I have a SSL certificate generated by StartSSL, however I cannot get openfire to accept my certificate!
I generated a OpenSSL private key, used that to generate a CSR and sent that to the guys at startssl.com. They issued me with a certificate (ssl.crt) and linked to their root (ca.pem) and intermediate (sub.class1.server.ca.pem) certificate.
I tried adding the ssl.crt and my private key to the page at http://server:9090/import-certificate.jsp, however I’m constantly encountering an error stating: “There was an error one importing private key and signed certificate.”
It used to state “Failed to establish chain from reply” but after attempting to store the ca.pem and sub.class1.server.ca.pem files in the truststore at /usr/share/resources/security/truststore (keytool -import -keystore truststore -alias securecert -file /home/username/keys/ca.pem for example), it’s shortened the error message tothe more generic message above.
I’m totally confused as to why this wouldn’t work, any ideas? Cheers…
Nah, I’m still in the same place as when I started. I think I’ve ruined the keystore/truststore files, so am looking at a reinstall anyway. Will still need a hand though. Is there any step-by-step guides?
I’m on the 3.6.4 branch, but might try the latest 3.7.0 trunk when I reinstall. Just trying to get the debian package maker to behave under OSX!
For OpenFire users on Unix/Linux, these are the instructions I spent about 5 hours trying to find out.
1 Open terminal.
2 Go into the root user. (sudo -s/su)
3 change your directory to /resources/security/ (cd /usr/local/openfire/resources/security/)
4 Download Notice to all StartCom subscribers and http://www.startssl.com/certs/sub.class1.server.ca.crt and place them some were it is easy to access, I put mine in the root of my hard drive.
5 Run these commands in your terminal session
6 Restart your openfire server, on mac you go into the system preferences and choose the openfire panel.
7 Visit your servers control panel, http://localhost:9090/, and go into the server settings tab and the Server Certificates menu.
8 Delete the self signed certificates.
9 Click on the import link.
10 Place your key’s password, key, and certificate in the right fields and your done.
Note: it may say “One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key.” Just ignore that, it’ll still work.
Hope this helps someone else, and also me when I need to go through this again.
Mr. Gecko.
There were a few additional things I had to do, however.
If you get an error between Steps 7 and 8, or 8 and 9, do the following:
Log into your server
Go to the Server Manager
Go to Server Properties
Add the following:
xmpp.socket.ssl.active
true
xmpp.socket.ssl.keypass
changeit
xmpp.socket.ssl.keystore
resources/security/keystore
xmpp.socket.ssl.port
5223
xmpp.socket.ssl.storeType
JKS
Once you add those, restart your server. Then go do steps 6+. Once it is able to locate the proper repository/permissions, it will allow you to delete the temp keys, and import your own.
DO NOT import the unencrypted key. Enter your passphrase that StarCom made you enter when encrypting your key. Then paste in the ENCRYPTED key, and your ssl.crt certificate. Once you do that, you can press submit, and all should be fine.
I am leaving this in case it is of value but first try the method in my reply to this post!
I have been having this same issue and it took me all day to finally get it working. I have a digicert wildcard certificate and it has been a huge pain to get it into Openfire. Even though this isn’t StartSSL specific you should be able to modify it to apply to you.
Drop to the command prompt and use keytool to import ALL the intermediate certificates in the chain needed to validate your certificate. In my case there was my certificate, 2 DigiCert certificates then an Entrust Root CA. I had to to import the two DigiCert ones into the keystore.
Don’t try to go to the certificates page since it will just throw an error that one of the keys isn’t a private key. That is why you have to go to the bookmarked import page. Enter your passphrase, existing key and certificate. Mine were the text I used in an Apache install.
If it didn’t work when you submit you should get the red text with the error like couldn’t verify the chain, bad passphrase, etc. If it did work then you will go back to the certificates page which has the private key error. No need to worry, you should see import=success in the URL.
Now that it is there you can clean things up by going back to the command prompt and deleting the intermediate certificates and the default self-signed ones
Restart Openfire again and now the certificates screen should work properly and you will see your CA signed cert.
Massive PITA but I finally got it working. Of course my client of choice is Pidgin which doesn’t use the system root CAs so even though I verified it was getting the correct cert it is still prompting the user to accept since because the stupid Digicert intermediate cert isn’t in Pidgin. I tried leaving the digicert certs in the keystore in the hopes that they would get passed down like my web servers do but it didn’t work.
Hopefully those of you who aren’t using pidgin or have the intermediate certs in your clients will find some value in this.
Wouldn’t you know that I would find the EASY way to do it after I go through all that hassle then write it up for the forums. Here is the link so credit can be given where it is due:
The jist of it is that all you have to do is put the text of you intermediate certs in the cert import box along with the text of your cert. Doesn’t solve my pidgin issue but it makes the process SO much easier.