BLOG

Last week, I was up to configure well known and successful Openfire jabber server with valid SSL certificate configuration. Initially I have had hard times trying to do it according to many howtos and forums accessible using google, none of which worked. Each of them referenced manipulation of java SSL keystore directly with keytool.

It did not work. It was waste of time. And if after many attempts all seemed good, asterisk throwed java exceptions, when accessing certificate management functionality of Openfire administration interface.

Despite all these troubles, setup of SSL certificates with asterisk is in fact very simple.

First, login to the administration web interface, enter within same browser session following URL in your browser:

http://localhost:9090/import-certificate.jsp

or

https://localhost:9091/import-certificate.jsp
(Replace localhost with your Openfire server’s IP address or hostname).

Then, log in to asterisk machine via ssh and find keystore files (usually found at /etc/openfire/security/keystore).

Then list certificates present in this keystore file (it usualy contains self-signed certificate created at openfire installation):

#keytool -list -keystore keystore

This will issue output similar to following:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

jabber.yourdomain.com, Oct 10, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 1C:F3:70:A7:49:F2:6E:13:B7:33:53:D2:5A:97:B9:0A
Next, delete this current certificate (or all of them) using alias name printed out:

#keytool -delete -keystore keystore -alias jabber.yourdomain.com

Provide password for your keystore, by default it is ‘changeit’ word.

After #keytool -list -keystore keystore command shows no more keys in your keystore,

After, return back to Openfire administration web console to the /import-certificate.jsp location opened before, which is by the way not accessible directly from any Openfire administration web console menu. It should look like following screenshot:

Paster private SSL key to be used with Openfire in first large input box, put your signed certificate in second large box and in case your private key is password protected, enter password in private key password field.

Press save and from now on your Openfire installation should be using SSL certificate signed by renowned SSL CA authority. (We recommend StartSSL for hobby projects).

I hope this can save lots of time to any people trying to get signed SSL certificate working with Openfire jabber server so no one would repeat all the painful and time-consuming steps I took myself.