The Airship Blog

How to Import a GoDaddy SSL Certificate to an Openfire XMPP Server

Written by Adam Aldrich | Oct 10, 2017 5:00:00 AM
I recently had to update the SSL Certificate on an Openfire XMPP Server running on Digital Ocean. I thought this would be very straightforward, but after 2 days of fighting with it and digging through the terrible documentation, I finally figured it out. I thought I would share my experiences to save others the hassle of getting this going.

Versions

  • This was done on Openfire version 3.10.2
  • Running Java 1.7.0_79 Oracle Corporation -- OpenJDK 64-Bit Server VM
  • The server is on Digital Ocean running Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-52-generic x86_64)

Steps

1. SSH into your machine where Openfire is running
2. Stop the Openfire service
service openfire stop
3. Create a Private key
openssl genrsa -out new.private.key 2048
4. Generate a CSR from the Private key you just generated
openssl req -out new.csr -key new.private.key -new

a. Answer the Challenge Questions

- Country Name: Your Country, e.g. United States

- State or Province Name: Your State, e.g. AL

- Locality Name: Your City, e.g. Birmingham

- Organization Name: Legal name of your company, e.g. Airship

- Organizational Unit Name: Can be anything - I usually put something like IT

- Common Name: This needs to match the SSL certificate, e.g. teamairship.com

- Email Address: Your email address

- Challenge Password: Leave Blank

- Optional Company Name: Leave Blank

5. Log in to GoDaddy and submit the CSR to them. Once you get approved you will be able to download the certificates.
6. Download the files from GoDaddy. Choose the Other option for Server Type.

- Unzip the contents. There will be 2 files in there; the one we need will have a hash and end with .crt — Example: 1f059b012bf01cf.crt

7. Start Openfire server
service openfire start
8. Open the admin console and go to the server certificates and choose the import option or just go to the URL http://yourdomain:port/import-certificate.jsp

a. Enter the passphrase you used when generating the private key — default is “changeit”

b. In the Content of Private Key file section, enter the contents of new.private.key (the key created in step 3)

- You can get the contents by running

cat new.private.key

c. In the Content of Certificate file section, enter the contents of the public key you got from GoDaddy — Example: 1f059b012bf01cf.crt

- You can get the contents by running

cat 1f059b012bf01cf.crt

d. Submit and you should now see your certificate listed

9. Restart the Openfire service
service openfire restart
10. You should now have the new certificate running. You can check by going to https://yourdomain:port and ensuring you can log in.

a. Note: It might still say “One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key.” You can just ignore this; it isn't hurting anything.

11. Backup the keys (Optional)

a. Open another terminal session

b. Move the files new.private.key, new.csr and 1f059b012bf01cf.crt to the /ssl_certificates/current/year directory

c. Copy the files from the XMPP server into the /ssl_certificates/current directory

scp -p root@yourserver:~/ssl_certificates/current/* ssl_certificates/current/

d. Copy any of the files you downloaded from GoDaddy as well

e. You should end up with the following files in the /ssl_certificates/current directory

- new.csr

- new.private.key

- gd_bundle-g2-g1.crt

- Public certificate from GoDaddy — Example: 1f059b012bf01cf.crt
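
Before pasting the key and certificate into the import form in step 8, it helps to confirm that the private key, the CSR and the issued .crt all carry the same public key. The script below is an added example, not part of the original post; the function names, the file issued.crt and the host name xmpp.example.test are assumptions, and the demo files are constructed throwaway data.

```shell
#!/bin/sh
# Added example: confirm the key, CSR and issued certificate share one public key.

# Print the SHA-256 of the public key in a file; return 1 if it cannot be read.
# $1 = kind (key|csr|cert), $2 = path
pubkey_fingerprint() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    [ -n "$pem" ] || return 1   # never hash empty output: two failures would "match"
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if all three match, 1 on a mismatch, 2 if a file is unreadable.
# $1 = private key, $2 = CSR, $3 = certificate
check_import_set() {
    k=$(pubkey_fingerprint key "$1")  || { echo "cannot read key: $1" >&2; return 2; }
    r=$(pubkey_fingerprint csr "$2")  || { echo "cannot read CSR: $2" >&2; return 2; }
    c=$(pubkey_fingerprint cert "$3") || { echo "cannot read cert: $3" >&2; return 2; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key" >&2; return 1; }
    echo "key, CSR and certificate match (sha256 $k)"
}

# Constructed demo data (assumption): a throwaway key, its CSR, a self-signed
# certificate standing in for the CA-issued .crt, and an unrelated second key.
make_demo_files() {
    openssl genrsa -out "$1/new.private.key" 2048 2>/dev/null
    openssl req -new -key "$1/new.private.key" -subj "/CN=xmpp.example.test" \
        -out "$1/new.csr" 2>/dev/null
    openssl x509 -req -in "$1/new.csr" -signkey "$1/new.private.key" -days 1 \
        -out "$1/issued.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
check_import_set "$demo_dir/new.private.key" "$demo_dir/new.csr" "$demo_dir/issued.crt"
check_import_set "$demo_dir/other.key" "$demo_dir/new.csr" "$demo_dir/issued.crt" \
    || echo "mismatch caught before import"
rm -rf "$demo_dir"
```

With the real files from the steps above, the call is check_import_set new.private.key new.csr 1f059b012bf01cf.crt, where the .crt name is the example name used in this post.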

Conclusion

Hopefully, this helps others that were struggling with how to get the SSL certificate imported correctly. Openfire has an official document for setting up SSL. However, it didn't work for me. If this doesn't work for your version, you might want to read the official Openfire documentation.

References

  • Openfire
  • Openfire SSL Guide