*WORKING* SSL Setup Instructions?

I’m having the exact same problem and have found numerous forum posts about it. But nothing has helped.

Me too. I’m looking at server-to-server connections though.

Viewing the Server Certificates page in the admin consoles shows that I have a “CA Signed RSA” and a “CA Signed DSA” certificate.

The log files show the TLS connection is established, but no authentication mechanism is offered.

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Plain connection to :5269 successful

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Indicating we want TLS to

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Negotiating TLS with

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - TLS negotiation with was successful

2010.01.16 13:19:27 LocalOutgoingServerSession: OS - Error, EXTERNAL SASL and SERVER DIALBACK were not offered by

Looking at SASLAuthentication.java, I can see that for me it is walking the certificate chain and tries to find the CA certificate in my keystore. If I don’t import the CA certificate in my keystore (it is in my truststore, didn’t think it was needed in the keystore too) it throws an exception and the certificate is marked as self signed. If I import the CA certificate to my keystore too, my certificate still gets marked as self signed because the CA certificate is self signed. When the CA cert is in my keystore, I can no longer view the “Server Certificates” page in the admin console as I get a java exception.

Does anyone have this working? If I run it in a debugger and force my cert to be considered not self signed everything does work. Not sure if it’s a problem with my certificates or the logic in openfire to determine if a cert is self signed or not.

Thanks.

An awesome bit of debugging; maybe with that kind of info you should proceed to file a bug and reference this thread.

I haven’t heard from anyone who has this working (hard to believe, I know).

I gave up and used ejabberd which worked perfectly. I too haven’t heard of anyone successfully getting this working.

I’m not sure I have understood all the technical stuff, but I will try to file John’s message as a bug report. OF-331. It will be pushed to 3.6.6, as we want to finalize 3.6.5 sooner.

With a small modification to the check for a self signed local certificate in method SASLAuthentication.getSASLMechanisms, I have this working.

The call to session.getConnection().getLocalCertificates() returns the certificate chain used in the TLS handshake. The return value is an ordered array with the local certificate first, followed by the certificate authorities (see javax.net.ssl.SSLSession.getLocalCertificates). Instead of iterating over the entire array, just check the first certificate to see if it’s self signed or not.

Thanks, this is excellent news. We’ll be looking forward to 3.6.6

Perhaps an adaptation of the resolution I had on this post: http://www.igniterealtime.org/community/thread/41081 will help you?

I use StartSSL for my Openfire SSL and it’s working w/o issue. The instructions I posted on that procedure may help you.

I also experienced this and it is really frustrating. After many weeks and days, I was able to make our wild card certificate to work by importing the rootCA chain one at a time. I did not import it as a chain, instead I imported it like two certificates on the truststore and it worked like a charm.

I am leaving this in case it is useful to anyone but please try the method in my reply first. It is much easier.

I have been having this same issue and it took me all day to finally get it working. I have a digicert wildcard certificate and it has been a huge pain to get it into Openfire. I know this is old so it may not even be relevant anymore but here is how I did it on 3.7.0:

  1. Go to the import page and bookmark the URL, the reason will be important later. In my case it was http://localhost:9090/import-certificate.jsp

  2. Drop to the command prompt and use keytool to import ALL the intermediate certificates in the chain needed to validate your certificate. In my case there was my certificate, 2 DigiCert certificates then an Entrust Root CA. I had to import the two DigiCert ones into the keystore.

keytool -import -keystore keystore -alias digicert1 -file digicert1.cer

keytool -import -keystore keystore -alias digicert2 -file digicert2.cer

  3. Restart Openfire so it will re-read your keystore.

  4. Don’t try to go to the certificates page since it will just throw an error that one of the keys isn’t a private key. That is why you have to go to the bookmarked import page. Enter your passphrase, existing key and certificate. Mine were the text I used in an Apache install.

  5. If it didn’t work when you submit you should get the red text with the error like couldn’t verify the chain, bad passphrase, etc. If it did work then you will go back to the certificates page which has the private key error. No need to worry, you should see import=success in the URL.

  6. Now that it is there you can clean things up by going back to the command prompt and deleting the intermediate certificates and the default self-signed ones:

keytool -delete -keystore keystore -alias digicert1

keytool -delete -keystore keystore -alias digicert2

keytool -delete -keystore keystore -alias domain.name_rsa

keytool -delete -keystore keystore -alias domain.name_dsa

  7. Restart Openfire again and now the certificates screen should work properly and you will see your CA signed cert.

Massive PITA but I finally got it working. Of course my client of choice is Pidgin which doesn’t use the system root CAs so even though I verified it was getting the correct cert it is still prompting the user to accept because the stupid DigiCert intermediate cert isn’t in Pidgin. I tried leaving the DigiCert certs in the keystore in the hopes that they would get passed down like my web servers do but it didn’t work.

Hopefully those of you who aren’t using pidgin or have the intermediate certs in your clients will find some value in this.

Message was edited by: Kelderek

Wouldn’t you know that I would find the EASY way to do it after I go through all that hassle then write it up for the forums. Here is the link so credit can be given where it is due:

The gist of it is that all you have to do is put the text of your intermediate certs in the cert import box along with the text of your cert. Doesn’t solve my Pidgin issue but it makes the process SO much easier.

I found Pidgin works fine on Windows 7, but complains about not trusting a cert with Windows XP - Microsoft have an updated root CA bundle available for XP which seems to solve the issues.

http://support.microsoft.com/kb/931125

In my case it complains for both XP and 7. We are using the most current root certs bundle as well. I think it is because my cert is from Digicert. Entrust signs Digicert and is trusted by Windows, but there is an intermediate Digicert CA as well. I had to add that to my web servers as well so clients wouldn’t have prompts when browsing the web. Apparently with that there is some facility to send the intermediate certs as well that doesn’t exist in XMPP, Openfire and/or Pidgin.
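Two certificate-chain behaviours come up repeatedly in this thread: the self-signed check that walks the whole array returned by getLocalCertificates() (and so trips over the root CA, which is always self-signed), and a leaf certificate that clients cannot validate unless the DigiCert-style intermediate is available, either sent by the server or imported on the client. Both can be reproduced without Openfire. The Go program below is an added example, not Openfire or forum code: it builds a throwaway root -> intermediate -> leaf chain in memory (every name in it, such as "Demo Root CA" and xmpp.example.test, is made up), implements the chain-walking check next to the first-certificate-only fix, and verifies the leaf with and without the intermediate.

```go
package main

// Added example (not Openfire code). Builds an in-memory root -> intermediate
// -> leaf chain and shows (1) why flagging a chain as self-signed when ANY
// member is self-signed misclassifies every CA-signed leaf, and (2) why the
// leaf cannot be validated unless the intermediate is available.
// All names here (Demo Root CA, xmpp.example.test, ...) are made up.

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a certificate for cn. With parent == nil it is self-signed,
// otherwise it is signed by parent's key.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// isSelfSigned: issuer DN equals subject DN AND the signature verifies under
// the certificate's own public key (a DN comparison alone can be spoofed).
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// chainWalkSaysSelfSigned mirrors the logic described for getSASLMechanisms:
// walk everything getLocalCertificates() returned and flag the chain if any
// member is self-signed. The root CA always is, so CA-signed chains are flagged.
func chainWalkSaysSelfSigned(chain []*x509.Certificate) bool {
	for _, c := range chain {
		if isSelfSigned(c) {
			return true
		}
	}
	return false
}

// leafSaysSelfSigned is the fix: only the first (local) certificate counts.
func leafSaysSelfSigned(chain []*x509.Certificate) bool {
	return len(chain) > 0 && isSelfSigned(chain[0])
}

// verifyLeaf validates leaf against root. intermediates stands in for what the
// server sends in the handshake or what the client has imported itself.
func verifyLeaf(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: inters})
	return err
}

type demoChain struct{ Leaf, Inter, Root *x509.Certificate }

// buildDemoChain mimics a commercial CA layout: root -> intermediate -> host.
func buildDemoChain() demoChain {
	root, rootKey := mkCert("Demo Root CA", true, nil, nil)
	inter, interKey := mkCert("Demo Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("xmpp.example.test", false, inter, interKey)
	return demoChain{leaf, inter, root}
}

func main() {
	d := buildDemoChain()
	chain := []*x509.Certificate{d.Leaf, d.Inter, d.Root} // order of getLocalCertificates()
	fmt.Println("walk whole chain  ->", chainWalkSaysSelfSigned(chain)) // true (wrong)
	fmt.Println("check leaf only   ->", leafSaysSelfSigned(chain))      // false (right)
	fmt.Println("verify w/o inter  ->", verifyLeaf(d.Leaf, d.Root))           // error
	fmt.Println("verify with inter ->", verifyLeaf(d.Leaf, d.Root, d.Inter))  // <nil>
}
```

The verifyLeaf calls are the client's view of the problem Kelderek hit with Pidgin: trusting the root is not enough when the server presents only its own certificate, so the intermediate must come from the handshake or from the client's own store.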

Workaround: Put your CA certificate in truststore, remove it from keystore. Openfire throws an exception in the web interface if keystore contains anything that does not have a private key associated.

Openfire web server and XMPP SSL/TLS services work fine, only the web interface complains.

I have put a quick fix for this in http://community.igniterealtime.org/message/218685

I’m confused on this issue.

What does it take from start to finish to get this working?

I had this working before, not sure where i got the correct instructions.

Now my cert expired and I cannot get this to work no matter what I do.

I’ve followed several instructions in this forum, none seem to work.

Of all the instructions I followed, this worked the best. All the other ones were confusing at best:

http://community.igniterealtime.org/docs/DOC-2208

Thanks. I appreciate the credit.

Hi Guys-- I was fighting with this like you all have been for a weekend.

I WAS ABLE TO GET IT TO WORK AS IT SHOULD.

From what I can tell, this isn’t an Openfire problem- this is a “Java Feature” as the more I looked around the world, people experience this keystore/ truststore issue on many Java based platforms. -This also might explain why some people have it work great til they renew their cert, or various fixes work for one admin or not the other… Different Java JDK/SDK/JRE over the years.

I saw an article recommending the use of “IBM KeyMan”. It’s a small program that reads and rewrites keystores.

Within 20 minutes I had my wildcard cert running on openfire.

Basic steps involved

  1. get Keyman running well… (install, fix a bat startup)

  2. rename the old keystore file to something else. (…\openfire\resources\security\keystore.sucks)

  3. create a new keystore file in …\openfire\resources\security\keystore (keep same password “changeit”) using your good cert, PFX or whatever.

  4. save out and test. Openfire may complain, but the cleanup was minimal compared to all the garbage I went through all weekend to go nowhere with keytool.

Like I said, 20 minutes.

Cheers!


Greetings All,

Firstly, although I’m new on this site I’ve been using variants of this product since 2006 (wildfire on UNIX). So I’m fairly familiar with this thing although still not an expert.

Secondly, configuring self signed SSL certificates on Openfire has been a bit of a learning curve and it took me a while to work out how to do it following what seemed like a gazillion guides from a multitude of sources. (Get to the point dude).

Thirdly, I’m not teaching anyone how to suck eggs with the following guidelines, but keeping it stupid/simple works for me.

So how did we achieve this.

Assumptions:

  1. You have a MS CA on 2K8 R2 SP1 installed within your domain that has AD certificate services, web services and obviously IIS configured correctly. The CA has issued a root certificate into AD and CRL’s are configured accordingly through the default domain GP.

  2. The server hosting Openfire is MS 2K8 R2 SP1 with firewall ports configured correctly.

Openfire Server

  1. I had to install the following software:

a. jre-7u45-windows-i586.exe from Here.

b. jdk-7u45-windows-x64.exe also from the above link.

c. UnlimitedJCEPolicyJDK7.zip from Here.

d. vcredist_x64.exe from Here (needed for OpenSSL x64).

e. Win64OpenSSL-1_0_1e.exe from Here

  2. Stop the Openfire Service.

  3. Add a JAVA_HOME environment variable as

“C:\Program Files\Java\jdk1.7.0_45\bin”, also add this to the Path under system variables. (Don’t forget the semicolon.)

  4. Additionally, add the OpenSSL Path as C:\OpenSSL-Win64\bin.

  5. Backup the keytool.exe from the C:\Program Files (x86)\Java\jre7\bin directory and replace it with the one from JDK\bin.

  6. Unzip and extract the 2 library files, backup and replace the existing library files from C:\Program Files (x86)\Java\jre7\lib\security with the 2 from the zip file.

  7. Copy the whole JRE7 folder and paste it into the Openfire directory. Delete the old jre and rename the JRE7 to jre.

  8. Export your trusted root CA certificate from IE as a Base-64 encoded (CER) and save it to C:\Program Files (x86)\Openfire\Resources\Security.

  9. Open up a DOS prompt and cd to C:\Program Files (x86)\Openfire\Resources\Security

  10. Run the following keytool command:

keytool -import -keystore truststore -alias "Suitable-Name" -file "Your root CA.cer"

Type in “changeit” when prompted or your current truststore password.

  11. Start the Openfire Service.

  12. Login to Openfire and navigate to the Certificates Page under Server Settings. You’ll see 2 self signed certificates for RSA and DSA with your server hostname.

  13. Click on the hyperlink under Signing Request and fill in the information for your CA (you can get this from the root certificate you saved earlier). Make sure the name of your CA matches exactly what’s on the root CA Cert. Save and restart Openfire.

  14. Log back in and again navigate to the certificates page. Under signing request select all the text in the RSA window and save it to notepad. Name the file “rsa.csr” (you will have to uncheck hide extensions for known file types and rename it removing the .txt at the end of the file).

  15. Repeat the process for the DSA window and name it dsa.csr. Save the files to external media or across the network to a shared network folder.

Certificate Authority Server

You will have to duplicate 2 certificate templates based on the standard web server template in cert tools mmc for 2K8 Enterprise. It’s entirely up to you as to the validity duration and renewal period, but 2 years and 6 months works for me. Ensure you add your Openfire server to the list of Users/Groups allocating full control. Save each template as OFRSA and OFDSA or something suitable.

The standard web certificate has RSA 2048 cryptography applied, so this will need to change for the DSA certificate to match that level of cryptography or it will error out later on. Change the purpose of the DSA certificate to signature and accept the warning message. Then change the cryptography to DSA and 256 bit as a minimum.

  1. Create a folder on the C: drive and call it Requests. Copy the 2 CSRs into it.

  2. Open up a DOS prompt as administrator and type in the following:

certreq -submit -attrib "certificatetemplate:OFRSA" c:\requests\rsa.csr

  3. After a brief period a “Certification Authority list” box will pop up. Select your root CA and click OK. Then save your certificate as X.509 CER certificate. I called mine rsa.cer and saved it in the requests folder.

  4. Repeat the process for the DSA certificate and save it as dsa.cer.

certreq -submit -attrib "certificatetemplate:OFDSA" c:\requests\dsa.csr

  5. Copy the 2 files back over to the Openfire Server. Create another folder called Certs in the C: drive and drop them into it.

Openfire Server

Hope you’re all still with me!!!

  1. On the Openfire server open a DOS prompt as Administrator and type in the following:

openssl x509 -in c:\certs\rsa.cer -out c:\certs\rsa.pem

repeat for the DSA certificate

openssl x509 -in c:\certs\dsa.cer -out c:\certs\dsa.pem

  2. Open up explorer and navigate to the Certs folder, open up the rsa.pem file with notepad, copy and paste the output

-----BEGIN CERTIFICATE----- output of response -----END CERTIFICATE-----

into the RSA window on Openfire. Repeat for the DSA Certificate.

  3. Ensure you amend the security settings within Openfire to required for both the client and server connections and restart Openfire.

Finally, hopefully you should have working CA approved self signed certificates. As a note if you notice in the logs that Openfire starts unencrypted for both 5269 and 5222 - apparently this is completely normal behaviour and TLS will kick in when called upon.

Regards and apologies for the long winded approach.

Here is yet another method to add to the list of ways of dealing with the crazy Java keystore. My old methods did not work with my current certificate, but this did. It allows you to directly pull in a Windows exported .p12 or .pfx file. Make sure you export the private key with the certificate when creating the pfx/p12 file. This will also automatically pull in any intermediate CAs if you included them in the export.

Run a command prompt as administrator on the OpenFire server and browse to the Program Files (x86)\OpenFire\resources\security folder

Backup the keystore in case something goes wrong:

copy keystore keystore.bak

Import the SSL certificate & key into the java keystore with the following command:

…\jre\bin\keytool -importkeystore -srckeystore newCert.pfx -srcstoretype PKCS12 -destkeystore keystore -deststoretype JKS

The source password is the one that was set when the .pfx or .p12 certificate was exported. The destination password is changeit

List the certificates in the keystore with the following command:

…\jre\bin\keytool -list -keystore keystore -storepass changeit

Find the new certificate name (may be a long UID) and change its password to match the keystore:

…\jre\bin\keytool -keypasswd -keystore keystore -storepass changeit -alias newCertAlias

The current key password is the one used when exporting the .pfx or .p12 file and the new one will be changeit

For clarity, rename the key to something more human readable:

…\jre\bin\keytool -changealias -keystore keystore -storepass changeit -alias newCertAlias -destalias im.whatever.com2014-2015

Clean things up by deleting the old cert:

…\jre\bin\keytool -delete -keystore keystore -storepass changeit -alias oldCert

Restart Openfire for the new certificate to take effect.