Openfire: use your 3rd-party, signed SSL cert

PLEASE LET ME KNOW IF YOU HAVE FIXES FOR THIS WITH LATEST VERSIONS
  1. default keytool password is "changeit"
    1. use it for all password prompts
    2. works 99%
    3. if it doesn't work, ask around, poke around
  2. Get keytool command in your PATH
  3. Use Openfire's web interface to "generate self-signed certificates"
    1. NOTE: "import a signed certificate and its private key"
      1. broken
        1. says certs were loaded in green, but shows no result in "Server Certificates" list
      2. whole reason for this post
  4. find existing keystores on your chat server
    1. nice updatedb
    2. locate keystore
    3. locate truststore
    4. here, we'll assume /opt/openfire/resources/security
  5. list the "domain" Openfire used for the "generate self-signed certificates" action above
    1. keytool -list -v -keystore /opt/openfire/resources/security/keystore | grep rsa
      1. e.g.: Alias name: my.domain.com_rsa
    2. remember this for a later step
  6. load your CAs root cert into the truststore
    1. first, see if it is there
      1. keytool -list -v -keystore /opt/openfire/resources/security/truststore | grep "Issuer:"
    2. if not, download it from your CA, and
      1. keytool -import -alias myCAsRootCertAlias -file myCAsRootCert.crt -keystore /opt/openfire/resources/security/truststore
      2. verify
  7. create a p12 with your key, cert and CA's cert
    1. openssl pkcs12 -export -in myCert.crt -inkey myKey.key -out myP12.p12 -name my.domain.com_rsa -CAfile myCAsCert.crt -caname root
  8. dump it to a new keystore
    1. keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore mykeystore -srckeystore myP12.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias my.domain.com_rsa
  9. cp -v /opt/openfire/resources/security/keystore /opt/openfire/resources/security/keystore_2013xxyy
  10. cp -v mykeystore /opt/openfire/resources/security/keystore
  11. restart openfire

Comments

Popular posts from this blog

Openvpn and unbound combined break dig command

Stress Linux system: stress-ng

Google Nexus 4: permanent back panel glass repair for less than a penny