Hi everyone,
I have solved this puzzle today.
What I had:
- A signed certificate, including the private key, exported from an IIS webserver in .pfx format
- Default openfire files / keystores (version 3.8.2)
What I needed to get it to work:
- The Java Development Kit (Java SE 7u21 JDK), found here: http://www.oracle.com/technetwork/java/javase/downloads/index.html
- The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7, found on the same page (needed for very strong certs, maybe not always necessary)
Steps to get it to work:
1. I took the keytool.exe in C:\Program Files (x86)\Java\jdk1.7.0_21\bin and copied it to openfire\resources\security for easier testing
2. Replace the default Java Cryptography Extension files with the ones from the second download (for example in C:\Program Files (x86)\Java\jre7\lib\security)
3. Find out the certificate alias within the pfx file by executing the following command:
keytool.exe -list -storetype pkcs12 -keystore "path\to\your\keystore.pfx"
(You have to enter the export password. The alias usually looks somewhat like this: "le-f4asdf53-e12f-4as2-8901-e7asdfgf86b4")
4. Execute the following command (in openfire\resources\security) (of course you have to adjust it to your environment):
keytool.exe -importkeystore -srckeystore "path\to\your\keystore.pfx" -destkeystore "path\to\your\openfire\resources\security\keystore" -srcstoretype pkcs12 -deststoretype JKS -srcstorepass "<The password you used to export the PFX>" -deststorepass "changeit" -srcalias "<certificate alias from step 3>" -destalias "yourdomain.com_rsa" -destkeypass "changeit"
Troubleshooting:
- Listing the certificates currently in the keystore: "keytool.exe -list -keystore keystore"
- Deleting one of them: "keytool.exe -delete -keystore keystore -alias blabla.com_rsa"
Pitfalls:
- If you import the certificate/key without the "-destkeypass" argument, the store gets "corrupted" for openfire, because the store password then does not match the key password within the store (weird!).
- You cannot use the -destkeypass argument without also knowing the -srcalias, which makes step 3 necessary.
- Some clients (in my case jitsi) don't accept the certificate in some modes. Switching the client back from the Windows keystore to the Java keystore helped in my case (Advanced Settings --> TLS Configuration --> Root CA Keystore --> set to Java) (it is the default setting afaik).
I think this is one of the best methods possible.
If it does not work, please reply. Maybe I have forgotten to mention something.
Best Regards,
Jan
Added another pitfall
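The procedure above, wrapped into one script as an added example (this is not part of Jan's post and not Openfire's own tooling). It reads the alias out of the PFX automatically instead of copying it by hand, passes -destkeypass equal to -deststorepass so the "corrupted store" pitfall cannot happen, backs up the existing keystore, and finally proves that the private key really opens with the store password. The JDK path, the PFX path, the Openfire install directory and the "yourdomain.com_rsa" alias are placeholders you have to adjust; "changeit" is the default Openfire store password used in the post.

```powershell
# Added example (not from the original post): automate the keytool.exe steps above.
# Assumed locations; adjust them to your environment.
$KeyTool   = "C:\Program Files (x86)\Java\jdk1.7.0_21\bin\keytool.exe"  # JDK 7 keytool
$Pfx       = "C:\certs\yourdomain.com.pfx"                               # exported from IIS
$Openfire  = "C:\Program Files\Openfire"                                 # Openfire install dir
$Keystore  = Join-Path $Openfire "resources\security\keystore"
$StorePass = "changeit"            # Openfire's default keystore password
$DestAlias = "yourdomain.com_rsa"  # alias naming used in the post
$PfxPass   = Read-Host -Prompt "PFX export password"

# Step 3: find the alias inside the PFX. "-list -v" prints one "Alias name: ..." line per entry.
$listing = (& $KeyTool -list -v -storetype pkcs12 -keystore $Pfx -storepass $PfxPass 2>&1) |
           ForEach-Object { "$_" }
if ($LASTEXITCODE -ne 0) { throw "keytool could not open ${Pfx}:`n$($listing -join "`n")" }
$aliases = @($listing | Select-String -Pattern '^Alias name:\s*(.+)$' |
             ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() })
if ($aliases.Count -ne 1) {
    throw "Expected exactly one entry in the PFX, found: $($aliases -join ', ')"
}
$SrcAlias = $aliases[0]
Write-Host "PFX alias: $SrcAlias"

# Keep a copy of the Openfire keystore before touching it (Troubleshooting section: -delete is the undo).
Copy-Item -Path $Keystore -Destination "$Keystore.bak" -Force

# Step 4: import. -destkeypass is deliberately the same as -deststorepass (see Pitfalls).
& $KeyTool -importkeystore -noprompt `
    -srckeystore $Pfx -srcstoretype pkcs12 -srcstorepass $PfxPass -srcalias $SrcAlias `
    -destkeystore $Keystore -deststoretype JKS -deststorepass $StorePass `
    -destalias $DestAlias -destkeypass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool -importkeystore failed" }

# Check 1: the entry is listed under the new alias.
& $KeyTool -list -keystore $Keystore -storepass $StorePass -alias $DestAlias
if ($LASTEXITCODE -ne 0) { throw "alias $DestAlias not found in $Keystore" }

# Check 2: the private key opens with the store password. -certreq has to use the
# private key, so it fails when -keypass does not match the key's real password,
# which is exactly the mismatch that breaks the store for Openfire.
$csr = Join-Path $env:TEMP "keypass-check.csr"
& $KeyTool -certreq -alias $DestAlias -keystore $Keystore `
    -storepass $StorePass -keypass $StorePass -file $csr
$keyOk = ($LASTEXITCODE -eq 0)
Remove-Item -Path $csr -ErrorAction SilentlyContinue
if (-not $keyOk) { throw "key password of $DestAlias does not match the store password" }

Write-Host "Imported '$SrcAlias' from the PFX as '$DestAlias' into $Keystore"
```

Run it from an elevated prompt if the Openfire directory is under Program Files. The passwords still end up on keytool's command line, as in the manual steps, so clear the console history afterwards if that matters in your environment.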