Up to Discussions in Openfire Support
7 Replies Last post: Oct 27, 2007 7:24 AM by Attila  
Coolcat KeyContributor
Coolcat
727 posts since
Mar 19, 2007
Currently Being Moderated

May 2, 2007 4:14 PM

Import SSL Key and Certificate

Hi,

I got an SSL Key and Certificate from my CA. I have some problems to import them into Openfire 3.3.0.

 

I got both files in PEM-Format. Because Openfire says there are in bad format, I use only this parts:

---BEGIN RSA PRIVATE KEY---

....blabla...

---END RSA PRIVATE KEY---

 

---BEGIN CERTIFICATE---

....blabla...

---END CERTIFICATE---

 

I tried the hidden page, mentioned here, to import the files.

https://my-jabber-server.com:9091/import-certificate.jsp

But I get the following:

There was an error one importing private key and signed certificate. Error message: Failed to establish chain from reply

The I tried to import the PEM-Cert form my CA with Java-Keytool:

cd openfire/resources/security

keytool -import -v -trustcacerts -file cert-from-ca.pem -keystore truststore

but this doesn''t help.

 

My CA (my university) is not NOT a Top-Level-CA itself. The certificate chain ends at DFN Top Level CA, which is NOT trusted by any of "default" Top-Level-CAs. Maybe this is the problem...

 

Any ideas?

 

thanks in advance,

Coolcat

 

Message was edited by: Coolcat

Bronze
Martin Marcher
4 posts since
Jun 20, 2007
Currently Being Moderated
Jul 12, 2007 2:00 AM in response to: Coolcat
Re: Import SSL Key and Certificate

I had exactly the same problem,

 

here''s how to do it.

 

get the root CA certificate from your CA (your university in that case)

 

use keytool to import it into $OPENFIRE_HOME/resources/security/truststore

 

then take you''re rsa key and certificate to the import-certificate.jsp page and import them.

 

i still have a message that a certificate is missing but I think that should be solveable....

 

 

hope that helps

Report Abuse
Coolcat KeyContributor
Coolcat
727 posts since
Mar 19, 2007
Currently Being Moderated
Jul 12, 2007 2:31 AM in response to: Martin Marcher
Re: Import SSL Key and Certificate

thanks, I will try it on sunday or so...

Report Abuse
Bronze
Martin Marcher
4 posts since
Jun 20, 2007
Currently Being Moderated
Jul 12, 2007 2:49 AM in response to: Coolcat
Re: Import SSL Key and Certificate

if you care to find out,

 

i don''t get why i need a *.example.com certificate for the server. my server is jabber.example.com and imho that should be the only entrypoint to the jabber service. all other things are

 

a) either discovered via dns or

b) iirc wrapped in xml request (e.g. broadcast.openforce.com doesn''t exist it just describes the service)

Report Abuse
Coolcat KeyContributor
Coolcat
727 posts since
Mar 19, 2007
Currently Being Moderated
Jul 21, 2007 7:54 AM in response to: Martin Marcher
Re: Import SSL Key and Certificate

here''s how to do it.

hm, this didn''t worked for me.

 

But I found another way:

I will describe here exactly what I have done. Maybe there is a better way and not every detail here is important. Use this guide at your own risk.

 

Requirements

  • Openfire has to run with Java 1.6 and you have to use the Java 1.6 keytool. I used an JDK 1.6.0_02 from Sun. According to this site an older keytool can not import third party signed certificates correctly.

  • Certificate (jabber-signed.pem) and Key (jabber-private.pem) in PEM format.

  • Certificate chain in PEM format. I got two certificates: DFN-CA (dfn-ca.pem) and RWTH-CA (rwth-ca.pem).

  • ImportKey.java from http://www.agentbob.info/agentbob/79.html

 

Step by Step

Make a backup form your keystore and truststore files. Make a second copy to work with. (Don''t work on a running system...) You will find both files in /opt/openfire/resources/security.

