Openfire with Godaddy certificate for SSL

Openfire Openfire Support
1

Has anyone gotten this to work correctly and if so what are the steps? How do you get godaddy to signe the both the DSA and RSA key? Also for godaddy they have a field for the “CN” and in Openfire it has no such field. Please help I made a key from godaddy and it wouldnt accept. I dont have any logs of the, its a virtual machine so i just restored a snapshot after it failed. I have looked at the forms and havent found anything that answers my questions

2

Hi,

you may want to read http://www.igniterealtime.org/community/blogs/ignite/2007/12/01/your-certificate -survival-kit and drop support for DSA and thus the DSA certificate.

LG

added: Looks like Openfire does complain then with “One or more certificates are missing.” on the certificates web page but I guess that one should ignore this.

3

LG that link is dead… I went on google looking for a cached page of it but didnt find it.

4

test - copy & paste: http://www.igniterealtime.org/community/blogs/ignite/2007/12/01/

test - “insert link”: Your Certificate Survival Kit

5

After an excruciating amount of pain , I’ve managed to import my GoDaddy cert/key and connect via SSL. However, my server certificates page says “One or more certificates are missing.” Is this related to the conversations I’ve seen DSA versus RSA? Do I need to do anything about this warning, or can I safely ignore it?

Thanks!

6

Hi,

as far as I understand the SSL settings it’s safe to ignore this warning as clients should accept both DSA or RSA certificates. Anyhow it may be possible to configure a client to accept only DSA certificates and such a client would then fail.

It would be nice if one could test whether this works fine with all available clients.

LG

7

I don’t want people to spend countless hours searching for the solution as we did, so I wrote it in a post to be easily accessible : http://timetrackingim.posterous.com/setup-godaddy-certificates-with-openfire

This is probably the first page you land when you’re searching about the GoDaddy certificates. But, the solution is not here. To make things worst, greymatter says :

After an excruciating amount of pain , I’ve managed to import my GoDaddy cert/key and connect via SSL

without giving the solution

8

Bumping this really old thread. I found a solution that worked for me with Godaddy certs and trying to get them loaded into the Java keystore:

  1. Create ssl cert with the following command “openssl genrsa -out server.domain.com.key 2048”

  2. Generate the CSR with the following command “openssl req -out server.domain.com.csr -key server.domain.com.key -new”

  3. Login to GoDaddy’s site and sign the CSR and get your CRT file. Also download the GoDaddy bundled cert.

  4. Shutdown down the openfire server if it’s running.

  5. I then deleted the default keystore so I could start from scratch.

  6. Then I ran this command “openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in server.domain.com.crt -inkey server.domain.com.key -out /opt/openfire/resources/security/keystore -name server.domain.com

This command was the key, and I found it here: http://help.godaddy.com/article/5355

  1. Startup the webserver again and check the web interface. Now if I go to Security Certificates I can see my host and it says “CA Signed”.

Some other misc notes:

  • I have the server setting set to xmpp.socket.ssl.storeType set = PKCS12

  • I still get an error in the web gui stating “One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key.” I think this is becuase I don’t have a DSA key, but I just ignored it.

Hope this helps!

9

I was able to get Openfire working with a GoDaddy wildcard cert very easily by doing the following:

  1. http:///import-certificate.jsp
  2. Enter key file pass phrase. Mine had no pass phrase, so I left it empty.
  3. Paste your key file
  4. Paste your godaddy cert for you domain followed by gd_bundle.crt
  5. Click save, restart your server and done

The server certificates section now shows my cert as ‘CA Signed’ with a green check mark. It is an RSA certificate.

Obviously the key here is that you need to include gd_bundle.crt with your godaddy cert. This is standard for getting godaddy certs to work on non-apache servers, such as Nginx.

Hope this helps.

John

10

Here is my tough way of having openfire work with externally signed SSL certificates

How to have a signed by third party (GoDaddy, Namecheap etc.) ssl certs in openfire:

  1. find a keystore file in /opt/openfire/ … security

  2. use

keytool -list -keystore keystore

command to check all available certificates. default password for keystore is ‘changeit’.

