Sunday, July 31, 2016

Installing a Signed SSL Certificate For Openfire 4 on CentOS


Openfire is a real-time collaboration application server written in Java.

Checking Installed Certificates

To check for the installed certificates, run the following command:
/opt/openfire/jre/bin/keytool -list -v -keystore /opt/openfire/resources/security/keystore

The default password is changeit

Working in Keystore Directory

Change to the directory that contains the keystore file.
cd /opt/openfire/resources/security

Generate a Private Key

keytool -genkey -alias yourhost.com -keysize 2048 -keyalg RSA -keystore keystore
where yourhost.com is the hostname that you will be accessing the server from (example: or

Generate a 2048 bit CSR

keytool -certreq -file sslcert -alias yourhost.com -keysize 2048 -keyalg RSA -keystore keystore

Submit the CSR to the CA

Use the following command to open the CSR:
vi sslcert
Copy the content (called the CSR) and submit it to the CA (for example GoDaddy, Thawte, Verisign...) so that it can verify the CSR and sign the SSL certificate.

Upload the Certificates

After the CA approves and signs your SSL certificate, download the certificates. You should have the signed certificate as well as the root CA and trust CA certificates.
Open the certificates you have downloaded from the CA in a text editor (like notepad or gedit).
On the server, create the signed cert, root cert and trustCA cert files and paste in the content from the text editor:
vi rootCert
vi trustCert
vi signedCert

Import the SSLs in the following order:

keytool -import -trustcacerts -alias root -file rootCert -keystore keystore

keytool -import -trustcacerts -alias root_ca -file trustCert -keystore keystore

keytool -import -keystore keystore -alias yourhost.com -file signedCert

Delete the default old certs:

keytool -delete -keystore keystore -alias yourhost.com_rsa
keytool -delete -keystore keystore -alias yourhost.com_dsa

Restart Openfire for the changes to take effect:

service openfire restart
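
To confirm that the signed certificate really replaced the self-signed one, the listing from the first step can be checked mechanically. The script below is an added example, not part of the original post: it assumes English keytool output and the alias yourhost.com, and the two sample listings are constructed and abbreviated.

```shell
# check_listing ALIAS: reads `keytool -list -v` output on stdin.
# Returns 0 only if ALIAS is a PrivateKeyEntry whose chain holds at least 2
# certificates (CA reply installed) and no default *_rsa / *_dsa entries remain.
check_listing() {
    awk -v want="$1" '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Entry type: /               { type[alias] = $3 }
        /^Certificate chain length: / { chain[alias] = $4 }
        END {
            bad = 0
            if (type[want] != "PrivateKeyEntry") {
                print "FAIL: " want " is not a PrivateKeyEntry"; bad = 1
            } else if (chain[want] < 2) {
                print "FAIL: " want " is still self-signed, chain length " chain[want]; bad = 1
            }
            for (a in type)
                if (a ~ /_(rsa|dsa)$/) { print "FAIL: default entry remains: " a; bad = 1 }
            if (!bad) print "OK: " want " has chain length " chain[want]
            exit bad
        }'
}

# Constructed sample: listing taken before the signed certificate is imported.
sample_before() { cat <<'EOF'
Alias name: yourhost.com_rsa
Entry type: PrivateKeyEntry
Certificate chain length: 1
Alias name: yourhost.com
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

# Constructed sample: listing after the imports and the two deletes.
sample_after() { cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Alias name: root_ca
Entry type: trustedCertEntry
Alias name: yourhost.com
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# On the server: keytool -list -v -keystore keystore | check_listing yourhost.com
sample_after | check_listing yourhost.com
```

A chain length of 1 on the private key entry means keytool still holds only the self-signed certificate, so clients would not be offered the CA-issued chain.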