Configure SSL/TLS certificate trust for XMPP with a trusted CA (for client-to-server channel security) the non-UI (stable) way

Version 2

    1) Go to Server Manager\System Properties\xmpp.domain and enter the full server name (the FQDN clients connect to; it becomes the certificate's CN in step 5).  In this example I'll be using


    2) Go to Server Manager\Server Certificates: delete both listed certificates and restart the HTTP server, which removes them from both the Openfire configuration and the Java `keystore`.


    3) On the Openfire server, change the password of the `keystore` (the Java default is "changeit"):

    /opt/openfire/jre/bin/keytool -storepass changeit -storepasswd -keystore /opt/openfire/resources/security/keystore
    #enter the new password when prompted
    #Openfire opens the keystore with the password held in the xmpp.socket.ssl.keypass system property (default "changeit"); set it to the new password, or Openfire will not be able to load the keystore after the restart in step 10.


    Notes about /opt/openfire/resources/security/keystore:

    This keystore holds the private/public key pairs used for the admin console, XMPP and SIP TLS.

    Each domain name/common name is stored under its own alias within the keystore, so choose one alias for the server key pair and use it consistently in steps 5, 6 and 9.

    4) Import the CA public certificate into the `keystore` under an alias of its own (not the alias you will use for the server key pair):

    #copy the CA public certificate to your openfire server
    #import it; keytool shows the CA certificate's fingerprint and asks whether to trust it
    /opt/openfire/jre/bin/keytool -trustcacerts -import -keystore /opt/openfire/resources/security/keystore -file CA.cer -alias <ca-alias>


    5) Generate an RSA key pair that will be used to secure the TLS channel to clients (use the same alias here, for the CSR in step 6 and when importing the signed certificate in step 9):

    /opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias <server-alias>
    #keytool prompts for the subject fields.  The CN must be the xmpp.domain value.  If your CA signs with openssl's default policy_match, the O, ST and C values must equal the CA's; the policy_anything used in step 7 does not require it, but keeping them identical is harmless:
    # First and last name: [this becomes the CN: enter the server name you set as xmpp.domain in step 1.  Seems weird, but it is required, because clients compare it with the domain they connect to.]
    # OU: . [as in a dot, this is okay, or you can add something else]
    # Organization: [name of your organization used in the CA]
    # City: [name of the city used in the CA]
    # State/Province: [name of the state/province used in the CA]
    # Country Code: [two letter country code used in your CA]
    # accept with yes
    # enter a passphrase to protect the private key
    ## or simply pass the whole subject on the command line with -dname [same matching rules; "\," escapes the comma inside the organization name]:
    # /opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias <server-alias> -dname "CN=<servername>,OU=.,O=Domainy\, Inc.,L=New York,ST=New York,C=US"


    6) Create the certificate signing request (CSR) for the RSA key pair, to be signed by your CA:

    /opt/openfire/jre/bin/keytool -certreq -keystore /opt/openfire/resources/security/keystore -alias <server-alias> -file chat_domainy_com.csr
    #enter the password for the `keystore` you reset earlier.
    #enter the passphrase for the private key you just generated.


    7) Get the certificate signed, or sign it with your own CA.

    Here is a method for signing with an openssl driven CA:

    #copy chat_domainy_com.csr to /root/ on your CA
    scp chat_domainy_com.csr root@certauthserver:/root/
    #logon to your CA
    #this command invocation creates a cert that will expire in 10 years (long for a server certificate; shorten -days if you can rotate more often).
    #opensslx509.conf supplies the extensions for the signed cert; that is where a subjectAltName carrying the XMPP domain belongs, since clients match the domain against the SAN as well as the CN.
    openssl ca -policy policy_anything -days 3650 -extfile /root/ca/opensslx509.conf -out /root/ca/certs/chat_domainy_com.cer -in /root/chat_domainy_com.csr
    chmod 600 /root/ca/certs/chat_domainy_com.cer
    #copy /root/ca/certs/chat_domainy_com.cer to the openfire server
    scp /root/ca/certs/chat_domainy_com.cer root@chat:/root/


    8) You must edit the certificate before you import it into the `keystore`, removing everything before "-----BEGIN CERTIFICATE-----": openssl ca writes a human-readable dump of the certificate ahead of the PEM block, and older keytool versions refuse a file that starts with that text.


    9) Import the signed certificate into the `keystore` under the same alias as the key pair.  keytool then treats the file as a certificate reply, checks that it chains to the CA certificate imported in step 4, and replaces the self-signed certificate; a different alias would only add a trusted-cert entry and leave the self-signed certificate in use:

    /opt/openfire/jre/bin/keytool -import -keystore /opt/openfire/resources/security/keystore -alias <server-alias> -file /root/chat_domainy_com.cer


    10) Restart Openfire and access the web UI; Server Manager\Server Certificates should now list the certificate as CA Signed.
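The keystore part of the procedure (steps 3 through 9) rehearsed end to end, as an added example that is not part of this document or of Openfire. It works against a scratch keystore in a temporary directory instead of /opt/openfire/resources/security/keystore, creates a throwaway CA inline in place of certauthserver, and signs with "openssl x509 -req" instead of "openssl ca" so no CA directory layout is needed. The domain chat.example.test, the aliases, the passwords and the extension file are all assumptions for the demo. The checks at the end are the ones worth running on the real keystore before restarting Openfire: the server alias must be a private-key entry with a two-certificate chain, and its leaf must verify against the CA and carry the domain as a SAN.

```sh
#!/bin/sh
# Added example (not from the Openfire docs): rehearse steps 3-9 against a scratch
# keystore and a throwaway CA, then verify the result. All values below are assumed.
set -eu

DOMAIN="chat.example.test"      # must equal the xmpp.domain property (step 1)
KEY_ALIAS="$DOMAIN"             # one alias for key pair, CSR and signed reply
CA_ALIAS="demo-root-ca"         # the CA certificate gets a different alias
STOREPASS="demo-store-pass"     # stands in for the password chosen in step 3
# One password for store and key: the PKCS12 store type that current JDKs create
# by default ignores a separate -keypass; Openfire's JKS store would accept one.
KEYPASS="$STOREPASS"
WORK=""; KS=""                  # set by run_demo

# Stand-in for the openssl-driven CA on certauthserver (step 7).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=US/ST=New York/L=New York/O=Domainy, Inc./CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/CA.cer" 2>/dev/null
}

# Step 4: trust the CA certificate under its own alias (creates the keystore).
import_ca() {
  keytool -importcert -noprompt -trustcacerts -keystore "$KS" -storepass "$STOREPASS" \
    -alias "$CA_ALIAS" -file "$WORK/CA.cer"
}

# Step 5: RSA key pair; CN is the XMPP domain, "\," escapes the comma in O.
gen_keypair() {
  keytool -genkeypair -keystore "$KS" -storepass "$STOREPASS" -keypass "$KEYPASS" \
    -alias "$KEY_ALIAS" -keyalg RSA -keysize 4096 \
    -dname "CN=$DOMAIN,OU=.,O=Domainy\\, Inc.,L=New York,ST=New York,C=US"
}

# Step 6: CSR for that alias.
make_csr() {
  keytool -certreq -keystore "$KS" -storepass "$STOREPASS" -keypass "$KEYPASS" \
    -alias "$KEY_ALIAS" -file "$WORK/$DOMAIN.csr"
}

# Step 7: sign. The extfile carries the SAN that XMPP clients match on.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$DOMAIN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/CA.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/ext.cnf" -out "$WORK/signed.pem" 2>/dev/null
  # "openssl ca" prepends a human-readable dump to the PEM; reproduce that so
  # step 8 has something to strip.
  { openssl x509 -in "$WORK/signed.pem" -noout -text; cat "$WORK/signed.pem"; } \
    > "$WORK/$DOMAIN.cer"
}

# Step 8: keep only the PEM block (same effect as deleting the text before
# -----BEGIN CERTIFICATE-----, without editing by hand).
clean_cert() {
  openssl x509 -in "$WORK/$DOMAIN.cer" -out "$WORK/$DOMAIN.clean.cer"
}

# Step 9: import under the SAME alias as the key pair, so keytool treats the
# file as a certificate reply and attaches it to the private key.
import_reply() {
  keytool -importcert -noprompt -trustcacerts -keystore "$KS" -storepass "$STOREPASS" \
    -keypass "$KEYPASS" -alias "$KEY_ALIAS" -file "$WORK/$DOMAIN.clean.cer"
}

run_demo() {
  WORK=$(mktemp -d); KS="$WORK/keystore"
  make_ca; import_ca; gen_keypair; make_csr; sign_csr; clean_cert; import_reply
}

# Checks (assume keytool's English output): the server alias must carry a
# 2-certificate chain (leaf + CA) ...
chain_length() {
  keytool -list -v -keystore "$KS" -storepass "$STOREPASS" -alias "$KEY_ALIAS" \
    | sed -n 's/^Certificate chain length: *//p'
}
# ... whose leaf validates against the CA and names the domain in its SAN.
leaf_pem() {
  keytool -exportcert -rfc -keystore "$KS" -storepass "$STOREPASS" -alias "$KEY_ALIAS"
}
leaf_verifies() { leaf_pem | openssl verify -CAfile "$WORK/CA.cer" 2>/dev/null | grep -q ': OK'; }
leaf_has_san()  { leaf_pem | openssl x509 -noout -text | grep -q "DNS:$DOMAIN"; }

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  run_demo
  echo "chain length for $KEY_ALIAS: $(chain_length)"
  leaf_verifies && echo "leaf verifies against CA"
  leaf_has_san && echo "leaf has SAN DNS:$DOMAIN"
fi
```

On the real server, substitute the Openfire keystore path, the alias and password you chose, and the certificate returned by your CA; a chain length of 1 after step 9 means the reply went in under the wrong alias or did not chain to the CA entry, and Openfire will keep serving the self-signed certificate.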


    See this thread for questions about the CA cert being listed as Pending Approval, but the signed cert being CA Signed: