Configure TLS for XMPP session encapsulation

1) Go to Server Manager\System Properties\xmpp.domain and enter the full servername. In this example I’ll be using

2) Go to Server Manager\Server Certificates: delete both listed certificates and restart the HTTP server (which deletes them from the openfire config not the java `keystore`).

3) On the Openfire server, change the password to the `keystore` on the openfire server:

/opt/openfire/jre/bin/keytool -storepass changeit -storepasswd -keystore /opt/openfire/resources/security/keystore
#enter a new password

Notes about /opt/openfire/resources/security/keystore:
This key store contains private/public key pair used for the admin console, XMPP and SIP TLS.
Each domain name/common name is stored as an alias within the keystore.

4) Import the CA public certificate into the `keystore`:

#copy the CA public certificate to your openfire server
#import it
/opt/openfire/jre/bin/keytool -trustcacerts -import -keystore /opt/openfire/resources/security/keystore -file CA.cer -alias

5) Generate an RSA key pair that will be used to secure TLS channel to clients:

/opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias 
#note what you are entering must match the CA:
# First and last name: [Enter the name that you entered previously as the domain.  Seems weird, but it is required.]
# OU: . [as in a dot, this is okay, or you can add something else]
# Organization: [name of your organization used in the CA]
# City: [name of the city used in the CA]
# State/Province: [name of the state/province used in the CA]
# Country Code: [two letter country code used in your CA]
# accept with yes
# enter a passphrase to protect the private key
## or simply [all must match CA]
# /opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias -dname ",O=Domainy\, Inc.,L=New York,ST=New York,C=US"

6) Create the certificate signing request (CSR) for the RSA key pair to be signed by your CA:

/opt/openfire/jre/bin/keytool -certreq -keystore /opt/openfire/resources/security/keystore -alias -file chat_domainy_com.csr
#enter the password for the `keystore` ou had reset earlier.
#enter the passphrase for the private key you just generated.

7) Get the certificate signed, or sign it with your own CA.
Here is a method for signing with an openssl driven CA:

#copy chat_domainy_com.csr to /root/ on your CA
scp chat_domainy_com.csr root@certauthserver:/root/
#logon to your CA
#this command invocation creates a cert that will expire in 10 years:
openssl ca -policy policy_anything -days 3650 -extfile /root/ca/opensslx509.conf -out /root/ca/certs/chat_domainy_com.cer -in /root/chat_domainy_com.csr
chmod 600 /root/ca/certs/chat_domainy_com.cer
#copy /root/ca/certs/chat_domainy_com.cer to the openfire server
scp /root/ca/certs/chat_domainy_com.cer root@chat:/root/

8) You must edit the certificate before you import it into the `keystore`, removing everything before “—–BEGIN CERTIFICATE—–“.

9) Copy the public certificate to the openfire server and import into `keystore`:

/opt/openfire/jre/bin/keytool -import -keystore /opt/openfire/resources/security/keystore -alias -file /root/chat_domainy_com.cer

10) Remove the default certificates from `keystore`:

/opt/openfire/jre/bin/keytool -delete -keystore /opt/openfire/resources/security/keystore -alias rsa
/opt/openfire/jre/bin/keytool -delete -keystore /opt/openfire/resources/security/keystore -alias dsa

11) Restart openfire and access the webUI.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: