OpenFire with PKI

I know this question has been asked quite a bit on these forums; however, I’m still having a problem enabling my OpenFire server to use PKI Authentication.

I’m fairly sure I have all of my server settings correct (pointing to the correct place for keystore, truststore, etc.), but I don’t think the server is properly sending my client back a list of acceptable CAs when asking my client for its certificate.

Here is a listing of pertinent props:

  • sasl.mechs = EXTERNAL
  • xmpp.client.cert.policy = WANTED
  • xmpp.client.certificate.verify = true
  • xmpp.client.certificate.verify.chain = true
  • xmpp.client.certificate.verify.root = true
  • xmpp.client.certificate.verify.validity = true
  • xmpp.client.tls.policy = required
  • xmpp.socket.ssl.active = true
  • xmpp.socket.ssl.client.truststore = resources/security/truststore
  • xmpp.socket.ssl.client.trustpass = {my password}
  • xmpp.socket.ssl.keystore = resources/security/keystore
  • xmpp.socket.ssl.keypass = {my password}

I have a keystore and a truststore located in {openfire root}/resources/security/

I have my server’s private keys in the keystore and a listing of available CAs in my truststore.

I’m getting the error: “EXTERNAL auth requested, but no certificates found”

I’ve tested this with openssl s_client… and see that the server is not sending back my list of CAs. I’m using the same keystore/truststore on another web application (run in JBoss), and my openssl s_client… properly gets my list of CAs.

OK… I’m able to get openssl s_client… to return me a list of CAs; however, I’m still getting the “no certificates found” error. I know my client is opening and reading my keystore that has a valid certificate signed by a CA that’s found in OpenFire’s truststore!!!
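As an added example (not code from the original post and not part of the Openfire project), here is a shell check that automates the `openssl s_client` test described above: it probes the XMPP port with STARTTLS, pulls out the "Acceptable client certificate CA names" block that `s_client` prints after the handshake, and tests whether the CA that issued your client certificate is among the CAs the server advertises. If that block is absent (`s_client` prints "No client certificate CA names sent" instead), the server never asked for a client certificate at all, which is the first thing to rule out before looking at the client's keystore. The host:port, CA subject strings and the sample output are constructed placeholders, not captured from a real server.

```shell
# probe_server <host:port> - live probe of an XMPP server's client-cert request.
# Uses STARTTLS on the XMPP client port; requires network access.
probe_server() {
  openssl s_client -connect "$1" -starttls xmpp -showcerts </dev/null 2>/dev/null
}

# advertised_cas - read s_client output on stdin and print only the CA
# subject names the server sent in its CertificateRequest. Stops at the
# first line after the list ("Client Certificate Types", "Requested
# Signature Algorithms", "---" or the handshake summary). Prints nothing
# when the server sent no CertificateRequest.
advertised_cas() {
  awk '
    /^Acceptable client certificate CA names/ { inlist = 1; next }
    /^No client certificate CA names sent/    { exit }
    inlist && /^(Client Certificate Types|Requested Signature Algorithms|---|SSL handshake has read)/ { exit }
    inlist { print }
  '
}

# ca_listed <subject-substring> - exit 0 if the given CA subject fragment
# appears in the advertised list read from stdin, 1 otherwise.
ca_listed() {
  advertised_cas | grep -Fq -- "$1"
}

# Constructed sample output of a server that DOES request a client cert
# (placeholder CA names, not from a real deployment).
SAMPLE_SENT='---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Corp Root CA
/C=US/O=Example Corp/CN=Example Corp Issuing CA 1
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 3456 bytes and written 400 bytes'

# Constructed sample output of a server that sends no CertificateRequest
# (what the post describes seeing before the server was fixed).
SAMPLE_NONE='---
No client certificate CA names sent
---
SSL handshake has read 1000 bytes and written 300 bytes'

# Usage against a live server (placeholder host):
#   probe_server xmpp.example.com:5222 | ca_listed "CN=Example Corp Issuing CA 1" \
#     && echo "server advertises my issuing CA" || echo "issuing CA not advertised"
```

If the CA is advertised and the client still gets "EXTERNAL auth requested, but no certificates found", the problem has moved to the client side: the client must present a certificate whose chain ends in one of the advertised names, and SASL EXTERNAL can only succeed after that certificate was actually sent during the TLS handshake.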