Create and Apply SSL Certificates for OpenFire XMPP Instant Messaging Server 🌱

Prerequisites

Create Your SSL Certificate

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: chat.i12bretro.local
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: chat.i12bretro.local

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Select End Entity from the type list
  14. Click Edit next to Subject Alternative Name
  15. Add any DNS or IP addresses that the certificate will identify
  16. Update the validity dates to fit your needs
  17. Click the Key Usage tab
  18. Under Key Usage select Digital Signature, Key Encipherment
  19. Under Extended Key Usage select Web Server and Web Client Authentication
  20. Click the Netscape tab
  21. Select SSL Server
  22. Click OK to create the certificate

Exporting Required Files

  1. In XCA, click on the Certificates tab
  2. Right click the Root CA certificate > Export > File
  3. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  4. Click OK
  5. Right click the Intermediate CA certificate > Export > File
  6. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  7. Click OK
  8. Right click the SSL certificate > Export > File
  9. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  10. Click OK
  11. Click the Private Keys tab
  12. Right click the private key generated for the SSL certificate > Export > File
  13. Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)
  14. Click OK

Applying SSL Certificate to OpenFire

  1. Log into the OpenFire Admin Console
  2. Click the TLS/SSL Certificates tab in the top sub-navigation menu
  3. Click the Manage Store Contents link under Server Trust store (middle option)
  4. Click the import form link
  5. Give the certificate an alias and paste the contents of the exported Root CA .crt file > Click Save
  6. Click the import form link again
  7. Give the certificate an alias and paste the contents of the exported Intermediate CA .crt file > Click Save
  8. Click the TLS/SSL Certificates tab in the top sub-navigation menu
  9. Click the Manage Store Contents link under Identity store (top option)
  10. Click the imported here link
  11. Paste the contents of the exported private key .pk8 file into the private key field
  12. Paste the contents of the exported certificate .crt file into the certificate field
  13. Click Save
  14. Click the delete icon next to the self-signed certificate generated by OpenFire > Click OK to confirm the delete action
  15. Click the TLS/SSL Certificates tab in the top sub-navigation menu
  16. Click the Client Trust Store Contents link under Identity store (bottom option)
  17. Click the import form link
  18. Give the certificate an alias and paste the contents of the exported Root CA .crt file > Click Save
  19. Click the import form link again
  20. Give the certificate an alias and paste the contents of the exported Intermediate CA .crt file > Click Save
  21. Restart the OpenFire service
  22. Once OpenFire has completed started, navigate to https://DNS:9091/ to access the Admin Console over SSL
  23. In the OpenFire Admin Console click on Sessions in the top navigation to view active client connections and their current SSL communication status

At this point instant messaging clients can be switched to require encryption. You may need to import the root and intermediate certificates into the client for the communication to work seemlessly (no prompts). This will vary depending on the IM client in use.