But don’t hurry to change keystore password.

Remember the key aliases. You will need them later.

  1. delete all keys from keystore if you don’t really need them

keytool -delete -alias KEYALIAS -keystore keystore

  1. generate a key pair

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore -keysize 2048

Remember not to ommit -keyalg RSA option - this will create keypair for rsa algorithm as required by most modern clients.

By default keyalg tries to generate keypair with an obsolete DSA algorithm

When you are asked for your First and Last name it means that you need to type Common Name (CN) for the certificate.

Most network software expects this to be FQDN of your host. So be SURE TO SPECIFY FQDN (like chat.mydomain.com) instead of your first and last name

After answering few questions you will be prompted to approve that typed data is correct. Simply type ‘yes’ to proceed.

Then you will be prompted for a password for private key. Hit Enter to set private key password same as keystore password. They MUST be the same.

So if you are about not to use default ‘changeit’ password - be sure to chage keystore password before creating keypair to avoid difficulties.

Changing keystore password could be performed with this command.

keytool -storepasswd -new new_storepass -keystore keystore

Before changing default keystore password be sure to check openfire documentation about how to configure openfire to use such keystores.

  1. generate a certificate signing request (CSR) for an existing Java keystore

keytool -certreq -alias mydomain -keystore keystore -file mydomain.csr

You will get mydomain.csr file containing CSR.

  1. Use your CA to sign the CSR. After singing is complete you will get a set of files. This set must contain

a) signed certificate to be used with your private key

b) CA certificate(s) signed with globally recognized CA

  1. Import a root or intermediate CA certificate to an existing Java keystore

keytool -import -trustcacerts -alias root -file CAAuthority.crt -keystore keystore

You may use few other aliases to import all the keychain

  1. Import a signed primary certificate to an existing Java keystore

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore

mydomain.crt - must be the CA signed certificate for your domain.

Order of these steps is really important.

with best regards,

Sergey P

11

IMPORTANT NOTES about passwords, keystores and keys. Please read the ALL and make sure you understand them completely before changing passwords.

  1. default password for keystore is ‘chageit’

  2. keys inside keystore MUST have the SAME password as keystore have. So changing keystore password will require to change passwords of stored keys. This means that if you are a clever man you should decide what password would you like to have BEFORE importing keys to your keystore

  3. openfire assumes that keystore has password ‘chageit’ by default. If you are using different password for your keystore make sure that you specified keystore password in openfire config. It’s described here: http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guid e.html

Open the Openfire Admin Console in your favorite browser and add or change the following system properties:

xmpp.socket.ssl.keystore – the location of the keystore file relative to your Openfire installation root directory. You can leave this property blank to use the default keystore.

xmpp.socket.ssl.keypass – the keystore/key password you changed

  1. Changing password to the keystore adds NO ADDITIONAL SECURITY to the whole system. Once system is compromised it’s pretty easy to extract keystore password stored in openfire config and then get access to the keystore.

So using default password is the same as changing it in terms of security of the ceritificate.

12

Java and Godaddy’s SSL certs don’t get along well… see this thread (i’m the “knowsnothing” user)

http://support.godaddy.com/groups/ssl-certificates/forum/topic/ssl-cert-not-reco gnized-by-java/

I had many lengthy emails with Godaddy SSL Support Team before finally getting them to understand the problem.

Godaddy has two (2) root CA’s. One called Godaddy Class 2 CA, the other is called Godaddy G2 CA.

The Class 2 server signs all SHA-1 certs, while the G2 server signs all the SHA-2 certs.

The G2 server has not been added to the standard java truststore as of version 7_45, and therefore Java does not trust any SSL cert signed by the G2 server by default.

You must either manually add it to the truststore, or rekey using the SHA-1 cert with the Class 2 server (which is and has been in the default truststore for a long while).