Installing an SSL cert for openfire

The self-signed SSL certificates generated during the installation of the Openfire XMPP server are sufficient for most purposes, but a certificate signed by a commercial or internal private CA provides greater flexibility, for example for web applications that use Openfire’s BOSH service.

SPECIAL NOTES:

1. This procedure was successfully tested on Openfire 3.10.0 Beta with Oracle’s Java SE (both 1.8.0_31 and 1.7.0_75). When tried with the open source OpenJDK 1.8.0_31, HTTPS connections would fail with a reset error. This may be due to a dependency on some proprietary feature in Oracle’s distribution. Under Openfire 3.9.3, attempts to import a new key and cert would result in the error message, “There was an error one importing private key and signed certificate. Error message: Failed to establish chain from reply”. This could be due to deprecated code in the older Bouncycastle crypto libraries that ship with 3.9.3.

2. A bug continues to persist in Igniterealtime’s Spark client that prevents it from connecting if the certificate for a server changes. Once Spark connects to an Openfire server that uses a self-signed certificate, it cannot later be used to connect to the same server after a public cert is imported. This appears to be a problem with cert management by Spark. Although I’ve looked, I have yet to determine where Spark stores accepted certificates.

To begin, add the following properties and values to the System Properties page. When saving make sure the “Do not encrypt” radio button is selected.

xmpp.socket.ssl.storeType: JKS
xmpp.socket.ssl.keystore: resources/security/keystore

The keystore location is relative to $OPENFIRE_HOME, not the full path (e.g. /usr/local/openfire…). Restart openfire after making this change.

Next, your CA’s root and any intermediate certificates need to be added to Openfire’s truststore ($OPENFIRE_HOME/resources/security/truststore). This can be done using the Java keytool, or a graphical editor like keystore-explorer. Restart openfire when finished.
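The truststore step with keytool, as an added example that is not code from the original post: it imports a CA root (and any intermediates) into Openfire’s truststore, skips aliases that are already present so it can be re-run safely, and confirms the result. It assumes the truststore password is Openfire’s default “changeit” (override with STOREPASS) and derives each alias from the certificate file name; those choices are this example’s, not the post’s.

```shell
#!/bin/sh
# Added example, not code from the original post: import a CA root (and any
# intermediates) into Openfire's truststore with keytool, skipping aliases
# that are already present, and confirm the result. Assumptions: the
# truststore password is Openfire's default "changeit" (override with
# STOREPASS), and the alias is derived from the certificate file name.
set -eu

STOREPASS=${STOREPASS:-changeit}

# truststore_has_alias STORE PASS ALIAS: true if ALIAS exists in STORE
# (keytool -list exits non-zero for a missing alias or a missing store)
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# import_ca_cert STORE PASS ALIAS FILE: add the PEM or DER certificate in
# FILE to STORE under ALIAS, creating a JKS store if none exists; idempotent
import_ca_cert() {
    store=$1; pass=$2; name=$3; file=$4
    if truststore_has_alias "$store" "$pass" "$name"; then
        echo "alias '$name' already in $store, skipping"
        return 0
    fi
    keytool -importcert -trustcacerts -noprompt -storetype JKS \
        -keystore "$store" -storepass "$pass" -alias "$name" -file "$file" \
        >/dev/null 2>&1
    echo "imported $file as '$name' into $store"
}

# alias_for FILE: lower-case file name without its extension,
# e.g. /tmp/CA-Root.crt -> ca-root
alias_for() {
    basename "$1" | sed 's/\.[^.]*$//' | tr 'A-Z' 'a-z'
}

# stand-alone use (paths constructed for this example):
#   OPENFIRE_HOME=/opt/openfire sh import_ca.sh root.crt intermediate.crt
if [ -n "${OPENFIRE_HOME:-}" ] && [ "$#" -gt 0 ]; then
    store="$OPENFIRE_HOME/resources/security/truststore"
    for f in "$@"; do
        import_ca_cert "$store" "$STOREPASS" "$(alias_for "$f")" "$f"
    done
    # show what the truststore now holds; restart Openfire afterwards
    keytool -list -keystore "$store" -storepass "$STOREPASS"
fi
```

Import the root first and then each intermediate, so keytool can build the chain for the intermediates from what is already in the store. Restart Openfire after the import, as the post says.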

Once that is done, create an RSA private key and an X.509 certificate signing request (CSR):

openssl req -nodes -new -sha256 -keyout chat.example.com.key -out chat.example.com.req

When replying to the prompts, be sure to include (or omit) a challenge password for the request, as required by your CA.

With the request generated, use your CA’s submission mechanism to obtain a signed certificate. If using your own internal CA, this could be done as follows:

openssl ca -out chat.example.com.crt -in chat.example.com.req

Armed with the signed cert, sign in to Openfire’s admin console and go to Server Settings… Server Certificates, then click on the link to import your new certificate and key.

Before importing the key, it needs to be converted to traditional RSA PEM format. To do that, run the following against the key file (not the certificate):

openssl rsa -in chat.example.com.key -out chat.example.com.rsakey
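The key, CSR, signing and conversion steps above, run end to end with the checks worth doing before pasting anything into the import page. This is an added example, not code from the original post: it uses a throwaway self-signed test CA made with “openssl req -x509” and signs the CSR with “openssl x509 -req”, where the post uses “openssl ca” against a real CA; names, subjects and paths are constructed for the example. It also handles the case the post does not mention: on OpenSSL 3 “openssl rsa” emits PKCS#8 unless “-traditional” is given, so the conversion tries that flag first.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway test CA,
# issues a certificate for chat.example.com, converts the private key to the
# traditional RSA PEM form, and runs the checks worth doing before pasting
# anything into Openfire's import page. Assumptions: the CA is a self-signed
# test CA made with "openssl req -x509" and the CSR is signed with
# "openssl x509 -req" (the post uses "openssl ca" against a real CA);
# names, subjects and paths are constructed for this example.
set -eu

# build_test_pki DIR: create ca.key/ca.crt, then the server key, CSR,
# signed certificate and RSA-formatted key inside DIR
build_test_pki() {
    dir=$1
    # throwaway CA; the default openssl.cnf marks it CA:TRUE
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # server key and CSR (-subj stands in for the interactive prompts)
    openssl req -nodes -new -newkey rsa:2048 -sha256 \
        -subj "/CN=chat.example.com" \
        -keyout "$dir/chat.example.com.key" \
        -out "$dir/chat.example.com.req" 2>/dev/null
    # sign the CSR; a SAN is added because clients match on it, not the CN
    printf 'subjectAltName=DNS:chat.example.com\n' > "$dir/san.ext"
    openssl x509 -req -sha256 -days 1 -in "$dir/chat.example.com.req" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/chat.example.com.crt" 2>/dev/null
    # convert the key to "BEGIN RSA PRIVATE KEY" PEM: OpenSSL 3 needs
    # -traditional, older releases reject that flag but emit it by default
    openssl rsa -traditional -in "$dir/chat.example.com.key" \
        -out "$dir/chat.example.com.rsakey" 2>/dev/null ||
    openssl rsa -in "$dir/chat.example.com.key" \
        -out "$dir/chat.example.com.rsakey" 2>/dev/null
}

# key_is_traditional_rsa FILE: true if the PEM header is the RSA one
key_is_traditional_rsa() {
    head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# cert_matches_key CRT KEY: true if the certificate's public modulus equals
# the key's, i.e. you are about to paste a matching pair
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# chain_verifies CAFILE CRT: true if the cert chains to CAFILE, which is
# what the truststore import has to cover
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_names_host CRT HOST: true if HOST appears in the subject or a SAN
cert_names_host() {
    openssl x509 -noout -text -in "$1" | grep -q "$2"
}

# stand-alone run: build everything in a temp dir and report each check
WORK=$(mktemp -d)
build_test_pki "$WORK"
key_is_traditional_rsa "$WORK/chat.example.com.rsakey" && echo "key: traditional RSA PEM header"
cert_matches_key "$WORK/chat.example.com.crt" "$WORK/chat.example.com.rsakey" && echo "cert/key: modulus matches"
chain_verifies "$WORK/ca.crt" "$WORK/chat.example.com.crt" && echo "chain: verifies against ca.crt"
cert_names_host "$WORK/chat.example.com.crt" chat.example.com && echo "name: chat.example.com present"
echo "files left in $WORK for inspection"
```

With a real CA, replace build_test_pki’s signing line with your CA’s submission step and keep the four checks: a key and certificate that pass them will import cleanly, and a chain that fails chain_verifies against the certificates you put in the truststore is the usual cause of the “Failed to establish chain from reply” message quoted in the notes.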

Be sure to put the key password in the first window (if the key does not have a password, type a few characters of text there anyway). Then copy the text from the key and cert files, including the BEGIN and END tags, into the appropriate windows. Finally, hit the Save button to complete the import.

Once the key and cert are imported Openfire’s web server will restart. After signing back into the console, go back to the certificate page and delete the old self-signed certs. The web server will restart once more and the new CA signed cert will now be effective.

This entry was posted in Security, System Administration.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).