Configure SSL/TLS certificate trust for XMPP with a trusted CA (for client-to-server channel security) the non-UI (stable) way

Version 2

    1) Go to Server Manager\System Properties\xmpp.domain and enter the fully qualified server name. In this example I'll be using chat.domainy.com; the certificate's CN must be this same name, because clients check it against the domain they connect to.


    2) Go to Server Manager\Server Certificates: delete both listed certificates and restart the HTTP server. This removes them from both the Openfire configuration and the Java `keystore`.


    3) On the Openfire server, change the password of the `keystore` (the default is changeit):

    /opt/openfire/jre/bin/keytool -storepass changeit -storepasswd -keystore /opt/openfire/resources/security/keystore
    #enter a new password when prompted
    #omit -storepass to be prompted for the current password instead of leaving it in the shell history and process list
    #Openfire reads the keystore password from its own configuration (conf/openfire.xml): set it to the new value there, or Openfire cannot open the store after the restart


    Notes about /opt/openfire/resources/security/keystore:

    This keystore contains the private/public key pairs used for the admin console, XMPP and SIP TLS.

    Each domain name/common name is stored as an alias within the keystore, so the alias of the server key pair below is the XMPP domain itself.

    4) Import the CA public certificate into the `keystore`. Do this before importing the signed server certificate, otherwise keytool cannot build the chain in step 9:

    #copy the CA public certificate to your openfire server
    #import it
    /opt/openfire/jre/bin/keytool -trustcacerts -import -keystore /opt/openfire/resources/security/keystore -file CA.cer -alias ca.domainy.com
    #if the CA is not already in the JRE's cacerts, keytool prints the certificate and asks "Trust this certificate?": compare the fingerprint with the CA out of band before answering yes


    5) Generate an RSA key pair that will be used to secure the TLS channel to clients:

    /opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias chat.domainy.com
    #note: the CN must be the XMPP domain from step 1. The other fields only have to match the CA's when the CA runs with openssl's policy_match;
    #step 7 uses policy_anything, so they may differ, but keeping them consistent with the CA does no harm:
    # First and last name: chat.domainy.com [the XMPP domain you entered in step 1. Seems weird, but it is required.]
    # OU: . [as in a dot, this is okay, or you can add something else]
    # Organization: [name of your organization used in the CA]
    # City: [name of the city used in the CA]
    # State/Province: [name of the state/province used in the CA]
    # Country Code: [two letter country code used in your CA]
    # accept with yes
    # key password: press Enter to reuse the keystore password. Openfire unlocks the private key with the keystore password, so a different key password stops it loading the certificate.
    ## or simply, with the same values on one line:
    # /opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias chat.domainy.com -dname "CN=chat.domainy.com,O=Domainy\, Inc.,L=New York,ST=New York,C=US"


    6) Create the certificate signing request (CSR) for the RSA key pair to be signed by your CA:

    /opt/openfire/jre/bin/keytool -certreq -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com -file chat_domainy_com.csr
    #enter the `keystore` password you set earlier.
    #enter the passphrase for the private key you just generated (the same password, if you followed step 5).


    7) Get the certificate signed by your CA provider, or sign it with your own CA.

    Here is a method for signing with an openssl driven CA. The extension file named with -extfile should carry the server certificate extensions, at minimum a subjectAltName for the XMPP domain, because that is what clients check:

    #copy chat_domainy_com.csr to /root/ on your CA
    scp chat_domainy_com.csr root@certauthserver:/root/
    #logon to your CA
    #this command invocation creates a cert that will expire in 10 years; policy_anything means the subject fields need not match the CA's:
    openssl ca -policy policy_anything -days 3650 -extfile /root/ca/opensslx509.conf -out /root/ca/certs/chat_domainy_com.cer -in /root/chat_domainy_com.csr
    chmod 600 /root/ca/certs/chat_domainy_com.cer
    #copy /root/ca/certs/chat_domainy_com.cer to the openfire server
    scp /root/ca/certs/chat_domainy_com.cer root@chat:/root/


    8) Edit the certificate before you import it into the `keystore`, removing everything before "-----BEGIN CERTIFICATE-----". openssl ca writes a human-readable dump of the certificate ahead of the PEM block, and older keytool versions refuse a file that has text in front of the block.


    9) Import the signed certificate (already copied to /root/ in step 7) into the `keystore`, using the same alias as the key pair so that it replaces the self-signed certificate on that entry:

    /opt/openfire/jre/bin/keytool -import -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com -file /root/chat_domainy_com.cer
    #keytool should report "Certificate reply was installed in keystore"


    10) Restart Openfire and access the web UI. Server Manager\Server Certificates should now list chat.domainy.com as CA signed.

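    The signing and clean-up side of steps 7 to 9, as an added example that is not part of the original page or of Openfire: a POSIX shell script that builds a throwaway OpenSSL CA, signs a CSR with the dNSName and id-on-xmppAddr subjectAltName entries XMPP clients check, strips the text dump that openssl ca puts ahead of the PEM block (step 8) with openssl x509 instead of an editor, and verifies the chain and names before the keytool import. The CA, key and file names under $WORK are made up for the demo; it uses openssl x509 -req in place of the page's openssl ca so that no CA directory layout is needed, and the CSR comes from openssl req rather than keytool -certreq so it runs without a JRE. On the real server keep the keytool commands above for steps 5 and 6.

```shell
#!/bin/sh
# Added example, not from the original page: steps 7 and 8 done with openssl
# against a throwaway CA, plus the checks worth running before step 9.
# Assumptions: openssl in PATH; every path under $WORK is made up for the demo.
# 'openssl x509 -req' stands in for the page's 'openssl ca' so that no CA
# directory layout (index, serial, config) is needed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-chat.domainy.com}"   # the page's example XMPP domain

# Throwaway CA standing in for the /root/ca setup the page assumes exists.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/C=US/ST=New York/L=New York/O=Domainy Inc/CN=ca.domainy.com" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
}

# Stand-in for 'keytool -genkey' + 'keytool -certreq' (steps 5 and 6), used so
# the demo runs without a JRE. On a real server use the keytool commands above.
make_csr() {  # $1 = csr output path
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=New York/L=New York/O=Domainy Inc/CN=$DOMAIN" \
        -keyout "$WORK/server.key" -out "$1" 2>/dev/null
}

# Step 7: sign the CSR. The extension file gives the names an XMPP client
# checks (RFC 6120): a dNSName and an id-on-xmppAddr otherName
# (OID 1.3.6.1.5.5.7.8.5) for the XMPP domain, plus server-cert key usage.
sign_csr() {  # $1 = csr path, $2 = signed cert output path
    cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$DOMAIN,otherName:1.3.6.1.5.5.7.8.5;UTF8:$DOMAIN
EOF
    openssl x509 -req -days 3650 -sha256 -in "$1" \
        -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$2" 2>/dev/null
}

# Step 8 without a text editor: re-encode so only the PEM block is left.
# openssl's PEM reader skips anything before -----BEGIN CERTIFICATE-----.
clean_pem() {  # $1 = input (may carry a text dump in front), $2 = output
    openssl x509 -in "$1" -out "$2"
}

# Checks before step 9: the file is a bare PEM block, it chains to the CA,
# and the CN and dNSName are the XMPP domain clients will connect to.
verify_cert() {  # $1 = cleaned cert path; returns 1 on any failure
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    openssl verify -CAfile "$WORK/ca.cer" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$DOMAIN" || return 1
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$DOMAIN" || return 1
}

# Whole flow; prints the path of the cert that is ready for 'keytool -import'.
demo() {
    make_ca
    make_csr "$WORK/server.csr"
    sign_csr "$WORK/server.csr" "$WORK/server_signed.cer"
    # Reproduce what 'openssl ca' emits: a text dump ahead of the PEM block.
    { openssl x509 -in "$WORK/server_signed.cer" -noout -text
      cat "$WORK/server_signed.cer"; } > "$WORK/server_dumped.cer"
    clean_pem "$WORK/server_dumped.cer" "$WORK/server.cer"
    verify_cert "$WORK/server.cer"
    echo "$WORK/server.cer"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

    Run the script with the argument run; it prints the path of the cleaned certificate, which is the file step 9 feeds to keytool -import under the chat.domainy.com alias. If verify_cert fails, fix the CSR or the extension file before touching the keystore: a certificate whose CN or subjectAltName is not the XMPP domain will import fine and still be rejected by clients.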

    See this thread for questions about the CA cert being listed as Pending Approval, but the signed cert being CA Signed: http://community.igniterealtime.org/message/233817#233817