Using Signed SSL Certificates in Openfire

Version 4

     

    Problem:

    I want to be able to communicate with an Openfire server using SSL. The server must be able to prove that it is who it claims to be, so that clients can trust that their communications with it are secure.

     

    Solution:

    Operate Openfire over TLS using signed server certificates. This entails having a matched public/private key pair to protect all transactions. Openfire users will encrypt their communications using your public key, and those transmissions can then only be decrypted with your private key. If you have your public key certified by a trusted authority (a Certificate Authority, CA), Openfire clients can trust that their connections to your Openfire server are secure.

     

    Instructions:

     

    To get a signed certificate onto your Openfire server, you'll need three things:

     

    1) A public/private key pair to encrypt/decrypt messages

    -You will generate this yourself: a private key and an associated Certificate Signing Request (CSR), which you will then have signed by your chosen Certificate Authority (CA)

    2) A certificate for your server signed by an external CA (Certificate Authority)

    -You will have to request this from a CA of your choosing using your CSR

    3) The public certificate of your CA

    -This will be freely distributed by your CA, and might also require a certificate chain containing the certificates of all the higher-level (root) CAs that have authorized your CA.

     

    Once you have these three things, you'll need to import them into Openfire.

    The following steps will guide you through the process of obtaining and then importing your certificates:

     

    Step 1: Generating a CSR & Private Key

    You can generate a CSR / private key pair using the tool of your choice. There are many free tools available online (an example), or you could use the Java keytool to generate a CSR. Be warned: if you generate a CSR with keytool, the private key is kept in the keystore that keytool manages, so take care to read the keytool documentation and generate the CSR only once, to make sure that your CSR and private key match.

    Whatever tool you use, keep a copy of both the CSR and the private key, and be sure to keep them matched: you'll need the private key that belongs to your specific CSR when you receive your signed certificate.

     

    Once bugs JM-1140 and JM-1139 are resolved, it will be possible to create a CSR and private key pair in Openfire itself.

     

    Step 2: Getting Your Signed Certificate

    This step will involve deciding upon a Certificate Authority, and likely paying your chosen CA to have your certificate request signed.

    You will send your generated CSR to your chosen CA (keep the private key to yourself). The CA will send you two things in reply: a signed copy of your certificate, and their public certificate, which may be just their own certificate or their certificate together with its chain.

     

    Step 3: Making Openfire Recognize Your CA

    Using the Java keytool, you will need to add your CA's certificate to the Openfire truststore (located in <<openfire dir>>\resources\security). The keytool command to import your CA certificates into your truststore is roughly as follows:

    keytool -import -alias <<CA alias>> -file <<CA cert file>> -keystore <<openfire dir>>\resources\security\truststore

    You will need to execute this command once for each certificate file sent to you by your CA.

     

    Step 4: Importing Your Signed Certificate into Openfire

    If you created your certificate request and private key using the built-in Openfire tool, then importing the signed certificate is a simple matter of pasting the signed cert into the "Certificate Authority Reply" box in the Server Certificates interface of the admin console.

    For more information see the Java keytool documentation.

     

    If you created your certificate request and private key with the Java keytool, you will need to import the CA reply into the Openfire keystore (<<openfire dir>>\resources\security\keystore) using the same method as importing your CA's certificate in step 3 (import it under the same alias you used when generating the key pair, so that keytool pairs the reply with your private key).

     

    If you created your certificate request and private key with an external tool, you will be able to import them through a hidden interface in the Openfire admin console: <<admin url>>/import-certificate.jsp. Just navigate to that page, paste your signed certificate and private key into the appropriate boxes, and click Save.

    Step 4a: Importing a certificate already installed in Windows (extracting the private key by exporting to a PFX file)

     

    If you received a certificate from your provider, installed it on your Windows system and have no idea what a private key is, then these instructions should help.
    If you already have a certificate backup (a PFX file), skip Step 1; otherwise you first need to create a full backup that includes the private key.
    Step 1
    1.) Start > Run
    2.) Type in MMC and click OK
    3.) Go into the File menu > select Add/Remove Snap-in...
    4.) Click on Add > double-click on Certificates and click on Add > OK
    5.) Select Computer Account
    6.) Select Local Computer
    7.) Click the + to expand the Certificates console tree
    8.) Look for the Personal directory/folder and expand Certificates.
    9.) Right-click on the certificate you would like to back up and choose All Tasks > Export
    10.) Follow the Certificate Export Wizard to back up your certificate to a .pfx file
    11.) Choose 'Yes, export the private key'
    12.) Choose to include all certificates in the certification path if possible (do NOT select the option to delete the private key)
    13.) Leave the default settings > enter a password of your choice
    14.) Choose to save the file in a set location (something easy like c:\mycert.pfx)
    15.) Finish
    16.) You will receive the message Export Successful
    17.) The .pfx backup file is now saved in the location you specified
    Step 2
    Now you will need a compiled OpenSSL binary for Windows; the easiest I have found is:
    http://www.slproweb.com/products/Win32OpenSSL.html
    By default this is installed into "c:\openssl".
    You now need to run this command to extract the details required to import into Openfire:
    c:\openssl\bin\openssl.exe pkcs12 -in c:\mycert.pfx -out c:\outputfile.txt -nodes
    (where c:\mycert.pfx is the location of the certificate exported in the previous step). Note that -nodes writes the private key to the output file unencrypted, so protect that file like the PFX itself and delete it once the import is done.
    If you open the output file, it contains the certificate as well as a section like this:
    -----BEGIN RSA PRIVATE KEY-----
    (Block of Random Text)
    -----END RSA PRIVATE KEY-----
    Step 3
    Open up <<Openfire admin url>>/import-certificate.jsp
    Pass Phrase: enter the password you used when creating the backup file in Step 1
    Private Key: enter this section from the output file (including the BEGIN and END lines):
    -----BEGIN RSA PRIVATE KEY-----
    (Private Key Content)
    -----END RSA PRIVATE KEY-----
    Certificate Content: enter this section from the output file (including the BEGIN and END lines):
    -----BEGIN CERTIFICATE-----
    (Certificate Content)
    -----END CERTIFICATE-----
    Click Save and your certificate should now be available in Openfire.
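    As an added example (not part of the original article), the script below automates the copy-and-paste of Step 3: it pulls the private key block and the server certificate block out of the openssl pkcs12 output file, skipping the Bag Attributes headers and any CA certificates that the Windows export included in the chain, and it rejects a key that is still encrypted (what you get if -nodes was left off). The file content is a constructed sample and the names in it are placeholders.

```python
import re

# Constructed sample of the file written by "openssl pkcs12 -in c:\mycert.pfx
# -out c:\outputfile.txt -nodes": bag headers, unencrypted key, then the chain.
SAMPLE_OUTPUT = """Bag Attributes
    localKeyID: 01 02 03
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAconstructedKeyBody=
-----END RSA PRIVATE KEY-----
Bag Attributes: <No Attributes>
subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIDconstructedRootCertBody=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = xmpp.example.com
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIDconstructedLeafCertBody=
-----END CERTIFICATE-----
"""

# A PEM key block; the END label must repeat the BEGIN label exactly.
PEM_KEY = re.compile(
    r"-----BEGIN ((?:ENCRYPTED |RSA )?PRIVATE KEY)-----\r?\n.*?\r?\n-----END \1-----",
    re.S)
# A certificate together with the subject=/issuer= lines openssl prints above it.
PEM_CERT = re.compile(
    r"subject=(?P<subject>[^\r\n]*)\r?\nissuer=(?P<issuer>[^\r\n]*)\r?\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----)",
    re.S)


def split_pkcs12_output(text):
    """Return the key and server certificate to paste into import-certificate.jsp.
    The server certificate is the one whose subject is no other certificate's
    issuer, so the order the chain was written in does not matter."""
    keys = [m.group(0) for m in PEM_KEY.finditer(text)]
    if len(keys) != 1:
        raise ValueError(f"expected one private key, found {len(keys)}")
    if "ENCRYPTED" in keys[0].splitlines()[0]:
        raise ValueError("key is still encrypted; re-run openssl with -nodes")
    certs = [m.groupdict() for m in PEM_CERT.finditer(text)]
    leaves = [c for c in certs
              if not any(o is not c and o["issuer"].strip() == c["subject"].strip()
                         for o in certs)]
    if len(leaves) != 1:
        raise ValueError(f"expected one server certificate, found {len(leaves)}")
    chain = [c["pem"] for c in certs if c is not leaves[0]]
    return {"private_key": keys[0], "certificate": leaves[0]["pem"], "chain": chain}
```

    The "private_key" and "certificate" values are the exact text for the two boxes in Step 3; "chain" holds the CA certificates, which belong in the truststore as described in Step 3 of the main instructions.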

    You will now be able to communicate with Openfire over a trusted TLS connection.