Installing a Signed SSL Certificate For Openfire 4 on CentOS

Openfire is a real-time collaboration application server written in Java.

Checking Installed Certificates

To check for the installed certificates, run the following command:

/opt/openfire/jre/bin/keytool -list -v -keystore /opt/openfire/resources/security/keystore

The default keystore password is changeit.

Working in Keystore Directory

Change to the directory that contains the keystore file:
cd /opt/openfire/resources/security

Generate a Private Key

keytool -genkey -alias yourhostname.com -keysize 2048 -keyalg RSA -keystore keystore

where yourhostname.com is the hostname that you will use to access the server (for example, example.com).

Generate a 2048 bit CSR

keytool -certreq -file sslcert -alias yourhostname.com -keysize 2048 -keyalg RSA -keystore keystore

Submit the CSR to the CA

Use the following command to open the CSR:
vi sslcert
Copy the content (the CSR) and submit it to the CA (for example GoDaddy, Thawte, Verisign…), which verifies the CSR and signs the certificate.

Upload the Certificates

After the CA approves and signs your certificate, download the certificates. You should have the signed certificate as well as the root CA and trust CA certificates.
Open the certificates you downloaded from the CA in a text editor (such as Notepad or gedit).
On the server, create the root cert, trust CA cert and signed cert files and paste in the content from the text editor:
vi rootCert
vi trustCert
vi signedCert

Import the certificates in the following order. The signed certificate goes in last, under the same alias that was used to generate the private key:

keytool -import -trustcacerts -alias root -file rootCert -keystore keystore

keytool -import -trustcacerts -alias root_ca -file trustCert -keystore keystore

keytool -import -keystore keystore -alias yourhostname.com -file signedCert

Delete the default old certs:

keytool -delete -keystore keystore -alias yourhostname.com_rsa
keytool -delete -keystore keystore -alias yourhostname.com_dsa

Restart Openfire for the changes to take effect:

service openfire restart
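
To confirm the import produced a key entry with a CA-signed chain rather than a trusted-cert entry or a leftover self-signed default, the keystore listing can be checked mechanically. The script below is an added example, not part of the original tutorial; check_entry and sample_listing are hypothetical helper names, the listing is constructed, and English-locale keytool output is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Reads English `keytool -list -v`
# output on stdin and classifies one alias:
#   ok | self-signed | not-a-key-entry | missing
check_entry() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13); next }
        cur != want                   { next }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { len = $4 + 0 }
        /^Owner: /  && owner == ""    { owner = substr($0, 8) }
        /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
        END {
            if (type == "")                      print "missing"
            else if (type != "PrivateKeyEntry")  print "not-a-key-entry"
            else if (len < 2 && owner == issuer) print "self-signed"
            else                                 print "ok"
        }'
}

# Constructed sample listing (names and dates are made up for illustration).
sample_listing() {
    cat <<'EOF'
Alias name: root
Creation date: Jan 1, 2017
Entry type: trustedCertEntry

Owner: CN=Constructed Root CA
Issuer: CN=Constructed Root CA

Alias name: yourhostname.com
Creation date: Jan 1, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=yourhostname.com
Issuer: CN=Constructed Intermediate CA

Alias name: yourhostname.com_rsa
Creation date: Jan 1, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=yourhostname.com
Issuer: CN=yourhostname.com
EOF
}

# Real keystore: keytool -list -v -keystore keystore | check_entry yourhostname.com
sample_listing | check_entry yourhostname.com
```

A result of not-a-key-entry for the host alias means the signed certificate was imported under a different alias than the private key.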
