- default keytool password is "changeit"
  - use it for all password prompts
  - works 99% of the time
  - if it doesn't work, ask around, poke around
- get the keytool command in your PATH
- use Openfire's web interface to "generate self-signed certificates"
  - NOTE: "import a signed certificate and its private key"
    - broken
    - says certs were loaded in green, but shows no result in "Server Certificates" list
    - whole reason for this post
- find existing keystores on your chat server
  - nice updatedb
  - locate keystore
  - locate truststore
  - here, we'll assume /opt/openfire/resources/security
- list the "domain" Openfire used for the "generate self-signed certificates" action above
  - keytool -list -v -keystore /opt/openfire/resources/security/keystore | grep rsa
  - e.g.: Alias name: my.domain.com_rsa
  - remember this alias for a later step
- load your CA's root cert into the truststore
  - first, see if it is there
    - keytool -list -v -keystore /opt/openfire/resources/security/truststore | grep "Issuer:"
  - if not, download it from your CA, and
    - keytool -import -alias myCAsRootCertAlias -file myCAsRootCert.crt -keystore /opt/openfire/resources/security/truststore
  - verify
- create a p12 with your key, cert and CA's cert
  - openssl pkcs12 -export -in myCert.crt -inkey myKey.key -out myP12.p12 -name my.domain.com_rsa -CAfile myCAsCert.crt -caname root
  - -name is the alias remembered from the earlier step
  - give "changeit" at the export password prompt; the next step passes it as -srcstorepass
- dump it to a new keystore
  - keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore mykeystore -srckeystore myP12.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias my.domain.com_rsa
- back up the existing keystore, then put the new one in its place
  - cp -v /opt/openfire/resources/security/keystore /opt/openfire/resources/security/keystore_2013xxyy
  - cp -v mykeystore /opt/openfire/resources/security/keystore
- restart openfire
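
A pre-flight check to run on the key, cert and CA files before the "create a p12" step, added here as an example and not part of the original post. It assumes openssl is in your PATH, an unencrypted private key, and that the alias is the domain followed by _rsa as in the listing above; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: checks to run before the "create a p12" step.
# File names and the alias are the placeholders used in the steps above.

# Succeeds only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # Guard against two empty strings comparing equal.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate ($1) verifies against the CA file ($2).
chain_ok() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || return 1
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Succeeds only if the certificate ($1) is valid for the domain in the
# Openfire alias ($2), assuming the alias is "<domain>_rsa" as listed above.
cert_covers_alias() {
    domain=${2%_rsa}
    openssl x509 -in "$1" -noout -checkhost "$domain" 2>/dev/null |
        grep -q "does match certificate"
}

# Run all three checks; print each failure and return non-zero on any.
preflight() {   # args: cert key cafile alias
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    chain_ok "$1" "$3" || { echo "FAIL: $1 does not verify against $3"; rc=1; }
    cert_covers_alias "$1" "$4" || { echo "FAIL: $1 does not cover ${4%_rsa}"; rc=1; }
    return $rc
}

# Usage with the names from the steps above:
#   preflight myCert.crt myKey.key myCAsCert.crt my.domain.com_rsa && echo OK
```

A mismatched key or a cert that does not chain to the CA file is reported here, before anything is written into the keystore Openfire reads.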
Friday, 3 May 2013
Openfire: use your 3rd-party, signed SSL cert