Import your certificate chain from top to bottom into your existing truststore:

keytool -importcert -alias dfn-ca -keystore truststore -file dfn-ca.pem
keytool -importcert -alias rwth-ca -keystore truststore -file rwth-ca.pem

 

convert your key and certificate into DER-Format:

openssl pkcs8 -topk8 -nocrypt -in jabber-private.pem -inform PEM -out jabber-private.der -outform DER
openssl x509 -in jabber-signed.pem -inform PEM -out jabber-signed.der -outform DER

 

modify ImportKey.java according to following diff-output. This is a program from an untrusted source which works directly with your private key, you should check exactly what it does...use at your own risk.

[coolcat@sempron2800 KeyStore]$ diff ImportKey.java ImportKey_original.java
87c87
<         String keypass = "changeit";
---
>         String keypass = "importkey";
90c90
<         String defaultalias = "private-key";
---
>         String defaultalias = "importkey";
93c93,99
<         String keystorename = "keystore";
---
>         String keystorename = System.getProperty("keystore");
>
>         if (keystorename == null)
>             keystorename = System.getProperty("user.home")+
>                  System.getProperty("file.separator")+
>                  "keystore.ImportKey"; // especially this ;-)
>

compile the class with java 1.6:

javac ImportKey.java



create a *new keystore file* in current working directory, which contains your private key:

java ImportKey jabber-private.der jabber-signed.der



copy keystore and truststore file back to +/opt/openfire/resources/security+ and restart your openfire server.

On +Server Certificates+ page in adminconsole the new key is shown as +Pending Verification+, so I tried to import my certificate into the truststore, but this seems not to change anything.

keytool -importcert -alias jabber-cert -keystore truststore -file jabber-signed-short.pem


+jabber-signed-short.pem+ is the plain certificate, just this part:

---BEGIN CERTIFICATE---

 

    /*  ...  */

 

-

END CERTIFICATE-----

 

Finally I ignored the Pending Verification, because it worked.

Additionally Server Certificates page says something like "One or more certificates are missing. Click here to generate self-signed certificates.", i I ignored it, too.

 

I will get an email when someone answers on this thread, so ask your questions here, also if this thread grows older. I hope this will help someone.

 

Coolcat

 

Message was edited by: Coolcat

Report Abuse
 
tlj
1 posts since
Aug 2, 2007
Currently Being Moderated
Aug 2, 2007 4:13 PM in response to: Coolcat
Re: Import SSL Key and Certificate

Here is what worked for me, after a week of racking my brain on this issue. My certs were generated using openssl version 0.9.8b and my certs were signed by Digital Signature Trust.

 

1. Convert your private key to DER format

 

openssl pkcs8 -topk8 -nocrypt -in jabber.key -inform PEM -out jabber.key.der -outform DER

 

2. Convert your cert and root cert(Digital Signature Trust root certs) and/or intermediate cert into DER format

 

openssl x509 -in jabber.crt -inform PEM -out jabber.crt.der -outform DER

openssl x509 -in roots.crt -inform PEM -out roots.crt.der -outform DER

 

3.  cat jabber.crt.der roots.crt.der > jabber.der

 

Now I used the keystore file from the original install from /opt/openfire/resources/security with JDK 1.6.0_02 and a program similair to AgentBob, which is from an ex employee where I work.

 

java KeyStoreImport /opt/openfire/resources/security/keystore jabber.der jabber.key.der jabber.imsa.edu

 

This imported and now showed it was signed and not in a pending status.  Please let me know if you want me to post the KeyStoreImport java file and class I used.

Report Abuse
Coolcat KeyContributor
Coolcat
727 posts since
Mar 19, 2007
Currently Being Moderated
Aug 2, 2007 4:22 PM in response to: tlj
Re: Import SSL Key and Certificate

thanks.

3. cat jabber.crt.der roots.crt.der > jabber.der

I think thats the trick, I will try it when I find some time...

Report Abuse
Attila Bronze
Attila
34 posts since
Sep 28, 2007
Currently Being Moderated
Oct 27, 2007 7:24 AM in response to: tlj
Re: Import SSL Key and Certificate

tlj,

 

Could you please post your KeyStoreImport.java file here? Just copy&paste it to your reply.

 

Thanks in advance

Report Abuse

More Like This

  • Retrieving data ...

Incoming Links