Import SSL certificate in Openfire running on Windows Server 2008

I am running an Openfire server on Windows Server 2008 and need to import a SSL certificate on the server. The certificate which I need to import is already configured on a domain on IIS. The certificate which I am using is provided by Go Daddy. The first major issue which I have faced while importing is the Private Key and Certificate file not being available separately. The reason behind this is that the private key is not returned to the user while creating a CSR with the IIS. To extract the private key I need to export the certificate and then convert it into PEM format which contains both the private key and the certificate but this solution is not that much useable as I explain below.

I have tried various methods but I have had no success.

First I have tried following the SSL Guide provided by Openfire on the following URL:

http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html

I was able to successfully import a certificate using the above guide. After that I restarted the server and checked the Server certificates in the Openfire Admin Panel but I got the following error:

Unable to access certificate store. The keystore may be corrupt.

Later on I realized that the error was due to the fact that the certificate which I imported did not have private key with it.

Then I did some more research and went through the following post:

http://community.igniterealtime.org/docs/DOC-1243

This guide had a specific step 4a which was relevant to my situation. It informed me to use OpenSSL to convert the PFX file to PEM and then use the import-certificate.jsp page to import the certificate. I provided the relevant information after extracting it from the PEM file but I got the following error:

There was an error one importing private key and signed certificate.

I searched the above error online but did not find anything specific which could pinpoint what the problem is. Right now I have been stuck for the past 1 week on this and have not found anything which could give me an exact answer to where I am going wrong. Any help would be great. Thanks in advance.

Hey Umer Jaffer,

Did you ever get a solution to this problem? I'm having a similar problem with my Openfire server running on Windows 2008. The difference is that I have a wildcard SSL from GeoTrust.

I also followed the community guide to get it imported but I got this error:

There was an error one importing private key and signed certificate. Error message: org.bouncycastle.jce.provider.JCERSAPrivateCrtKey cannot be cast to java.security.KeyPair

It's not my intent to abuse your post, just trying to know if you solved it since it's pretty recent.

Actually the error that you get, I got it when removing the:

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

From both, the private key and the certificate.

I have the same issue with Openfire 3.8.1 on Ubuntu 12.04.2 LTS. Certificate by StartCom.

Hi everyone,

I have solved this puzzle today.

What I had:

  1. A signed certificate, including the private key, exported from an IIS webserver in .pfx format
  2. Default openfire files / keystores (version 3_8_2)

What I needed to get it to work:

  1. The Java Development Kit (Java SE 7u21 JDK), found here: http://www.oracle.com/technetwork/java/javase/downloads/index.html
  2. The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7, found on the same page (needed for very strong certs, maybe not always necessary)

Steps to get it to work:

  1. I took the keytool.exe in C:\Program Files (x86)\Java\jdk1.7.0_21\bin and copied it to openfire\resources\security for easier testing
  2. Replace the default java Cryptography Extension files with the ones from the second download
    (for example in C:\Program Files (x86)\Java\jre7\lib\security)
  3. Find out the certificate alias within the pfx file by executing the following command:
    keytool.exe -list -storetype pkcs12 -keystore "path\to\your\keystore.pfx"
    (You have to enter the export password. The alias usually looks somewhat like this: "le-f4asdf53-e12f-4as2-8901-e7asdfgf86b4")
  4. Execute the following command (in openfire\resources\security) (of course you have to adjust it to your environment):
    keytool.exe -importkeystore -srckeystore "path\to\your\keystore.pfx" -destkeystore "path\to\your\openfire\resources\security\keystore" -srcstoretype pkcs12 -deststoretype JKS -srcstorepass "" -deststorepass "changeit" -srcalias "<certificate alias from step 3>" -destalias "yourdomain.com_rsa" -destkeypass "changeit"

Troubleshooting:

  • Listing the certificates currently in the keystore: keytool.exe -list -keystore keystore
  • Deleting one of them: keytool.exe -delete -keystore keystore -alias blabla.com_rsa

Pitfalls:

  • If you import the certificate/key without the "-destkeypass" argument, the store gets "corrupted" for Openfire, because the store password then does not match the key password within the store (weird!).
  • You cannot use the -destkeypass argument without also knowing the -srcalias, which makes step 3 necessary.
  • Some clients (in my case Jitsi) don't accept the certificate in some modes. Switching the client back from the Windows keystore to the Java keystore helped in my case (Advanced Settings --> TLS Configuration --> Root CA Keystore --> set to Java) (it is the default setting afaik).

I think this is one of the best methods possible.

If it does not work, please reply. Maybe I have forgotten to mention something.

Best Regards,

Jan

Added another pitfall

Got exactly the same error with a new ca-valid cert.

Problem was the format of the private key PEM file:

In the PEM file, I got:

-----BEGIN PRIVATE KEY-----

instead of:

-----BEGIN RSA PRIVATE KEY-----

(different from my old cert, which was perfectly handled by Openfire)

So I had to convert my key file with OpenSSL:

openssl rsa -in privatekey.key -check

and paste the result to openfire.

Cert and intermediate certs go to the next field, in pem format, without any conversion.

That worked for me.
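The two headers differ in structure, not just in name: "BEGIN PRIVATE KEY" is PKCS#8 (a PrivateKeyInfo wrapper holding the algorithm OID and the key as an OCTET STRING), while "BEGIN RSA PRIVATE KEY" is the bare PKCS#1 RSAPrivateKey that the importer in this thread accepted. The script below is an added example, not part of this thread or of Openfire; it splits a PEM bundle such as the one produced by the `openssl pkcs12` conversion from the community guide into the key and certificate fields, and unwraps an unencrypted PKCS#8 RSA key into PKCS#1 with a minimal DER parser. The sample key body it uses is a constructed placeholder, not a real RSA key; run it on your own bundle for real input.

```python
"""Split a PEM bundle for Openfire and convert PKCS#8 -> PKCS#1 (added example, not Openfire code)."""
import base64
import re
import sys

RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def _read_tlv(buf, pos):
    """Minimal DER tag/length/value reader: (tag, value, position after value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def pkcs8_to_pkcs1(p8_der):
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, algorithm AlgorithmIdentifier,
    privateKey OCTET STRING, ... }  ->  the inner RSAPrivateKey DER."""
    tag, seq, _ = _read_tlv(p8_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _version, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, alg, pos = _read_tlv(seq, pos)
    if tag != 0x30 or not alg.startswith(RSA_OID_DER):
        raise ValueError("not an rsaEncryption key (EC/DSA keys have no PKCS#1 form)")
    tag, inner, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("missing privateKey OCTET STRING")
    return inner


def pkcs1_to_pkcs8(p1_der):
    """Inverse wrapper; used here to build the constructed sample input."""
    alg = RSA_OID_DER + b"\x05\x00"                       # { rsaEncryption, NULL }
    alg = b"\x30" + _encode_len(len(alg)) + alg
    body = b"\x02\x01\x00" + alg + b"\x04" + _encode_len(len(p1_der)) + p1_der
    return b"\x30" + _encode_len(len(body)) + body


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def prepare_for_openfire(bundle_text):
    """Return (key_pem in PKCS#1 form, certificate chain PEM) for the two import fields."""
    key_pem, certs = None, []
    for label, der in split_pem(bundle_text):
        if label == "RSA PRIVATE KEY":
            key_pem = to_pem(label, der)                  # already the accepted form
        elif label == "PRIVATE KEY":
            key_pem = to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))
        elif label == "ENCRYPTED PRIVATE KEY":
            raise ValueError("encrypted PKCS#8 key: decrypt it first (openssl pkcs8 -in key -out plain.key)")
        elif label == "CERTIFICATE":
            certs.append(to_pem(label, der))              # leaf + intermediates, unchanged
    if key_pem is None:
        raise ValueError("no private key found in bundle")
    return key_pem, "".join(certs)


# Constructed sample: a placeholder body standing in for a real RSAPrivateKey, plus a
# placeholder certificate, bundled the way `openssl pkcs12 -nodes` would emit them.
SAMPLE_KEY_BODY = b"\x30\x03\x02\x01\x00"
SAMPLE_BUNDLE = to_pem("PRIVATE KEY", pkcs1_to_pkcs8(SAMPLE_KEY_BODY)) + to_pem("CERTIFICATE", b"\x30\x00")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    key, chain = prepare_for_openfire(text)
    print(key)      # paste into the private key field
    print(chain)    # paste into the certificate field
```

Note on the `openssl rsa -in privatekey.key -check` step above: with OpenSSL 1.x that command writes the key in PKCS#1 form, but OpenSSL 3.x writes PKCS#8 ("BEGIN PRIVATE KEY") by default and needs the `-traditional` option to produce "BEGIN RSA PRIVATE KEY"; checking the header of the output before pasting avoids a second round of the same import error.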