thanks, I will try it on sunday or so...

here''s how to do it.

hm, this didn''t worked for me.

But I found another way:

I will describe here exactly what I have done. Maybe there is a better way and not every detail here is important. Use this guide at your own risk.

Requirements

• Openfire has to run with Java 1.6 and you have to use the Java 1.6 keytool. I used an JDK 1.6.0_02 from Sun. According to this site an older keytool can not import third party signed certificates correctly.

• Certificate (jabber-signed.pem) and Key (jabber-private.pem) in PEM format.

• Certificate chain in PEM format. I got two certificates: DFN-CA (dfn-ca.pem) and RWTH-CA (rwth-ca.pem).

• ImportKey.java from http://www.agentbob.info/agentbob/79.html

Step by Step

Make a backup form your keystore and truststore files. Make a second copy to work with. (Don''t work on a running system...) You will find both files in /opt/openfire/resources/security.

Import your certificate chain from top to bottom into your existing truststore:

keytool -importcert -alias dfn-ca -keystore truststore -file dfn-ca.pem
keytool -importcert -alias rwth-ca -keystore truststore -file rwth-ca.pem

convert your key and certificate into DER-Format:

openssl pkcs8 -topk8 -nocrypt -in jabber-private.pem -inform PEM -out jabber-private.der -outform DER
openssl x509 -in jabber-signed.pem -inform PEM -out jabber-signed.der -outform DER

modify ImportKey.java according to following diff-output. This is a program from an untrusted source which works directly with your private key, you should check exactly what it does...use at your own risk.

[coolcat@sempron2800 KeyStore]$ diff ImportKey.java ImportKey_original.java
87c87
<         String keypass = "changeit";
---
>         String keypass = "importkey";
90c90
<         String defaultalias = "private-key";
---
>         String defaultalias = "importkey";
93c93,99
<         String keystorename = "keystore";
---
>         String keystorename = System.getProperty("keystore");
>
>         if (keystorename == null)
>             keystorename = System.getProperty("user.home")+
>                 System.getProperty("file.separator")+
>                 "keystore.ImportKey"; // especially this ;-)
>

compile the class with java 1.6:

javac ImportKey.java

create a *new keystore file* in current working directory, which contains your private key:

java ImportKey jabber-private.der jabber-signed.der

copy keystore and truststore file back to +/opt/openfire/resources/security+ and restart your openfire server.

On +Server Certificates+ page in adminconsole the new key is shown as +Pending Verification+, so I tried to import my certificate into the truststore, but this seems not to change anything. 

keytool -importcert -alias jabber-cert -keystore truststore -file jabber-signed-short.pem

+jabber-signed-short.pem+ is the plain certificate, just this part:

---BEGIN CERTIFICATE---

    /*  ...  */

-

END CERTIFICATE-----

Finally I ignored the Pending Verification, because it worked.

Additionally Server Certificates page says something like "One or more certificates are missing. Click here to generate self-signed certificates.", i I ignored it, too.

I will get an email when someone answers on this thread, so ask your questions here, also if this thread grows older. I hope this will help someone.

Coolcat

Message was edited by: Coolcat