Configure TLS for client authentication


Not ready for prime time on Windows yet? http://lists.jitsi.org/pipermail/users/2013-November/005629.html

1) Change the password to the `truststore` on the openfire server:

/opt/openfire/jre/bin/keytool -storepass changeit -storepasswd -keystore /opt/openfire/resources/security/truststore
#enter a new password

/opt/openfire/resources/security/truststore
This key store contains the private/public key pair used for TLS user authentication.
Each domain name/common name is stored as an alias within the keystore.

2) Find a client that supports client authentication using certificates (here are a few: jitsi, pidgin, swift, gajim).

3) Import the CA public certificate into the `keystore`:

on linux:

#copy the CA public certificate to your openfire server
#import it
/opt/openfire/jre/bin/keytool -trustcacerts -import -keystore /opt/openfire/resources/security/truststore -file CA.cer -alias ca.domainy.com

on windows:

#copy the CA public certificate to your openfire server
#import it
"C:\Program Files\Java\jre7\bin\keytool.EXE" -trustcacerts -import -keystore %homedrive%%HOMEPATH%\.jitsi.keytool -file CA.cer -alias ca.domainy.com

4) Generate a keystore and an RSA keypair for the client on the client:

Here is an example on linux:

#the alias must match the one used in the -certreq and -import steps below
/opt/openfire/jre/bin/keytool -genkey -keystore ~/.jitsi.keytool -keyalg RSA -keysize 4096 -alias jitsiuser_dummy_chat_domainy -dname 'CN=dummy@chat.domainy.com'

Here is an example on windows:

"C:\Program Files\Java\jre7\bin\keytool.EXE" -genkey -keystore %homedrive%%HOMEPATH%\.jitsi.keytool -keyalg RSA -keysize 4096 -alias jitsiuser_dummy_chat_domainy -dname "CN=dummy@chat.domainy.com" 

5) Create the certificate signing request (CSR) for the RSA key pair to be signed by your CA:

On linux:

/opt/openfire/jre/bin/keytool -certreq -keystore ~/.jitsi.keytool -alias jitsiuser_dummy_chat_domainy -file jitsiuser_dummy_chat_domainy.csr
#enter the password for the `keystore` you had reset earlier.
#enter the passphrase for the private key you just generated.

On windows:

"C:\Program Files\Java\jre7\bin\keytool.EXE" -certreq -keystore %homedrive%%HOMEPATH%\.jitsi.keytool -alias jitsiuser_dummy_chat_domainy -file jitsiuser_dummy_chat_domainy.csr

6) Get the certificate signed, or sign it with your own CA.

Here is a method for signing with an openssl driven CA:

#copy jitsiuser_dummy_chat_domainy.csr to /root/ on your CA
scp jitsiuser_dummy_chat_domainy.csr root@certauthserver:/root/
#logon to your CA
#this command invocation creates a cert that will expire in 10 years:
openssl ca -policy policy_anything -days 3650 -extfile /root/ca/opensslx509.conf -out /root/ca/certs/jitsiuser_dummy_chat_domainy.cer -in /root/jitsiuser_dummy_chat_domainy.csr
chmod 600 /root/ca/certs/jitsiuser_dummy_chat_domainy.cer
#copy /root/ca/certs/jitsiuser_dummy_chat_domainy.cer to the openfire server
scp /root/ca/certs/jitsiuser_dummy_chat_domainy.cer root@chat:/root/

7) Copy the public signed certificate to the client and import into `.jitsi.keytool`:

on linux:

/opt/openfire/jre/bin/keytool -import -keystore ~/.jitsi.keytool -alias jitsiuser_dummy_chat_domainy -file /root/jitsiuser_dummy_chat_domainy.cer

on windows:

"C:\Program Files\Java\jre7\bin\keytool.EXE" -import -keystore %homedrive%%HOMEPATH%\.jitsi.keytool -alias jitsiuser_dummy_chat_domainy -file jitsiuser_dummy_chat_domainy.cer
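Before importing the signed certificate in step 7 it is worth confirming that it really chains to your CA, carries the key from your CSR, and names the expected user. The script below is an added example (not part of the original post); it assumes openssl is on the PATH and that CA.cer, the .csr and the .cer are PEM files as produced by keytool and `openssl ca` above. make_demo_pki builds a throwaway CA and client certificate purely so the check can be exercised offline.

```shell
#!/bin/sh
# check_client_cert CA.cer client.csr client.cer "CN=dummy@chat.domainy.com"
# Returns 0 only when every check passes; prints the first failing check.
check_client_cert() {
    ca=$1; csr=$2; cer=$3; want_subject=$4
    # 1. Chain: the cert must verify against this CA specifically.
    openssl verify -CAfile "$ca" "$cer" >/dev/null 2>&1 \
        || { echo "chain: $cer is not signed by $ca"; return 1; }
    # 2. Key binding: the public key in the cert must equal the CSR's key,
    #    otherwise keytool will refuse to pair it with the private key.
    csr_key=$(openssl req -in "$csr" -pubkey -noout | openssl sha256)
    cer_key=$(openssl x509 -in "$cer" -pubkey -noout | openssl sha256)
    [ "$csr_key" = "$cer_key" ] || { echo "key: cert does not match CSR"; return 1; }
    # 3. Identity: the subject is what the server maps to the XMPP user.
    subject=$(openssl x509 -in "$cer" -noout -subject -nameopt RFC2253 \
              | sed 's/^subject= *//')
    [ "$subject" = "$want_subject" ] \
        || { echo "subject: got '$subject', want '$want_subject'"; return 1; }
    # 4. Usage: a client certificate must never be a CA itself
    #    (-ext needs OpenSSL 1.1.1+; older versions simply skip this check).
    if openssl x509 -in "$cer" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "basicConstraints: CA:TRUE on a client cert"; return 1
    fi
    return 0
}

# make_demo_pki DIR: constructed, throwaway material standing in for steps 4-6
# (a CA, a client CSR, the CA-signed cert, and the same CSR signed by an
# unrelated CA that the check must reject). Not the post's real CA setup.
make_demo_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/CA.cer" \
        -subj "/CN=ca.domainy.com" -days 365 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/CN=dummy@chat.domainy.com" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/CA.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -days 3650 -out "$d/client.cer" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rogue.key" -out "$d/rogue.cer" \
        -subj "/CN=rogue" -days 365 >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/rogue.cer" -CAkey "$d/rogue.key" \
        -CAcreateserial -days 3650 -out "$d/client-rogue.cer" >/dev/null 2>&1
}
```

Run it against your real files as `check_client_cert CA.cer jitsiuser_dummy_chat_domainy.csr jitsiuser_dummy_chat_domainy.cer "CN=dummy@chat.domainy.com"` before the keytool -import in step 7.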