2688 Views 5 Replies Latest reply: Apr 23, 2014 12:04 PM by Jules Huang
Miguel Fenne, Bronze, 2 posts since Jan 11, 2012

Jan 12, 2012 9:36 AM

Openfire 3.7.1 with GeoTrust SSL cert (Windows Server 2008 x32) - SOLVED

I spent the last 4 days trying to get this figured out. After much trial and error, these are the exact steps I used to get a GeoTrust SSL cert imported into Openfire 3.7.1.

 

Install the Microsoft Visual C++ viewer redistributable. You need this specific version in order for OpenSSL to function properly.

http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF

 

Download OpenSSL from http://www.slproweb.com/download/Win32OpenSSL-1_0_0f.exe

Install this using the system defaults.

 

Browse to C:\OpenSSL-Win32\bin

Right-click on openssl.exe and choose Run As Administrator.

 

Use OpenSSL to generate a private key by running the following commands.

 

genrsa -out your.domain.com.key 2048

 

You will see:

Loading 'screen' into random state - done

Generating RSA private key, 2048 bit long modulus

.+++

............................................+++

e is 65537 (0x10001)

 

At the next OpenSSL> prompt, enter this command:

 

req -out your.domain.com.csr -key your.domain.com.key -new

 

You will see:

 

Loading 'screen' into random state - done

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:REQUIRED

State or Province Name (full name) [Some-State]:REQUIRED

Locality Name (eg, city) []:REQUIRED

Organization Name (eg, company) [Internet Widgits Pty Ltd]:REQUIRED

Organizational Unit Name (eg, section) []:REQUIRED

Common Name (e.g. server FQDN or YOUR name) []:REQUIRED (this should match your Openfire server name)

Email Address []:Leave blank

 

LEAVE THE FOLLOWING BLANK

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

After answering the questions above, you will be brought back to the OpenSSL prompt:

 

OpenSSL>

 

At this point you can close OpenSSL.

 

You have now created a private key and a cert request that you can use to get a cert from GeoTrust. The key and the cert are located in C:\OpenSSL-Win32\bin

The files are:

your.domain.com.key

your.domain.com.csr

 

Log in to your GeoTrust account and ask for a new SSL cert. I used the Quick SSL Premium, but the Quick SSL Basic will be fine if you don't need multiple domain support.

 

Copy the contents of the file

your.domain.com.csr

into the field listed below:

Certificate Signing Request (CSR) Information

 

Complete the cert request steps. Once you get your cert approved and you get the download link, make sure you download the ZIP bundle.

Extract the files and use Notepad++ to open the files:

 

your_domain_com.txt

GeoTrust_CA_Bundle.txt

 

Copy the contents of your_domain_com.txt and paste it into a new Notepad++ file. Directly after your cert, copy the contents of

GeoTrust_CA_Bundle.txt

 

The end file should look like this:

-----BEGIN CERTIFICATE-----
Your certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(first certificate from GeoTrust_CA_Bundle.txt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(second certificate from GeoTrust_CA_Bundle.txt)
-----END CERTIFICATE-----

 

Save this file as "Content of Certificate file.txt".

 

Browse to the Openfire Server Certificate Import page: https://your.openfireserver.com:9091/import-certificate.jsp

 

Copy the contents of your.domain.com.key and paste it into the "Content of Private Key file:" field.

Copy the contents of the "Content of Certificate file.txt" you created into the "Content of Certificate file:" field.

 

 

If you don’t include the intermediate cert data in the second field or the intermediate certs don’t match you’ll see errors such as “Incomplete certificate chain in reply”, “Failed to establish chain from reply” or “Certificate chain in reply does not verify: Signature does not match.”

 

If you see the message “invalid DER-encoded certificate data” then you most likely have an empty line between one or other of the certificate lines.

 

Once you get the "Key was imported successfully" message, you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.

 

Log back in and browse to the Server Certificates page again; you will see two self-signed certs and a CA-signed cert. You can remove both self-signed certs by clicking the delete button to the far right. Once again you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.

 

Log back in and browse to the Server Certificates page again to verify your CA-signed cert is the only one left.

 

That should be it. I have confirmed this works with Openfire 3.7.1 using Spark and webchat clients.

 

Let me know if you have any questions. Hopefully this will help someone save a week of headbanging and frustrations.
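The bundle assembly and the two import errors described above, as an added example that is not part of the original post and not Openfire's own code: a small Python checker for the text that goes into the "Content of Certificate file" field. It flags blank lines inside or between PEM blocks (the "invalid DER-encoded certificate data" case), a missing intermediate certificate (the "Incomplete certificate chain" case), and bodies that do not decode to a single DER SEQUENCE. The sample "certificates" are constructed tiny DER values, not real X.509 data.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE, the outer shape of an X.509 cert."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1] & 0x7F if der[1] >= 0x80 else 0   # long form: 0x8N, then N length bytes
    if der[1] >= 0x80 and not 0 < n <= 4:
        return False
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return 2 + n + length == len(der)


def check_bundle(text: str):
    """Return (problems, certificate_count) for text pasted into Openfire."""
    problems, certs, body, inside = [], [], [], False
    for no, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END and inside:
            certs.append("".join(body))
            inside = False
        elif line == "":
            problems.append(f"line {no}: blank line ('invalid DER-encoded certificate data')")
        elif inside and B64_LINE.fullmatch(line):
            body.append(line)
        else:
            problems.append(f"line {no}: text that is not part of a PEM block")
    if inside:
        problems.append("last certificate has no END line")
    for i, b64 in enumerate(certs, 1):
        try:
            if not der_sequence_ok(base64.b64decode(b64, validate=True)):
                problems.append(f"certificate {i}: body does not decode to a DER SEQUENCE")
        except ValueError:
            problems.append(f"certificate {i}: body is not valid base64")
    if len(certs) < 2:
        problems.append("no intermediate certificate ('Incomplete certificate chain in reply')")
    return problems, len(certs)


# Constructed stand-in for a server cert plus one intermediate: a tiny DER SEQUENCE, not real X.509.
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
GOOD_BUNDLE = "\n".join([BEGIN, FAKE_CERT, END, BEGIN, FAKE_CERT, END])
```

Run `check_bundle(open("Content of Certificate file.txt").read())` on your own assembled file; an empty problem list and a count of at least 2 means the paste is well-formed (it does not verify signatures or issuer order).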

 

 

