Ignite Realtime: Openfire and SSL

Up to Discussions in Openfire Support

5469 Views 4 Replies Latest reply: Jan 7, 2010 10:01 AM by Rob Corell

Rahul Amaram

3 posts since
Apr 8, 2008

Currently Being Moderated

Apr 8, 2008 1:02 PM

Openfire and SSL

I have been trying for about 1 day to get Openfire set up with SSL but have not succeeded. I am not a novice yet I am just unable to set it up. Here is what I have right now:

1. My domain is "im.spinaxys.com"

2. Decrypted private key in PEM format

BEGIN RSA PRIVATE KEY-----

0DDqOMbM6JWGZigMsUIjFfZgi9bIQItifQpRmiOmh9fFS4nKXfFtAyc1bKANALQs

END RSA PRIVATE KEY-----

3. Wild card signed certificate for "*.spinaxys.com" in PEM FORMAT

BEGIN CERTIFICATE-----

MIIINzCCBx+gAwIBAgIDAathMA0GCSqGSIb3DQEBBQUAMIG2MQswCQYDVQQGEwJJ

END CERTIFICATE-----

4. CA (http://cert.startcom.org/) root certificate in PEM format (I believe this CA is already part of openfire trusted CAs)

BEGIN CERTIFICATE-----

MIIFFjCCBH+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBsDELMAkGA1UEBhMCSUwx

END CERTIFICATE-----

5. CA intermediate certificate

BEGIN CERTIFICATE-----

MIIHdzCCBuCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBsDELMAkGA1UEBhMCSUwx

END CERTIFICATE-----

I guess this is all that is ever needed to set up SSL support for a server. I must have read atleast a zillion documents trying to achive this but to no use :).

I would be really grateful if anyone could give step by step instructions on how to set up SSL in openfire with the above files. Thanks !!!

Like (0)

Tags: openfire, ssl

cmyster
8 posts since
Apr 8, 2008

Currently Being Moderated

Apr 9, 2008 1:40 AM (in response to Rahul Amaram)
Re: Openfire and SSL

what OS are you running?

Report Abuse

Like (0)
- Rahul Amaram
  3 posts since
  Apr 8, 2008
  
  Currently Being Moderated
  
  Apr 9, 2008 8:29 AM (in response to cmyster)
  Re: Openfire and SSL
  
  I am using Debian Etch. Today using the guidelines provided at http://www.igniterealtime.org/community/message/151675#151675 I was able to import the private key and certficate (with a few more additional steps). But one problem remains. I still get the error "One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key." though the certificate status is "CA Signed". Thus whenever I connect to any of the SSL ports, it says the CA wasn't able to be verified (though the root CA's cert is already installed in firefox). What is the solution for this? To be more precise, how do I make Openfire offer the chain certificate (and not just my domain certificate) to my browser?
  
  I am planning to write a step-by-step instruction here on configuring SSL in openfire using our own key and certificate once I get this problem solved.
  
  Looking forward to a resonse. Thanks.
  
  Report Abuse
  
  Like (0)
Rahul Amaram
3 posts since
Apr 8, 2008

Currently Being Moderated

Apr 9, 2008 1:15 PM (in response to Rahul Amaram)
Re: Openfire and SSL

I have managed to solve the problem finally. Here is a step-by-step tutorial on how I setup SSL in openfire.

Openfire version : 3.5.0
Java version : 1.6.0
OS : Debian Etch
XMPP Server Domain : company.com
RSA Private Key : key.pem
Certificate for XMPP server domain : cert.pem
Root CA Certificate : rootca-cert.pem
Intermediate CA Certificate : interca-cert.pem

1. Install openfire and configure it from the web interface

2. Stop the openfire server

$ /etc/init.d/openfire stop

3. Create a working directory and enter it

$ mkdir openfire-ssl
$ cd openfire-ssl

4. Now dump the files "key.pem", "cert.pem", "rootca-cert.pem" and "interca-cert.pem" into this directory

5. Next backup keystore and truststore

$ cp -a /etc/openfire/security/keystore keystore.bkup
$ cp -a /etc/openfire/security/truststore truststore.bkup

6. Import the Root CA certificate into openfire truststore (if it is not already part of truststore)

$ keytool -importcert -alias "rootca" -keystore /etc/openfire/security/truststore -file rootca-cert.pem

You will be prompted for the keystore password which is "changeit" by default unless you have changed it.

7. Remove the default certificates in keystore using keytool

$ keytool -delete -keystore /etc/openfire/security/keystore -alias rsa
$ keytool -delete -keystore /etc/openfire/security/keystore -alias dsa

8. Convert your key into DER format

$ openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

9. Convert server certificate and all intermediate certificates into DER format and combine them to create a chain certificate

$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
$ openssl x509 -in interca-cert.pem -inform PEM -out interca-cert.der -outform DER
$ cat cert.der interca-cert.der > chain-cert.der

10. Copy the file KeyStoreImport.java from http://www.nealgroothuis.name/import-a-private-key-into-a-java-keystore/ and compile it

$ javac KeyStoreImport.java

11. Add the domain chain certificate and the private key to keystore

$ java KeyStoreImport /etc/openfire/security/keystore chain-cert.der key.der "company.com_rsa"

You will be prompted for the Keystore password which is "changeit" by default unless you have changed it.
For Private key entry password, I entered the same as the Keystore password. Somehow if I was entering a different password it was not working (not sure why this was happening ... maybe I am missing something).

12. Start the openfire server

$ /etc/init.d/openfire start

13. From web interface, go to Server Settings -> Server Certificates and check if the key and certificate has been added

Notes:

1. Be sure that /etc/openfire/security/keystore and /etc/openfire/security/truststore has the proper read permission for openfire. On my system, the owner and group of the files are "openfire" and permissions are "640".

2. If you get a keystore corrupt error in the web interface, just copy back the keystore file from the backup and try again. One possible reason could be because the Private Key entry password entered is different from the keystore password (mentioned about this above).

Report Abuse

Like (0)
- Rob Corell
  4 posts since
  Jan 7, 2010
  
  Currently Being Moderated
  
  Jan 7, 2010 10:01 AM (in response to Rahul Amaram)
  Re: Openfire and SSL
  
  Rahul, thanks for the step-by-step process. I've been fighting OpenFire for days now and just finished trying this approach. Unfortunately, I'm getting the error below on the last step. Do you have any thoughts?
  
  [root@vps wave-protocol]# java -cp . KeyStoreImport /opt/openfire/resources/security/keystore ./chain-cert.der traitwise.key.der "traitwise.com"
  Keystore password:
  changeit
  java.security.cert.CertificateParsingException: signed fields invalid
  at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1716)
  at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:303)
  at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:532)
  at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:4 17)
  at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.j ava:427)
  at KeyStoreImport.main(KeyStoreImport.java:70)
  
  Report Abuse
  
  Like (0)

Go to original post

Apr 8, 2008 1:02 PM

Openfire and SSL

Actions

More Like This

Incoming Links

Bookmarked By (0)