Openfire 3.7.1 with GeoTrust SSL cert (Windows Server 2008 x32) - SOLVED

I spent the last 4 days trying to get this figured out. After much trial and error, these are the exact steps I used to get a GeoTrust SSL cert imported into Openfire 3.7.1.

Install the Microsoft Visual C++ Redistributable. You need this specific version in order for OpenSSL to function properly.

http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF

**Download OpenSSL** http://www.slproweb.com/download/Win32OpenSSL-1_0_0f.exe

Install this using the system defaults.

**Browse to** C:\OpenSSL-Win32\bin

Right click on openssl.exe and choose Run As Administrator

Use OpenSSL to generate a private key by running the following command:

genrsa -out your.domain.com.key 2048

**You will see**

Loading ‘screen’ into random state - done

Generating RSA private key, 2048 bit long modulus

.+++

…+++

e is 65537 (0x10001)

At the next OpenSSL> prompt, enter this command:

req -out your.domain.com.csr -key your.domain.com.key -new

You will see

Loading ‘screen’ into random state - done

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.


Country Name (2 letter code) [AU]:REQUIRED

State or Province Name (full name) [Some-State]:REQUIRED

Locality Name (eg, city) []:REQUIRED

Organization Name (eg, company) [Internet Widgits Pty Ltd]:REQUIRED

Organizational Unit Name (eg, section) []:REQUIRED

Common Name (e.g. server FQDN or YOUR name) []:**REQUIRED. This should match your Openfire server name.**

Email Address []:Leave Blank

LEAVE THE FOLLOWING BLANK

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

After answering the questions above, you will be brought back to the OpenSSL prompt:

OpenSSL>

At this point you can close OpenSSL.

You have now created a private key and a cert request that you can use to get a cert from GeoTrust. The key and the cert request are located in C:\OpenSSL-Win32\bin

**The files are**

your.domain.com.key

your.domain.com.csr

Log in to your GeoTrust account and ask for a new SSL cert. I used the Quick SSL Premium, but the Quick SSL Basic will be fine if you don't need multiple domain support.

Copy the contents of the file **your.domain.com.csr** into the field listed below:

Certificate Signing Request (CSR) Information

Complete the cert request steps. Once you get your cert approved and you get the download link, make sure you download the ZIP bundle.

Extract the files and use Notepad++ to open the files

your_domain_com.txt

GeoTrust_CA_Bundle.txt

**Copy the contents of** your_domain_com.txt **and paste it into a new Notepad++ file. Directly after your cert, copy the contents of** GeoTrust_CA_Bundle.txt

The end file should look like this:

```
-----BEGIN CERTIFICATE-----
*Your certificate*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID+jCCAuKgAwIBAgIDAjbSMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjI2MjEzMjMxWhcNMjAwMjI1MjEzMjMxWjBhMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UECxMURG9tYWluIFZh
bGlkYXRlZCBTU0wxGzAZBgNVBAMTEkdlb1RydXN0IERWIFNTTCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKa7jnrNpJxiV9RRMEJ7ixqy0ogGrTs8
KRMMMbxp+Z9alNoGuqwkBJ7O1KrESGAA+DSuoZOv3gR+zfhcIlINVlPrqZTP+3RE
60OUpJd6QFc1tqRi2tVI+Hrx7JC1Xzn+Y3JwyBKF0KUuhhNAbOtsTdJU/V8+Jh9m
cajAuIWe9fV1j9qRTonjynh0MF8VCpmnyoM6djVI0NyLGiJOhaRO+kltK3C+jgwh
w2LMpNGtFmuae8tk/426QsMmqhV4aJzs9mvIDFcN5TgH02pXA50gDkvEe4GwKhz1
SupKmEn+Als9AxSQKH6a9HjQMYRX5Uw4ekIR4vUoUQNLIBW7Ihq28BUCAwEAAaOB
2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIz02ZMKR7wAoErOS3VuoLaw
sn78MB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4ysxOMBIGA1UdEwEB/wQI
MAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5j
b20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAB
hhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZIhvcNAQEFBQADggEBADOR
NxHbQPnejLICiHevYyHBrbAN+qB4VqOC/btJXxRtyNxflNoRZnwekcW22G1PqvK/
ISh+UqKSeAhhaSH+LeyCGIT0043FiruKzF3mo7bMbq1vsw5h7onOEzRPSVX1ObuZ
lvD16lo8nBa9AlPwKg5BbuvvnvdwNs2AKnbIh+PrI7OWLOYdlF8cpOLNJDErBjgy
YWE5XIlMSB1CyWee0r9Y9/k3MbBn3Y0mNhp4GgkZPJMHcCrhfCn13mZXCxJeFu1e
vTezMGnGkqX2Gdgd+DYSuUuVlZzQzmwwpxb79k1ktl8qFJymyFWOIPllByTMOAVM
IIi0tWeUz12OYjf+xLQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
```

**Save this file as** Content of Certificate file.txt

**Browse to the Openfire Server Certificate Import Page** https://your.openfireserver.com:9091/import-certificate.jsp

**Copy the contents of** your.domain.com.key **and paste it into the** Content of Private Key file: **field.**

**Copy the contents of the** Content of Certificate file.txt **you created into the** Content of Certificate file: **field.**

If you don’t include the intermediate cert data in the second field or the intermediate certs don’t match you’ll see errors such as “Incomplete certificate chain in reply”, “Failed to establish chain from reply” or “Certificate chain in reply does not verify: Signature does not match.”

If you see the message “invalid DER-encoded certificate data” then you most likely have an empty line between one or other of the certificate lines.

**Once you get the "Key was imported successfully" message you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.**

**Log back in and browse to the Server Certificates page again; you will see two self-signed certs and a CA-signed cert. You can remove both self-signed certs by clicking the delete button to the far right. Once again you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.**

Log back in and browse to the Server Certificates page again to verify that your CA-signed cert is the only one left.

That should be it. I have confirmed this works with Openfire 3.7.1 using Spark and webchat clients.

**Let me know if you have any questions. Hopefully this will help someone save a week of headbanging and frustration.**

2 Likes
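As an added example that is not part of the original post: the same OpenSSL steps scripted for a POSIX shell (the `genrsa` and `req` commands are the ones typed at the OpenSSL> prompt above, here with the DN given on the command line), followed by a check that runs through the post's import troubleshooting before anything is pasted into Openfire. It assumes `openssl` (1.0.2 or newer, for `x509 -checkhost`), `awk` and `mktemp` on PATH; chat.example.com, "Example Org" and every file name are placeholders, and the root and intermediate it generates are a constructed stand-in for the GeoTrust hierarchy so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's OpenSSL steps run
# non-interactively, plus a pre-import check of the "Content of Certificate
# file" bundle that catches the failure modes the post describes (blank lines,
# missing or wrong intermediate, a key that does not belong to the cert, wrong
# Common Name, expired certificates). Host names, DN values and file names are
# placeholders chosen for this example.

# Minimal openssl config so nothing depends on a system openssl.cnf.
# $1 = directory to write it in, $2 = server FQDN (goes into the SAN).
write_cnf() {
cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2
EOF
}

# Step 1 of the post: 2048-bit RSA key and CSR, DN on the command line instead
# of at the OpenSSL> prompt. $1 = server FQDN, $2 = output directory.
make_key_and_csr() {
    write_cnf "$2" "$1"
    openssl genrsa -out "$2/$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$2/$1.key" -out "$2/$1.csr" -config "$2/req.cnf" \
        -subj "/C=US/ST=State/L=City/O=Example Org/OU=IT/CN=$1" 2>/dev/null
}

# The file the post calls "Content of Certificate file": server cert first, then
# the CA bundle, with no blank line in between. $1 = server cert, $2 = CA bundle.
build_bundle() { cat "$1" "$2"; }

# Pre-import check. $1 = bundle, $2 = private key, $3 = trusted root PEM,
# $4 = server FQDN. Prints the first problem found and returns non-zero.
check_bundle() {
    bundle=$1; key=$2; root=$3; host=$4; d=$(mktemp -d) || return 1
    if grep -q '^[[:space:]]*$' "$bundle"; then
        echo "FAIL: blank line in bundle (Openfire: invalid DER-encoded certificate data)"
        rm -rf "$d"; return 1
    fi
    # Split into c1.pem (server cert), c2.pem, ... (intermediates); n = count.
    n=$(awk -v d="$d" '/BEGIN CERTIFICATE/{n++} {print > (d "/c" n ".pem")} END{print n+0}' "$bundle")
    if [ "$n" -lt 1 ]; then echo "FAIL: no certificate in bundle"; rm -rf "$d"; return 1; fi
    i=1; : > "$d/inter.pem"
    while [ "$i" -le "$n" ]; do
        c="$d/c$i.pem"
        if ! openssl x509 -noout -in "$c" 2>/dev/null; then
            echo "FAIL: certificate $i is not valid PEM"; rm -rf "$d"; return 1
        fi
        if ! openssl x509 -noout -checkend 0 -in "$c" >/dev/null 2>&1; then
            echo "FAIL: certificate $i has expired"; rm -rf "$d"; return 1
        fi
        [ "$i" -gt 1 ] && cat "$c" >> "$d/inter.pem"
        i=$((i + 1))
    done
    # Key pasted into "Content of Private Key file" must belong to the server cert.
    if [ "$(openssl x509 -noout -pubkey -in "$d/c1.pem" 2>/dev/null)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: private key does not match the server certificate"; rm -rf "$d"; return 1
    fi
    # Common Name / SAN must match the Openfire server name.
    if ! openssl x509 -noout -checkhost "$host" -in "$d/c1.pem" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: server certificate is not issued for $host"; rm -rf "$d"; return 1
    fi
    # Chain the server cert to a trusted root through the supplied intermediates.
    if [ "$n" -gt 1 ]; then
        v=$(openssl verify -CAfile "$root" -untrusted "$d/inter.pem" "$d/c1.pem" 2>&1)
    else
        v=$(openssl verify -CAfile "$root" "$d/c1.pem" 2>&1)
    fi
    rc=$?; rm -rf "$d"
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: chain does not verify (Openfire: incomplete chain / signature does not match): $v"
        return 1
    fi
    echo "OK: bundle of $n certificate(s) verifies for $host"
}

# Constructed stand-in for the GeoTrust hierarchy (root -> intermediate -> server
# cert), generated on the fly so the check can be run offline.
# $1 = server FQDN, $2 = output directory.
make_test_pki() {
    host=$1; out=$2; cnf="$out/req.cnf"
    make_key_and_csr "$host" "$out" &&
    openssl genrsa -out "$out/root.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$out/root.key" -out "$out/root.pem" -days 3650 \
        -subj "/CN=Example Test Root" -config "$cnf" -extensions ca_ext 2>/dev/null &&
    openssl genrsa -out "$out/int.key" 2048 2>/dev/null &&
    openssl req -new -key "$out/int.key" -out "$out/int.csr" -config "$cnf" \
        -subj "/CN=Example Test Intermediate CA" 2>/dev/null &&
    openssl x509 -req -in "$out/int.csr" -CA "$out/root.pem" -CAkey "$out/root.key" -CAcreateserial \
        -days 1825 -extfile "$cnf" -extensions ca_ext -out "$out/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$out/$host.csr" -CA "$out/int.pem" -CAkey "$out/int.key" -CAcreateserial \
        -days 365 -extfile "$cnf" -extensions server_ext -out "$out/$host.crt" 2>/dev/null
}
```

Against a real GeoTrust bundle, call `check_bundle "Content of Certificate file.txt" your.domain.com.key root.pem your.domain.com`, where root.pem holds the GeoTrust Global CA (the last certificate in the bundle shown above). A blank line between certificates is reported before anything else, since that is the case behind the "invalid DER-encoded certificate data" message; a bundle that holds only the server certificate, or the wrong intermediate, fails the final `openssl verify`, which is the condition the post associates with "Incomplete certificate chain in reply" and "Signature does not match". `openssl verify` also rejects an expired root ("certificate has expired" in its output), the situation one of the replies below hit in Openfire's trust store.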

Thank You. After I pasted the certificate information it goes back to the server certificate screen. No error message or anything and certificate does not show up.

Did you copy both your domain cert and the bundle cert together? Also, did you restart Openfire when it prompted you to restart the HTTP service?

There was no prompt for an HTTP restart or any message. I noticed in the trustcacerts keystore that the CA root certificate had also expired. I had to replace the CA certificate with keytool, and then importing the certificate as mentioned above worked.

I’ve spent three days trying to do this. Documentation is sparse, and the stuff that exists assumes that you know how to do the things that they don’t describe in detail.

Your how-to is the best I’ve found, and with 15 minutes of time I was able to install and configure an SSL certificate from GoDaddy. THANK YOU! It’s a shame that we have to use a third-party tool to get a CA cert installed in Openfire, but I’m glad that this post was here to help me!

2 Likes

I have Openfire 3.9.1 and it worked like a charm. My issue here is Openfire persistently displaying a warning that “One or more certificates are missing.” The one I have is RSA, guess it needs a DSA?