey.java according to the following diff output. This is a program from an untrusted source which works directly with your private key; you should check exactly what it does… use at your own risk.
[coolcat@sempron2800 KeyStore]$ diff ImportKey.java ImportKey_original.java
87c87
< String keypass = "changeit";
---
> String keypass = "importkey";
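Review bot: the keystore password now sits as a literal in the source (`< String keypass = "changeit";`), so every copy of the patched ImportKey.java, and this post, carries the password that protects the private key. Better to read it from a system property or prompt for it at run time, and to change the keystore password away from that value once the import is done.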
90c90
< String defaultalias = "private-key";
---
> String defaultalias = "importkey";
93c93,99
< String keystorename = "keystore";
---
> String keystorename = System.getProperty("keystore");
>
> if (keystorename == null)
> keystorename = System.getProperty("user.home")+
> System.getProperty("file.separator")+
> "keystore.ImportKey"; // especially this ;-)
>
Compile the class with Java 1.6:
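Review bot: dropping the `System.getProperty("keystore")` lookup in favour of the literal `"keystore"` (`< String keystorename = "keystore";`) makes the program always write a file called keystore in the current working directory, silently overwriting one that is already there; the original fallback to keystore.ImportKey in the home directory was what prevented that. Keep the -Dkeystore property and use the literal only when it is unset, or bail out if the target file already exists.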
javac ImportKey.java
Create a *new keystore file* in the current working directory, which contains your private key:
java ImportKey jabber-private.der jabber-signed.der
Copy the keystore and truststore files back to +/opt/openfire/resources/security+ and restart your Openfire server. On the +Server Certificates+ page in the admin console the new key is shown as +Pending Verification+, so I tried to import my certificate into the truststore, but this seems not to change anything.
keytool -importcert -alias jabber-cert -keystore truststore -file jabber-signed-short.pem
+jabber-signed-short.pem+ is the plain certificate, just this part:
-----BEGIN CERTIFICATE-----
/* … */
-----END CERTIFICATE-----
Finally I ignored the Pending Verification, because it worked.
Additionally, the Server Certificates page says something like "One or more certificates are missing. Click here to generate self-signed certificates." I ignored it, too.
I will get an email when someone answers in this thread, so ask your questions here, even if this thread grows older. I hope this will help someone.
Coolcat
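An added example, not code from this thread or from the ImportKey page: a small Java program that does the same job as the patched ImportKey (PKCS#8 DER key plus certificate into a JKS key entry), but takes the keystore path, alias and certificate chain on the command line and the password from an environment variable (KEYSTORE_PASS, an assumed name) instead of hard-coding them in the source; it assumes an RSA key and adds to an existing keystore rather than overwriting it.

```java
import java.io.*;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;

// Usage: KEYSTORE_PASS=... java ImportKeyChain <keystore> <alias> <key.der> <cert> [ca-cert ...]
// The keystore/key password comes from the environment variable KEYSTORE_PASS
// (an assumed name for this example); nothing is hard-coded in the source.
public class ImportKeyChain {
    static byte[] readAll(String path) throws IOException {
        InputStream in = new FileInputStream(path);
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
            return out.toByteArray();
        } finally { in.close(); }
    }
    public static void main(String[] args) throws Exception {
        String pass = System.getenv("KEYSTORE_PASS");
        if (args.length < 4 || pass == null) {
            System.err.println("usage: KEYSTORE_PASS=... java ImportKeyChain <keystore> <alias> <key.der> <cert> [ca-cert ...]");
            System.exit(2);
        }
        char[] password = pass.toCharArray();
        File ksFile = new File(args[0]);
        KeyStore ks = KeyStore.getInstance("JKS");
        if (ksFile.exists()) {                       // add to the existing store, keep its other entries
            InputStream in = new FileInputStream(ksFile);
            try { ks.load(in, password); } finally { in.close(); }
        } else ks.load(null, null);                  // start an empty store
        // PKCS#8 DER private key as produced by "openssl pkcs8 -topk8 -nocrypt"; RSA assumed
        PrivateKey key = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(readAll(args[2])));
        // Certificates may be DER or PEM; order is server certificate first, then each CA up to the root
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<Certificate>();
        for (int i = 3; i < args.length; i++)
            chain.addAll(cf.generateCertificates(new ByteArrayInputStream(readAll(args[i]))));
        // The key entry carries the whole chain, which is what keytool -list shows as "Certificate chain length"
        ks.setKeyEntry(args[1], key, password, chain.toArray(new Certificate[chain.size()]));
        OutputStream out = new FileOutputStream(ksFile);
        try { ks.store(out, password); } finally { out.close(); }
    }
}
```

For the files in this post the call would be `java ImportKeyChain keystore private-key jabber-private.der jabber-signed.der rwth-ca.pem dfn-ca.pem`, with the CA files listed in the order the chain climbs toward the root.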