-
Notifications
You must be signed in to change notification settings - Fork 58
/
0133.html
117 lines (108 loc) · 6.46 KB
/
0133.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Create and Apply SSL Certificates for OpenFire XMPP Instant Messaging Server</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta charset="UTF-8">
<meta name="keywords" content="OpenFire Server,Chat Server,SSL,Instant Messager,Office Instant Messenger,Home Lab,Web Based,Browser Based,Self-Hosted,PKI,Private Key Infrastructure,OpenFire,XMPP,Instant Messaging,IM,Linux,Windows,Home Lab Ideas,Certificate Authority,Certificates,Certificate,Encryption,SSL Certificates,Secure Communication,Self-Signed SSL,System Administration,X Certificate And Key Management,X Certificate Key Manager,XCA,How To,Tutorial,i12bretro">
<meta name="author" content="i12bretro">
<meta name="description" content="Create and Apply SSL Certificates for OpenFire XMPP Instant Messaging Server">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="revised" content="10/24/2022 10:11:33 AM" />
<link rel="icon" type="image/x-icon" href="includes/favicon.ico">
<script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="includes/js/steps.js"></script>
<link href="css/steps.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="gridContainer">
<div class="topMargin"></div>
<div id="listName" class="topMargin">
<h1>Create and Apply SSL Certificates for OpenFire XMPP Instant Messaging Server</h1>
</div>
<div></div>
<div id="content">
<h2>Prerequisites</h2>
<ul>
<li class="noCheckbox">A XCA PKI database <a href="https://youtu.be/ezzj3x207lQ" target="_blank">https://youtu.be/ezzj3x207lQ</a></li>
</ul>
<h2>Create Your SSL Certificate</h2>
<ol>
<li>Launch XCA</li>
<li>Open the PKI database if it is not already (File > Open DataBase), enter password</li>
<li>Click on the Certificates tab, right click on your Intermediate CA certificate</li>
<li>Select New</li>
<li>On the Source tab, make sure Use this Certificate for signing is selected</li>
<li>Verify your Intermediate CA certificate is selected from the drop down</li>
<li>Click the Subject tab</li>
<li>Complete the Distinguished Name section
<p>internalName: chat.i12bretro.local<br />
countryName: US<br />
stateOrProvinceName: Virginia<br />
localityName: Northern<br />
organizationName: i12bretro<br />
organizationUnitName: i12bretro Certificate Authority<br />
commonName: chat.i12bretro.local</p>
</li>
<li>Click the Generate a New Key button</li>
<li>Enter a name and set the key size to at least 2048</li>
<li>Click Create</li>
<li>Click on the Extensions tab</li>
<li>Select End Entity from the type list</li>
<li>Click Edit next to Subject Alternative Name</li>
<li>Add any DNS or IP addresses that the certificate will identify</li>
<li>Update the validity dates to fit your needs</li>
<li>Click the Key Usage tab</li>
<li>Under Key Usage select Digital Signature, Key Encipherment</li>
<li>Under Extended Key Usage select Web Server and Web Client Authentication</li>
<li>Click the Netscape tab</li>
<li>Select SSL Server</li>
<li>Click OK to create the certificate</li>
</ol>
<h2>Exporting Required Files</h2>
<ol>
<li>In XCA, click on the Certificates tab</li>
<li>Right click the Root CA certificate > Export > File</li>
<li>Set the file name with a .crt extension and verify the export format is PEM (*.crt)</li>
<li>Click OK</li>
<li>Right click the Intermediate CA certificate > Export > File</li>
<li>Set the file name with a .crt extension and verify the export format is PEM (*.crt)</li>
<li>Click OK</li>
<li>Right click the SSL certificate > Export > File</li>
<li>Set the file name with a .crt extension and verify the export format is PEM (*.crt)</li>
<li>Click OK</li>
<li>Click the Private Keys tab</li>
<li>Right click the private key generated for the SSL certificate > Export > File</li>
<li>Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)</li>
<li>Click OK</li>
</ol>
<h2>Applying SSL Certificate to OpenFire</h2>
<ol>
<li>Log into the OpenFire Admin Console</li>
<li>Click the TLS/SSL Certificates tab in the top sub-navigation menu</li>
<li>Click the Manage Store Contents link under Server Trust store (middle option)</li>
<li>Click the import form link</li>
<li>Give the certificate an alias and paste the contents of the exported Root CA .crt file > Click Save</li>
<li>Click the import form link again</li>
<li>Give the certificate an alias and paste the contents of the exported Intermediate CA .crt file > Click Save</li>
<li>Click the TLS/SSL Certificates tab in the top sub-navigation menu</li>
<li>Click the Manage Store Contents link under Identity store (top option)</li>
<li>Click the imported here link</li>
<li>Paste the contents of the exported private key .pk8 file into the private key field</li>
<li>Paste the contents of the exported certificate .crt file into the certificate field</li>
<li>Click Save</li>
<li>Click the delete icon next to the self-signed certificate generated by OpenFire > Click OK to confirm the delete action</li>
<li>Click the TLS/SSL Certificates tab in the top sub-navigation menu</li>
<li>Click the Client Trust Store Contents link under Identity store (bottom option)</li>
<li>Click the import form link</li>
<li>Give the certificate an alias and paste the contents of the exported Root CA .crt file > Click Save</li>
<li>Click the import form link again</li>
<li>Give the certificate an alias and paste the contents of the exported Intermediate CA .crt file > Click Save</li>
<li>Restart the OpenFire service </li>
<li>Once OpenFire has completed started, navigate to https://DNS:9091/ to access the Admin Console over SSL</li>
<li>In the OpenFire Admin Console click on Sessions in the top navigation to view active client connections and their current SSL communication status</li>
</ol>
<p>At this point instant messaging clients can be switched to require encryption. You may need to import the root and intermediate certificates into the client for the communication to work seemlessly (no prompts). This will vary depending on the IM client in use. </p> </div>
</div>
</body>
</html>