Configure TLS for XMPP session encapsulation
1) Go to Server Manager\System Properties\xmpp.domain and enter the full servername. In this example I’ll be using chat.domainy.com
2) Go to Server Manager\Server Certificates: delete both listed certificates and restart the HTTP server (this removes them from the Openfire config, not from the Java `keystore`).
3) On the Openfire server, change the password of the `keystore` (the default is changeit):
/opt/openfire/jre/bin/keytool -storepass changeit -storepasswd -keystore /opt/openfire/resources/security/keystore
# you are prompted for the new keystore password
Notes about /opt/openfire/resources/security/keystore:
This keystore contains the private/public key pairs used for the admin console, XMPP and SIP TLS.
Each domain name/common name is stored as an alias within the keystore.
4) Import the CA public certificate into the `keystore`:
# copy the CA public certificate (CA.cer) to your openfire server, then import it:
/opt/openfire/jre/bin/keytool -trustcacerts -import -keystore /opt/openfire/resources/security/keystore -file CA.cer -alias ca.domainy.com
5) Generate an RSA key pair that will be used to secure the TLS channel to clients:
/opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias chat.domainy.com
# note: what you enter must match the CA:
# First and last name: chat.domainy.com [enter the name you entered previously as the domain; seems weird, but it is required]
# OU: . [as in a dot; this is okay, or you can add something else]
# Organization: [name of your organization used in the CA]
# City: [name of the city used in the CA]
# State/Province: [name of the state/province used in the CA]
# Country Code: [two-letter country code used in your CA]
# accept with yes
# enter a passphrase to protect the private key
## or simply pass the distinguished name on the command line [all fields must match the CA]:
/opt/openfire/jre/bin/keytool -genkey -keystore /opt/openfire/resources/security/keystore -keyalg RSA -keysize 4096 -alias chat.domainy.com -dname "CN=chat.domainy.com,O=Domainy\, Inc.,L=New York,ST=New York,C=US"
6) Create the certificate signing request (CSR) for the RSA key pair to be signed by your CA:
/opt/openfire/jre/bin/keytool -certreq -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com -file chat_domainy_com.csr
# enter the password for the `keystore` you reset earlier
# enter the passphrase for the private key you just generated
7) Get the certificate signed, or sign it with your own CA.
Here is a method for signing with an openssl-driven CA:
# copy chat_domainy_com.csr to /root/ on your CA
scp chat_domainy_com.csr root@certauthserver:/root/
# log on to your CA
# this command invocation creates a cert that will expire in 10 years:
openssl ca -policy policy_anything -days 3650 -extfile /root/ca/opensslx509.conf -out /root/ca/certs/chat_domainy_com.cer -in /root/chat_domainy_com.csr
chmod 600 /root/ca/certs/chat_domainy_com.cer
# copy /root/ca/certs/chat_domainy_com.cer to the openfire server
scp /root/ca/certs/chat_domainy_com.cer root@chat:/root/
8) You must edit the certificate before you import it into the `keystore`, removing everything before "-----BEGIN CERTIFICATE-----".
9) Copy the public certificate to the openfire server and import it into the `keystore`:
/opt/openfire/jre/bin/keytool -import -keystore /opt/openfire/resources/security/keystore -alias chat.domainy.com -file /root/chat_domainy_com.cer
10) Remove the default certificates from the `keystore`:
/opt/openfire/jre/bin/keytool -delete -keystore /opt/openfire/resources/security/keystore -alias rsa
/opt/openfire/jre/bin/keytool -delete -keystore /opt/openfire/resources/security/keystore -alias dsa
11) Restart Openfire and access the web UI.
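The following helper script is an added example and is not part of the original guide or of Openfire itself. It covers the two places where this procedure most often goes wrong in practice: step 8, where the human-readable dump that `openssl ca` writes in front of the PEM block makes `keytool -import` fail, and the check after step 11 that the server really presents the CA-signed certificate on the XMPP port. The host name, port 5222, the CA.cer path and the sample certificate file are assumptions or constructed data.

```shell
#!/bin/sh
# Added helper functions (not from the original guide). Assumptions: the signed
# cert is a text file as produced by `openssl ca`, the XMPP client port is 5222,
# and the CA public certificate is available locally as CA.cer.

# Step 8 helper: print only the PEM certificate block(s) from a file such as
# /root/chat_domainy_com.cer. keytool rejects the text dump that precedes
# "-----BEGIN CERTIFICATE-----", so everything outside the armor is dropped.
strip_cert_text() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----$/ { keep = 0 }' "$1"
}

# Succeed only if the file is exactly one PEM certificate with nothing before
# or after it, i.e. it is safe to hand to `keytool -import`.
is_clean_pem() {
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ] &&
    [ "$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1")" -eq 1 ]
}

# Number of certificate blocks in a file (a CA reply may contain a whole chain;
# import each one under its own alias if so).
count_pem_blocks() {
    grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Step 11 check: open an XMPP STARTTLS session the way a client would and show
# the verify result plus the subject actually presented. Needs network access,
# so it is defined here but not called in the demonstration below.
#   usage: check_xmpp_tls chat.domainy.com domainy.com [CA.cer]
check_xmpp_tls() {
    host=$1 domain=$2 cafile=${3:-CA.cer}
    printf '' | openssl s_client -connect "$host:5222" -starttls xmpp \
        -xmpphost "$domain" -CAfile "$cafile" 2>/dev/null |
        grep -E 'subject=|Verify return code'
}

# Constructed demonstration input with the shape of an `openssl ca` output
# file; the base64 body is a placeholder, not a real certificate.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCert==
-----END CERTIFICATE-----
EOF
strip_cert_text "$demo" > "$demo.pem"
is_clean_pem "$demo.pem" && echo "ready for keytool -import: $demo.pem ($(count_pem_blocks "$demo.pem") block)"
```

Run `strip_cert_text /root/chat_domainy_com.cer > /root/chat_domainy_com.pem` on the Openfire server and import the `.pem` file in step 9; after the restart, `check_xmpp_tls chat.domainy.com domainy.com CA.cer` should report `Verify return code: 0 (ok)` with the `subject=` line showing CN=chat.domainy.com. Any other verify code means the keystore still holds a self-signed or mismatched certificate.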