Using Signed SSL Certificates in Openfire

Problem:

I want to be able to communicate with an Openfire server using SSL. The server must be able to prove that it is who it says it is, so that clients can trust that their communications with it are secure.

Solution:

Run Openfire over TLS using a signed server certificate. This requires a matched public/private key pair: Openfire clients encrypt their communications to the server using your public key, and those transmissions can then only be decrypted with your private key. If you have your public key certified by a trusted authority (a Certificate Authority, or CA), Openfire clients can trust that their connections to your Openfire server are secure.

Instructions:

To get this Signed Certificate on your Openfire server, you’ll need three things:

1) A public/private key pair to encrypt/decrypt messages

-You will generate this yourself: a Certificate Signing Request (CSR), which you will then have signed by your chosen Certificate Authority (CA), together with the associated private key

2) A certificate for your server signed by an external CA (Certificate Authority)

-You will have to request this from a CA of your choosing using your CSR

3) The public certificate of your CA

-This is freely distributed by your CA, and may also come as a certificate chain containing the certificates of all the higher-level (root and intermediate) CAs that have authorized your CA.

Once you have these three things, you’ll need to import them into Openfire.

The following steps will guide you through the process of obtaining and then importing your certificates:

Step 1: Generating a CSR & Private Key

You can generate a CSR and private key pair using the tool of your choice. There are many free tools available online (an example), or you can use the Java keytool to generate a CSR. Be warned: if you generate the CSR with keytool, the private key is kept inside the keystore keytool created, so read the keytool documentation carefully and generate the CSR only once, to make sure that your CSR and private key match.

Whatever tool you use, keep a copy of both the CSR and the Private key, and be sure to keep them matched – you’ll need the private key for your specific CSR when you get your signed certificate.

Pending bugs JM-1140 and JM-1139 it will be possible to create a CSR and private key pair in Openfire.

Step 2: Getting Your Signed Certificate

This step will involve deciding upon a Certificate Authority, and likely paying your chosen CA to have your certificate request signed.

You will send your generated CSR to your chosen CA (keep the private key to yourself). The CA will reply with two things: a signed copy of your certificate, and their public certificate, which may be their own certificate alone or together with its certificate chain.

Step 3: Making Openfire Recognize Your CA

Using the Java keytool, you will need to add your CA’s certificate to the Openfire truststore (located in <<openfire dir>>\resources\security). The keytool command to import your CA certs into your truststore is roughly as follows:

keytool -import -alias <<CA alias>> -file <<CA cert file>> -keystore <<openfire dir>>\resources\security\truststore

You will need to execute this command once for each certificate file sent to you by your CA.

Step 4: Importing Your Signed Certificate into Openfire

If you created your certificate request and private key using the built-in Openfire tool, then importing the signed certificate is a simple matter of pasting the signed cert into the “Certificate Authority Reply” box in the Server Certificates interface of the admin console.

If you created your certificate request and private key with the Java keytool, you will need to import the CA reply into the Openfire keystore (<<openfire dir>>\resources\security\keystore) using the same method as importing your CA’s certificate in step 3. For more information, see the Java keytool documentation.

If you created your certificate request and private key with an external tool, you can import them through a hidden page in the Openfire admin console: <<admin url>>/import-certificate.jsp. Navigate to that page, paste your signed certificate and private key into the appropriate boxes, and click Save.
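The OpenSSL route through Steps 1 to 4, as an added example (not code from the article or from the Openfire project), with the two checks that catch most import failures before they reach Openfire: that the CSR and private key match, and that the CA reply validates against the CA chain. It assumes openssl and the Openfire JRE's keytool are on PATH; /opt/openfire, the alias xmpp.example.org and the default 'changeit' store password are placeholders for your installation.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes openssl and the
# Openfire JRE's keytool are on PATH; /opt/openfire, the alias and the
# 'changeit' store password are placeholders.
set -e

# Step 1: 2048-bit RSA private key plus a CSR for the XMPP domain (arg 1),
# written to <arg 2>.key and <arg 2>.csr with no passphrase.
gen_key_and_csr() {                 # usage: gen_key_and_csr xmpp.example.org server
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# A CSR belongs to a key when both carry the same public key.
csr_matches_key() {                 # usage: csr_matches_key server.csr server.key
  [ "$(openssl req -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Step 2 check: the signed certificate must chain to the CA bundle you were
# sent (root plus any intermediates, concatenated). If this fails, keytool's
# "Failed to establish chain from reply" is the next thing you will see.
verify_ca_reply() {                 # usage: verify_ca_reply server.crt ca-chain.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 3: one truststore import per CA certificate file, alias from the file name.
import_ca_certs() {                 # usage: import_ca_certs /opt/openfire root.crt inter.crt
  ts="$1/resources/security/truststore"; shift
  for f in "$@"; do
    keytool -importcert -noprompt -alias "$(basename "$f" .crt)" -file "$f" \
      -keystore "$ts" -storepass changeit
  done
}

# Step 4 (keytool-generated key only): keytool treats the import as a CA reply,
# rather than as a new trusted-cert entry, only when the alias is the one of the
# existing key entry in the keystore.
import_ca_reply() {                 # usage: import_ca_reply /opt/openfire xmpp.example.org server.crt
  keytool -importcert -trustcacerts -alias "$2" -file "$3" \
    -keystore "$1/resources/security/keystore" -storepass changeit
}
```

For a key pair generated outside keytool, the signed certificate still goes in through import-certificate.jsp as described above; import_ca_reply applies only to the keytool path.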

Step 4a: Importing a certificate already installed in Windows (extracting the private key from an installed certificate by exporting it to a PFX file)

If you received a certificate from your provider, installed it on your Windows system and have no idea what a private key is, these instructions should help.
If you already have a certificate backup (a PFX file), skip step 1; otherwise you first need to create a full backup that includes the private key.
Step 1
1.) Start > Run
2.) Type in MMC and click OK
3.) Go into the File Tab > select Add/Remove Snap-in…
4.) Click on Add > Double Click on Certificates and click on Add > OK
5.) Select Computer Account
6.) Select Local Computer
7.) Click the + to Expand the Certificates Console Tree
8.) Look for the Personal directory/folder and expand Certificates.
9.) Right-click the certificate you would like to back up and choose ALL TASKS > Export
10.) Follow the Certificate Export Wizard to back up your certificate to a .pfx file
11.) Choose ‘Yes, export the private key’
12.) Choose to include all certificates in the certification path if possible (do NOT select the option to delete the private key)
13.) Leave default settings > Enter a password of your choice
14.) Choose to save file on a set location (something easy like c:\mycert.pfx)
15.) Finish
16.) You will receive a message > Export Successful
17.) The .pfx file backup is now saved in the location you specified
Step 2
Now you will need an OpenSSL binary compiled for Windows; the easiest I have found is:
Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
By default this is installed into “c:\openssl”.
You now need to run this command to extract the details required to import into Openfire:
c:\openssl\bin\openssl.exe pkcs12 -in c:\mycert.pfx -out c:\outputfile.txt -nodes
(where c:\mycert.pfx is the location of the certificate exported in the previous step)
If you open the output file, it contains the certificate as well as a private key block that looks something like this:
-----BEGIN RSA PRIVATE KEY-----
(Block of Random Text)
-----END RSA PRIVATE KEY-----
Step 3
Open up the <<Openfire admin url>>/import-certificate.jsp
Pass Phrase: enter the password you used when creating the backup file in step 1
Private Key: enter this section from the output file (including the BEGIN and END lines):
-----BEGIN RSA PRIVATE KEY-----
(Private Key Content)
-----END RSA PRIVATE KEY-----
Certificate Content: enter this section from the output file (including the BEGIN and END lines):
-----BEGIN CERTIFICATE-----
(Certificate Content)
-----END CERTIFICATE-----
Click Save and your certificate should now be available in Openfire.
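An added example for Step 4a (not the article's own commands): it splits the .pfx into the two PEM files the import page asks for, strips the "Bag Attributes" lines openssl prepends, and confirms the key and certificate belong together before anything is pasted. It assumes openssl is on PATH; the file names and the password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes openssl on PATH;
# mycert.pfx, the password and the output file names are placeholders.
set -e

# Write the private key (unencrypted, like the article's -nodes) and the
# server certificate to separate files instead of one mixed text file.
pfx_to_pem() {            # usage: pfx_to_pem mycert.pfx 'pfx password' server.key server.crt
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4"
}

# The pair matches when the public key inside the certificate equals the one
# derived from the private key; a mismatch is the usual cause of import errors.
cert_matches_key() {      # usage: cert_matches_key server.crt server.key
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print only the PEM block (BEGIN line to END line), so the "Bag Attributes" and
# "localKeyID" lines written by openssl pkcs12 never end up in the paste box.
pem_block() {             # usage: pem_block server.key
  sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}
```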

You will now be able to communicate with Openfire over a trusted TLS connection.

crap, for some reason when I edited the document it has html escaped the Less Than and Greater Than signs twice

Also the line spacing is wrong. All I wanted to do was help: I found that this guide gave me an idea of what I had to do, but I couldn’t work out how to get a private key from a certificate, so I thought I would add what I did.

Sorry for stuffing up the article Chase.Caster

What’s the password for the keytool command? Is it defaulted to the admin user when you do the install?

The keytool should prompt you for a password the first time you run it. I believe that it defaults to blank.

The default is ‘changeit’.

(see: http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html)

I have only ONE suggestion for an addendum to this fine piece of documentation.

What do ya do when the certificate expires? Openfire has built in facilities for the majority of the SSL cert functions, but it has no ability to see that the certificate in question is (or is about to) expire. Better still, when it DOES expire, I currently have to delete my certificates, restart the http server (which effectively removes encrypted admin access temporarily) and then force it to generate new keys so I can go get new signed certs. If you’d like to add in an addendum to describe how one might, say, go to a CA and click the ole “Renew Certificate” button, and then get that renewed certificate imported, you will have covered the entire SSL spectrum of questions.

WHAT I’VE FOUND: The admin console has no renewal support other than what I’ve listed above. That’s a dead end. Using the Java keytool (CAREFUL if you’re using the RPM version: make SURE you’re using the keytool that Openfire came with, not the one you have installed from your system JRE, or bad things can happen) refuses to allow me to import a new certificate for an existing keyset (I know, not ideal security practice, but it IS a time saver, and with CA Cert only providing certs good for 6 months, it’s reasonable). The keytool error produced is “keytool error: java.lang.Exception: Failed to establish chain from reply”. So installing a renewed certificate can’t be done by any of the usual methods that I could find.

I look forward to the replies on this. It’s been a bit of a pain for some time now.

This document does not work. I get “org.bouncycastle.jce.provider.JCERSAPrivateCrtKey cannot be cast to java.security.KeyPair” when I try to import the key and certificate.

I am using Openfire with Windows Server 12. I have a PFX file and a generated PEM file, and I am trying to enter that information in the admin module in Openfire.

Pass Phrase used for creating Private Key:
Password of the certificate
Content of Private Key file:
Content of Certificate file:

There was an error one importing private key and signed certificate.

Can you please help me?

Thanks