I have been trying for about 1 day to get Openfire set up with SSL but have not succeeded. I am not a novice yet I am just unable to set it up. Here is what I have right now:
1. My domain is "im.spinaxys.com"
2. Decrypted private key in PEM format
-----BEGIN RSA PRIVATE KEY-----
0DDqOMbM6JWGZigMsUIjFfZgi9bIQItifQpRmiOmh9fFS4nKXfFtAyc1bKANALQs
...
-----END RSA PRIVATE KEY-----
3. Wild card signed certificate for "*.spinaxys.com" in PEM FORMAT
-----BEGIN CERTIFICATE-----
MIIINzCCBx+gAwIBAgIDAathMA0GCSqGSIb3DQEBBQUAMIG2MQswCQYDVQQGEwJJ
...
-----END CERTIFICATE-----
4. CA (http://cert.startcom.org/) root certificate in PEM format (I believe this CA is already part of openfire trusted CAs)
-----BEGIN CERTIFICATE-----
MIIFFjCCBH+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBsDELMAkGA1UEBhMCSUwx
...
-----END CERTIFICATE-----
5. CA intermediate certificate
-----BEGIN CERTIFICATE-----
MIIHdzCCBuCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBsDELMAkGA1UEBhMCSUwx
...
-----END CERTIFICATE-----
I guess this is all that is ever needed to set up SSL support for a server. I must have read at least a zillion documents trying to achieve this but to no use :).
I would be really grateful if anyone could give step by step instructions on how to set up SSL in openfire with the above files. Thanks !!!
I am using Debian Etch. Today, using the guidelines provided at Re: Import SSL Key and Certificate, I was able to import the private key and certificate (with a few more additional steps). But one problem remains. I still get the error "One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key." though the certificate status is "CA Signed". Thus whenever I connect to any of the SSL ports, it says the CA wasn't able to be verified (though the root CA's cert is already installed in Firefox). What is the solution for this? To be more precise, how do I make Openfire offer the chain certificate (and not just my domain certificate) to my browser?
I am planning to write a step-by-step instruction here on configuring SSL in openfire using our own key and certificate once I get this problem solved.
Looking forward to a response. Thanks.
I have managed to solve the problem finally. Here is a step-by-step tutorial on how I set up SSL in Openfire.
Openfire version : 3.5.0
Java version : 1.6.0
OS : Debian Etch
XMPP Server Domain : company.com
RSA Private Key : key.pem
Certificate for XMPP server domain : cert.pem
Root CA Certificate : rootca-cert.pem
Intermediate CA Certificate : interca-cert.pem
1. Install openfire and configure it from the web interface
2. Stop the openfire server
$ /etc/init.d/openfire stop
3. Create a working directory and enter it
$ mkdir openfire-ssl
$ cd openfire-ssl
4. Now dump the files "key.pem", "cert.pem", "rootca-cert.pem" and "interca-cert.pem" into this directory
5. Next backup keystore and truststore
$ cp -a /etc/openfire/security/keystore keystore.bkup
$ cp -a /etc/openfire/security/truststore truststore.bkup
6. Import the Root CA certificate into openfire truststore (if it is not already part of truststore)
$ keytool -importcert -alias "rootca" -keystore /etc/openfire/security/truststore -file rootca-cert.pem
You will be prompted for the keystore password which is "changeit" by default unless you have changed it.
7. Remove the default certificates in keystore using keytool
$ keytool -delete -keystore /etc/openfire/security/keystore -alias rsa
$ keytool -delete -keystore /etc/openfire/security/keystore -alias dsa
8. Convert your key into DER format
$ openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
9. Convert server certificate and all intermediate certificates into DER format and combine them to create a chain certificate
$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
$ openssl x509 -in interca-cert.pem -inform PEM -out interca-cert.der -outform DER
$ cat cert.der interca-cert.der > chain-cert.der
10. Copy the file KeyStoreImport.java from http://www.nealgroothuis.name/import-a-private-key-into-a-java-keystore/ and compile it
$ javac KeyStoreImport.java
11. Add the domain chain certificate and the private key to keystore
$ java KeyStoreImport /etc/openfire/security/keystore chain-cert.der key.der "company.com_rsa"
You will be prompted for the Keystore password which is "changeit" by default unless you have changed it.
For Private key entry password, I entered the same as the Keystore password. Somehow if I was entering a different password it was not working (not sure why this was happening ... maybe I am missing something).
12. Start the openfire server
$ /etc/init.d/openfire start
13. From the web interface, go to Server Settings -> Server Certificates and check whether the key and certificate have been added
Notes:
1. Be sure that /etc/openfire/security/keystore and /etc/openfire/security/truststore have the proper read permissions for openfire. On my system, the owner and group of the files are "openfire" and the permissions are "640".
2. If you get a keystore corrupt error in the web interface, just copy back the keystore file from the backup and try again. One possible reason could be that the Private Key entry password entered is different from the keystore password (mentioned above).
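The checks below are an added example, not part of this thread or of the Openfire project. They reproduce the failure the earlier post ran into (a server that offers only the domain certificate cannot be verified by a client that trusts only the root) and show how to confirm, before touching the keystore, that the key, the domain certificate and the intermediate actually fit together. The script builds its own throwaway root, intermediate and leaf with openssl, so nothing here is a real key; file names (key.pem, cert.pem, rootca-cert.pem, interca-cert.pem), the domain company.com and the alias company.com_rsa are taken from the tutorial. It assumes only openssl on PATH. The PKCS#12 route at the end is an assumed alternative to KeyStoreImport.java: keytool's -importkeystore (Java 6 and later) can read a PKCS#12 file directly; that function is defined but only runs if you call it with a keystore path.

```shell
#!/bin/sh
# Added example, not from the thread: constructed demo PKI plus the checks worth running
# before and after the keytool/KeyStoreImport steps. No real keys or certificates are used.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # Openfire's default keystore password, as in the tutorial
cd "$WORKDIR"

# Sign a CSR with a CA key and certificate, attaching the extensions listed in the extfile.
sign_csr() {  # sign_csr <csr> <ca-cert> <ca-key> <extfile> <out>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -extfile "$4" -out "$5" 2>/dev/null
}

# Constructed demo PKI: self-signed root, intermediate signed by the root, leaf for
# company.com signed by the intermediate. Skips generation when the files already exist.
make_demo_chain() {
  [ -f cert.pem ] && return 0
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca-ext.cnf
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:company.com,DNS:*.company.com\n' > leaf-ext.cnf
  openssl req -new -newkey rsa:2048 -nodes -keyout rootca-key.pem -out rootca.csr -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in rootca.csr -signkey rootca-key.pem -days 30 -extfile ca-ext.cnf -out rootca-cert.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout interca-key.pem -out interca.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
  sign_csr interca.csr rootca-cert.pem rootca-key.pem ca-ext.cnf interca-cert.pem
  openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out cert.csr -subj "/CN=company.com" 2>/dev/null
  sign_csr cert.csr interca-cert.pem interca-key.pem leaf-ext.cnf cert.pem
}

# Check 1: the private key must belong to the server certificate (same public key).
check_key_matches_cert() {
  [ "$(openssl x509 -in cert.pem -noout -pubkey)" = "$(openssl pkey -in key.pem -pubout)" ]
}

# Check 2: with only the root trusted and the intermediate offered as "untrusted" (what a
# client sees when the server sends leaf + intermediate), the leaf must verify.
check_chain() {
  openssl verify -CAfile rootca-cert.pem -untrusted interca-cert.pem cert.pem >/dev/null 2>&1
}

# Check 3: the leaf alone must NOT verify against the root. This is the symptom from the
# thread: Openfire served only the domain certificate, so Firefox could not reach its root.
check_leaf_only() {
  openssl verify -CAfile rootca-cert.pem cert.pem >/dev/null 2>&1
}

# Steps 8 and 9 of the tutorial: PKCS#8 DER key and leaf+intermediate DER chain for KeyStoreImport.
build_der_chain() {
  openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
  openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
  openssl x509 -in interca-cert.pem -inform PEM -out interca-cert.der -outform DER
  cat cert.der interca-cert.der > chain-cert.der
  # Sanity check: the chain file is exactly the two DER blobs back to back.
  [ $(( $(wc -c < chain-cert.der) )) -eq $(( $(wc -c < cert.der) + $(wc -c < interca-cert.der) )) ]
}

# Assumed alternative to KeyStoreImport.java: bundle key + leaf + intermediate into PKCS#12.
# The key password equals the store password, which is what the tutorial found Openfire needs.
build_p12() {
  openssl pkcs12 -export -inkey key.pem -in cert.pem -certfile interca-cert.pem \
    -name company.com_rsa -passout "pass:$P12_PASS" -out company.p12
}

# Number of certificates inside the PKCS#12 file; 2 means the intermediate made it in.
count_p12_certs() {
  openssl pkcs12 -in company.p12 -passin "pass:$P12_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Import the bundle into an existing Java keystore (needs keytool; not run by main).
import_p12_into_keystore() {  # import_p12_into_keystore <path-to-openfire-keystore>
  keytool -importkeystore -srckeystore company.p12 -srcstoretype PKCS12 -srcstorepass "$P12_PASS" \
    -srcalias company.com_rsa -destkeystore "$1" -deststorepass "$P12_PASS"
}

expect() {  # expect <description> <check-function>: stop the script on the first failed check
  if "$2"; then echo "ok:   $1"; else echo "FAIL: $1"; exit 1; fi
}

main() {
  make_demo_chain
  expect "private key matches cert.pem" check_key_matches_cert
  expect "cert.pem + interca-cert.pem verify against rootca-cert.pem" check_chain
  if check_leaf_only; then echo "FAIL: leaf alone should not verify"; exit 1; fi
  echo "ok:   cert.pem alone does not verify (the intermediate must be served with it)"
  expect "key.der and chain-cert.der built for KeyStoreImport" build_der_chain
  expect "company.p12 built" build_p12
  echo "company.p12 holds $(count_p12_certs) certificates (expected 2); work dir: $WORKDIR"
}
main "$@"
```

Run it against your real files by pointing WORKDIR at a directory that already contains key.pem, cert.pem, rootca-cert.pem and interca-cert.pem; make_demo_chain then does nothing and only the checks run. If check_chain fails on real material, the intermediate file is not the one that issued your certificate, and importing it will not fix the "certificates are missing" error. A Java key entry carries its own certificate chain, and that chain is what the server presents to clients, so the intermediate has to be imported together with the key (as chain-cert.der or inside the PKCS#12 file); adding it only to the truststore does not change what the server sends.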