
Setting up an Openfire XMPP server with a self-signed certificate

Kyuho Jeong edited this page Jun 12, 2015 · 19 revisions

### THIS DOCUMENT IS IN PROGRESS AND NOT CONFIRMED WORKING

Prepare a server instance. In this example I used Ubuntu 14.04 on a Chameleon Cloud virtual machine.

Installing Openfire:

$ sudo apt-get update
$ sudo apt-get install default-jre

Go to the Openfire web page (http://www.igniterealtime.org/downloads/index.jsp) and download the Openfire deb file.

$ wget -O openfire.deb http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_3.10.0_all.deb
$ sudo dpkg -i openfire.deb

After installation, you should be able to access the Openfire configuration page in a browser (http://<server-ip>:9090/).

(Screenshot: Openfire landing page)

I simply clicked "continue" all the way until the setup finished.

Now we create the certificates. I referred to this site [2] about creating certificates. The procedure is:

1. Create the root pair (private key and public certificate).
2. Create the intermediate certificate, signed with the root certificate.
3. Create the server certificate and the client certificate.

Create root pair

For ease of running the commands, become the root user.

$ sudo passwd
$ su

Detailed information can be found in [2].

$ mkdir /root/ca
$ cd /root/ca
$ mkdir certs crl newcerts private
$ chmod 700 private
$ touch index.txt
$ echo 1000 > serial
$ wget https://github.com/ipop-project/ipop-scripts/raw/master/openssl_config/root-config.txt
$ mv root-config.txt /root/ca/openssl.cnf

Create the root key. Remember the passphrase you used.

$ openssl genrsa -aes256 -out private/ca.key.pem 4096
$ chmod 400 private/ca.key.pem

Now we create the root certificate.

$ openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name [England]:FLORIDA
Locality Name []:
Organization Name [Alice Ltd]:UF
Organizational Unit Name []:ACIS
Common Name []:IPOP ROOT CA
Email Address []:

$ chmod 444 certs/ca.cert.pem

Create intermediate pair

$ mkdir /root/ca/intermediate
$ cd /root/ca/intermediate
$ mkdir certs crl csr newcerts private
$ chmod 700 private
$ touch index.txt
$ echo 1000 > serial
$ echo 1000 > /root/ca/intermediate/crlnumber

Download the config file; detailed info is at [2].

$ wget https://github.com/ipop-project/ipop-scripts/raw/master/openssl_config/intermediate-config.txt
$ mv intermediate-config.txt /root/ca/intermediate/openssl.cnf

Create the intermediate key (the first half of the pair).

$ cd /root/ca
$ openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
$ chmod 400 intermediate/private/intermediate.key.pem

Now the CSR. The fields should match those of the root, except the "Common Name" field, which MUST be different.

$ openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name [England]:FLORIDA
Locality Name []:
Organization Name [Alice Ltd]:UF
Organizational Unit Name []:ACIS
Common Name []:IPOP INTERMEDIATE CA
Email Address []:

Now the intermediate certificate. Note that this one is signed using the root CA's config (the openssl.cnf in /root/ca).

$ openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
$ chmod 444 intermediate/certs/intermediate.cert.pem

Now the server private key.

$ cd /root/ca
$ openssl genrsa -aes256 -out intermediate/private/xmpp_server.key.pem 2048
$ chmod 400 intermediate/private/xmpp_server.key.pem

Create the server CSR.

$ openssl req -config intermediate/openssl.cnf -key intermediate/private/xmpp_server.key.pem -new -sha256 -out intermediate/csr/xmpp_server.csr.pem
Enter pass phrase for intermediate/private/xmpp_server.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name [England]:FLORIDA
Locality Name []:
Organization Name [Alice Ltd]:UF
Organizational Unit Name []:ACIS
Common Name []:XMPP SERVER
Email Address []:

Now, finally, the server certificate.

$ openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/xmpp_server.csr.pem -out intermediate/certs/xmpp_server.cert.pem
$ chmod 444 intermediate/certs/xmpp_server.cert.pem

Create the client certificate. First the client key (the original page repeated the CSR command here; the key must be generated before a CSR can be made from it):

$ cd /root/ca
$ openssl genrsa -aes256 -out intermediate/private/alice.key.pem 2048
$ chmod 400 intermediate/private/alice.key.pem

Next, the client CSR.

$ cd /root/ca
$ openssl req -config intermediate/openssl.cnf -key intermediate/private/alice.key.pem -new -sha256 -out intermediate/csr/alice.csr.pem
Enter pass phrase for intermediate/private/alice.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name [England]:FLORIDA
Locality Name []:
Organization Name [Alice Ltd]:UF
Organizational Unit Name []:ACIS
Common Name []:alice
Email Address []:

Create the client certificate.

$ openssl ca -config intermediate/openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in intermediate/csr/alice.csr.pem -out intermediate/certs/alice.cert.pem
$ chmod 444 intermediate/certs/alice.cert.pem
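The steps above are interactive and depend on the two downloaded config files. The script below is an added example, not part of this wiki page or of the ipop-project scripts: it rehearses the same root -> intermediate -> server chain non-interactively in a throwaway directory and then runs the check a client performs, so you can confirm the chain is well-formed before touching the real CA in /root/ca. It assumes an `openssl` binary on PATH, uses a minimal inline config in place of root-config.txt / intermediate-config.txt, signs with `openssl x509 -req` instead of `openssl ca` (so no index.txt/serial database is needed), generates keys without `-aes256` so nothing prompts, and uses constructed placeholder values for the DN fields and the hostname xmpp.example.org.

```shell
#!/bin/sh
# Added example (not from the wiki page): non-interactive rehearsal of the
# root -> intermediate -> server chain, plus the verification a client would do.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SUBJ_BASE="/C=US/ST=FLORIDA/O=UF/OU=ACIS"   # constructed DN values

# Minimal config standing in for the downloaded root/intermediate openssl.cnf files;
# only the extension sections the chain needs are defined.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:xmpp.example.org
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root: self-signed certificate carrying the v3_ca extensions.
make_root() {
  openssl genrsa -out "$WORK/ca.key.pem" 2048 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -key "$WORK/ca.key.pem" -new -x509 -days 3650 -sha256 \
    -extensions v3_ca -subj "$SUBJ_BASE/CN=IPOP ROOT CA" -out "$WORK/ca.cert.pem"
}

# Intermediate: CSR signed by the root with v3_intermediate_ca (pathlen:0 means it may
# only issue end-entity certificates, never another CA).
make_intermediate() {
  openssl genrsa -out "$WORK/intermediate.key.pem" 2048 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -new -sha256 -key "$WORK/intermediate.key.pem" \
    -subj "$SUBJ_BASE/CN=IPOP INTERMEDIATE CA" -out "$WORK/intermediate.csr.pem"
  openssl x509 -req -in "$WORK/intermediate.csr.pem" -CA "$WORK/ca.cert.pem" \
    -CAkey "$WORK/ca.key.pem" -CAcreateserial -days 1825 -sha256 \
    -extfile "$WORK/ca.cnf" -extensions v3_intermediate_ca \
    -out "$WORK/intermediate.cert.pem" 2>/dev/null
}

# Server: CSR signed by the intermediate with server_cert (serverAuth + SAN).
make_server() {
  openssl genrsa -out "$WORK/xmpp_server.key.pem" 2048 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -new -sha256 -key "$WORK/xmpp_server.key.pem" \
    -subj "$SUBJ_BASE/CN=xmpp.example.org" -out "$WORK/xmpp_server.csr.pem"
  openssl x509 -req -in "$WORK/xmpp_server.csr.pem" -CA "$WORK/intermediate.cert.pem" \
    -CAkey "$WORK/intermediate.key.pem" -CAcreateserial -days 375 -sha256 \
    -extfile "$WORK/ca.cnf" -extensions server_cert \
    -out "$WORK/xmpp_server.cert.pem" 2>/dev/null
  # What the server should present: leaf first, then the intermediate (never the root key).
  cat "$WORK/xmpp_server.cert.pem" "$WORK/intermediate.cert.pem" > "$WORK/xmpp_server.chain.pem"
}

# A client trusting only the root builds the path when the intermediate is supplied...
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/ca.cert.pem" -untrusted "$WORK/intermediate.cert.pem" \
    "$WORK/xmpp_server.cert.pem" >/dev/null 2>&1
}

# ...and rejects the server when the intermediate is missing, the usual cause of
# "unknown issuer" errors when a server is configured with the leaf alone.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/ca.cert.pem" "$WORK/xmpp_server.cert.pem" >/dev/null 2>&1
}

# Number of certificates in the chain file the server would present (expected: 2).
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/xmpp_server.chain.pem"
}

write_config
make_root
make_intermediate
make_server
verify_with_intermediate && echo "root -> intermediate -> server: OK"
if verify_without_intermediate; then
  echo "unexpected: verified without the intermediate"
else
  echo "without the intermediate the client rejects the server cert (expected)"
fi
echo "chain file holds $(chain_cert_count) certificate(s)"
```

Run it with `sh` on the machine that has openssl installed. For the real deployment keep the `-aes256` passphrases and the `openssl ca` database from [2]; the point of the rehearsal is the two `verify` calls: the server has to present the leaf together with the intermediate (the `.chain.pem` shape), while clients only need the root certificate in their trust store.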

References

[1] https://www.digitalocean.com/community/tutorials/how-to-install-openfire-xmpp-server-on-a-debian-or-ubuntu-vps

[2] https://jamielinux.com/docs/openssl-certificate-authority/index.html
