Sunday, July 31, 2016

Installing a Signed SSL Certificate For Openfire 4 on CentOS


Openfire is a real-time collaboration application server written in Java.

Checking Installed Certificates

To check for the installed certificates, run the following command:
/opt/openfire/jre/bin/keytool -list -v -keystore /opt/openfire/resources/security/keystore


The default keystore password is changeit

Working in Keystore Directory

Change to the directory that holds the keystore file (the commands below refer to it by the relative name keystore).
cd /opt/openfire/resources/security


Generate a Private Key

keytool -genkey -alias yourhostname.com -keysize 2048 -keyalg RSA -keystore keystore
where yourhostname.com is the hostname that clients will use to reach the server (for example example.com). Use the same alias in every keytool command that follows.

Generate a 2048 bit CSR

keytool -certreq -file sslcert -alias yourhostname.com -keystore keystore
(-certreq takes no -keysize or -keyalg options; the CSR is built from the 2048-bit RSA key generated under that alias)


Submit the CSR to the CA

Use the following command to open the CSR:
vi sslcert
Copy the content (this is the CSR) and submit it to a CA (for example GoDaddy, Thawte or Verisign) so it can verify the request and sign the certificate.

Upload the Certificates

After the CA approves and signs your request, download the certificates; you should have the signed certificate as well as the root CA and trust CA certificates.
Open the certificates you downloaded from the CA in a text editor (such as Notepad or gedit).
On the server, create a file each for the root cert, trust CA cert and signed cert, and paste in the content from the text editor:
vi rootCert
vi trustCert
vi signedCert

Import the certificates in the following order (the signed certificate must be imported under the same alias as the private key, otherwise it is stored as a separate trusted entry instead of completing the key's chain):


keytool -import -trustcacerts -alias root -file rootCert -keystore keystore

keytool -import -trustcacerts -alias root_ca -file trustCert -keystore keystore

keytool -import -keystore keystore -alias yourhostname.com -file signedCert


Delete the default self-signed certificates that Openfire created (their aliases are the hostname with an _rsa and _dsa suffix):

keytool -delete -keystore keystore -alias yourhostname.com_rsa
keytool -delete -keystore keystore -alias yourhostname.com_dsa


Restart Openfire for the changes to take effect:

service openfire restart
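To confirm the keystore ended up in the state the steps above aim for (a PrivateKeyEntry for the hostname carrying a CA chain and an unexpired leaf certificate, with the default _rsa/_dsa entries gone), here is an added check that is not part of the original post: it parses the output of keytool -list -v and reports anything that deviates. The embedded listing is a constructed sample trimmed to the lines the checker reads, and the alias yourhostname.com is the placeholder from the post.

```python
import re
from datetime import datetime
# Constructed sample of `keytool -list -v` output: the signed host entry plus a default _dsa entry not yet deleted.
SAMPLE_LISTING = """\
Alias name: yourhostname.com
Entry type: PrivateKeyEntry
Certificate chain length: 3
Owner: CN=yourhostname.com, O=Example Org, C=US
Valid from: Sun Jul 31 00:00:00 UTC 2016 until: Mon Jul 31 23:59:59 UTC 2017
Alias name: yourhostname.com_dsa
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=yourhostname.com
Valid from: Sat Jul 30 00:00:00 UTC 2016 until: Sun Jul 30 00:00:00 UTC 2017
"""
UNTIL = r"until: (\w{3} \w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\d{4})"  # drops the zone name keytool prints

def parse_listing(text):
    """Map each alias to its entry type, chain length, leaf CN and leaf expiry."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, _, body = block.partition("\n")
        grab = lambda pat: re.search(pat, body, re.M)  # first match = Certificate[1], the leaf
        chain, until = grab(r"^Certificate chain length: (\d+)"), grab(UNTIL)
        entries[alias.strip()] = {
            "type": grab(r"^Entry type: (\S+)").group(1),
            "chain": int(chain.group(1)) if chain else 1,  # trustedCertEntry prints no chain line
            "cn": grab(r"^Owner: CN=([^,\n]+)").group(1).strip(),
            "until": datetime.strptime(" ".join(until.groups()), "%a %b %d %H:%M:%S %Y"),
        }
    return entries

def check_keystore(text, hostname, now):
    """Return findings; an empty list means the keystore matches the end state of the post."""
    entries, findings = parse_listing(text), []
    host = entries.get(hostname)
    if host is None or host["type"] != "PrivateKeyEntry":
        findings.append("no PrivateKeyEntry for alias %s" % hostname)
    else:
        if host["chain"] < 2:  # signed cert was not imported under the key's own alias
            findings.append("alias %s carries no CA chain (length %d)" % (hostname, host["chain"]))
        if host["cn"] != hostname:
            findings.append("leaf CN %s does not match %s" % (host["cn"], hostname))
        if host["until"] <= now:
            findings.append("certificate for %s expired on %s" % (hostname, host["until"].date()))
    for stale in (hostname + "_rsa", hostname + "_dsa"):  # Openfire's default self-signed entries
        if stale in entries:
            findings.append("default self-signed alias %s still present" % stale)
    return findings
```

On the server, feed the real listing in with something like keytool -list -v -keystore keystore | python3 -c 'import sys, check; ...' or call check_keystore(sys.stdin.read(), "yourhostname.com", datetime.utcnow()) from a small wrapper; an empty result means the import and cleanup steps took effect.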