Versions
- This was done on Openfire version 3.10.2
- Running Java 1.7.0_79 Oracle Corporation -- OpenJDK 64-Bit Server VM
- The server is on Digital Ocean running Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-52-generic x86_64)
Steps
1. SSH into the machine where Openfire is running
2. Stop the Openfire service
service openfire stop
3. Create a private key
openssl genrsa -out new.private.key 2048
4. Generate a CSR from the private key you just generated
openssl req -out new.csr -key new.private.key -new
a. Answer the Challenge Questions
- Country Name: Your country, e.g. United States
- State or Province Name: Your state, e.g. AL
- Locality Name: Your city, e.g. Birmingham
- Organization Name: Legal name of your company, e.g. Airship
- Organizational Unit Name: Can be anything - I usually put something like IT
- Common Name: This needs to match the domain the certificate is issued for, e.g. teamairship.com
- Email Address: Your email address
- Challenge Password: Leave Blank
- Optional Company Name: Leave Blank
5. Log in to Godaddy and submit the CSR to them. Once it is approved you will be able to download the certificates.
6. Download the files from Godaddy, choosing the Other option for Server Type.
- Unzip the contents. There will be 2 files in there; the one we need has a hash-like name and ends with .crt — Example: 1f059b012bf01cf.crt
7. Start the Openfire server
service openfire start
8. Open the admin console, go to the server certificates page and choose the import option, or go directly to the URL http://yourdomain:port/import-certificate.jsp
a. Enter the passphrase you used when generating the private key — default is “changeit”
b. In the Content of Private Key file section, enter the contents of new.private.key
- You can get the contents by running
cat new.private.key
c. In the Content of Certificate file section, enter the contents of the signed certificate you got from Godaddy — Example: 1f059b012bf01cf.crt
- You can get the contents by running
cat 1f059b012bf01cf.crt
d. Submit and you should now see your certificate listed
9. Restart the Openfire service
service openfire restart
10. You should now have the new certificate running; you can check by going to https://yourdomain:port and ensuring you can log in.
a. Note: It might still say “One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key.” You can just ignore this, it isn't hurting anything.
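Two checks worth running around steps 8 and 10, as an added example that is not part of the original post: confirm that new.private.key and the Godaddy certificate belong together before pasting them into import-certificate.jsp, and inspect the certificate the server actually presents after the restart. It assumes openssl is installed; the secure admin port 9091 is an assumption, so pass whatever port your console uses.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed.

# Return 0 when the RSA private key and the certificate share the same modulus,
# i.e. the certificate was issued for this key. Openfire will import a
# mismatched pair without complaint, and TLS then fails at connect time.
check_key_matches_cert() {
  key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
  cert_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 2
  [ "$key_mod" = "$cert_mod" ]
}

# Print subject, issuer and validity of a certificate file, so the Common Name
# and expiry can be compared with the domain before importing.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# After `service openfire restart`, show the certificate the server actually
# presents. Port 9091 (Openfire's default secure admin port) is an assumption.
# Needs network access, so the offline demo below does not call it.
served_cert_summary() {
  host="$1"; port="${2:-9091}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Offline demo with a constructed key and a self-signed certificate standing in
# for the Godaddy-issued one. Returns 0 when both checks behave as expected.
demo() {
  d=$(mktemp -d) || return 1
  openssl genrsa -out "$d/new.private.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$d/new.private.key" -out "$d/signed.crt" \
    -days 1 -subj "/CN=teamairship.com" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  # The matching pair must pass ...
  check_key_matches_cert "$d/new.private.key" "$d/signed.crt" || return 1
  # ... and an unrelated key must be rejected.
  if check_key_matches_cert "$d/other.key" "$d/signed.crt"; then return 1; fi
  cert_summary "$d/signed.crt" | grep -q teamairship.com
}
```

Run `served_cert_summary yourdomain 9091` after step 9 and compare its subject and dates with `cert_summary 1f059b012bf01cf.crt`; if the old self-signed subject still shows, the import did not take effect.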
11. Backup the keys (Optional)
a. Open another terminal session
b. Move the files new.private.key, new.csr and 1f059b012bf01cf.crt to the /ssl_certificates/current/year directory
c. Copy the files from the XMPP server into the local /ssl_certificates/current directory
scp -p root@yourserver:~/ssl_certificates/current/* ssl_certificates/current/
d. Copy any of the files you downloaded from Godaddy as well
e. You should end up with the following files in the /ssl_certificates/current directory
- new.csr
- new.private.key
- gd_bundle-g2-g1.crt
- Public certificate from Godaddy — Example: 1f059b012bf01cf.crt