Developers: If you want too see the full steps here they are: These are what I follow to a T when uploading. I gave the short hand above incase you are already aware of the issue.
Install Microsot Visual C++ viewer restributable. You need this specific version in order for OpenSSL to function properly.
http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D -074B9F2BC1BF
Download OpenSSL http://www.slproweb.com/download/Win32OpenSSL-1_0_0f.exe
install this using the system defaults.
Browse to C:\OopenSSL-Win32\bin
Right click on openssl.exe and choose Run As Administrator
Use Openssl to generate a private key by running the following commands
OpenSSL genrsa -out your.domain.com.key 2048
you will see
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.+++
............................................+++
e is 65537 (0x10001)
at the next OpenSSL> prompt type enter this command
OpenSSL req -out your.domain.com.csr -key your.domain.com.key -new
you will see
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:REQUIRED
State or Province Name (full name) [Some-State]:REQUIRED
Locality Name (eg, city) []:REQUIRED
Organization Name (eg, company) [Internet Widgits Pty Ltd]:REQUIRED
Organizational Unit Name (eg, section) []:REQUIRED
Common Name (e.g. server FQDN or YOUR name) []:REQUIRED This should match your OpenFire server name
Email Address []:Leave Blank
LEAVE THE FOLLOWING BLANK
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After answering the questions above you will be brought back to the OpenSSL prompt
OpenSSL>
At this point you can close OpenSSL
You have now created a private key and a cert request that you can use to get a cert from GeoTrust. The key and the cert are located in C:\OpenSSL-Win32\bin
The files are
your.domain.com.key
your.domain.com.csr
Login to your GeoTrust account and ask for a new SSL Cert. I used the Quick SSL Premium, but the Quick SSL Basic will be fine if you dont need multiple domain support.
Copy the contents of the file
your.domain.com.csr
into the field listed below
Certificate Signing Request (CSR) Information
Complete the cert request steps. Once you get your cert approved and you get the download link, Make sure you download the ZIP bundle.
Extract the files and use notepad++ to open the files
your_domain_com.txt
GeoTrust_CA_Bundle.txt
Copy the contents of your_domain_com.txt and paste into a new notepad++ file. Directly after your cert copy the contents of
GeoTrust_CA_Bundle.txt
The end file should look like.
-----BEGIN CERTIFICATE-----
Your certificate
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
MIID+jCCAuKgAwIBAgIDAjbSMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjI2MjEzMjMxWhcNMjAwMjI1MjEzMjMxWjBhMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UECxMURG9tYWluIFZh
bGlkYXRlZCBTU0wxGzAZBgNVBAMTEkdlb1RydXN0IERWIFNTTCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKa7jnrNpJxiV9RRMEJ7ixqy0ogGrTs8
KRMMMbxp+Z9alNoGuqwkBJ7O1KrESGAA+DSuoZOv3gR+zfhcIlINVlPrqZTP+3RE
60OUpJd6QFc1tqRi2tVI+Hrx7JC1Xzn+Y3JwyBKF0KUuhhNAbOtsTdJU/V8+Jh9m
cajAuIWe9fV1j9qRTonjynh0MF8VCpmnyoM6djVI0NyLGiJOhaRO+kltK3C+jgwh
w2LMpNGtFmuae8tk/426QsMmqhV4aJzs9mvIDFcN5TgH02pXA50gDkvEe4GwKhz1
SupKmEn+Als9AxSQKH6a9HjQMYRX5Uw4ekIR4vUoUQNLIBW7Ihq28BUCAwEAAaOB
2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIz02ZMKR7wAoErOS3VuoLaw
sn78MB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4ysxOMBIGA1UdEwEB/wQI
MAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5j
b20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAB
hhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZIhvcNAQEFBQADggEBADOR
NxHbQPnejLICiHevYyHBrbAN+qB4VqOC/btJXxRtyNxflNoRZnwekcW22G1PqvK/
ISh+UqKSeAhhaSH+LeyCGIT0043FiruKzF3mo7bMbq1vsw5h7onOEzRPSVX1ObuZ
lvD16lo8nBa9AlPwKg5BbuvvnvdwNs2AKnbIh+PrI7OWLOYdlF8cpOLNJDErBjgy
YWE5XIlMSB1CyWee0r9Y9/k3MbBn3Y0mNhp4GgkZPJMHcCrhfCn13mZXCxJeFu1e
vTezMGnGkqX2Gdgd+DYSuUuVlZzQzmwwpxb79k1ktl8qFJymyFWOIPllByTMOAVM
IIi0tWeUz12OYjf+xLQ=
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26×1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
—–END CERTIFICATE—–
Save this file as Content of Certificate file.txt
Browse to the OpenFire Server Certificate Import Pagehttps://your.openfireserver.com:9091/import-certificate.jsp
Copy the contents of your.domain.com.key and paste into the Content of Private Key file: field
Copy the contens of the Content of Certificate file.txt you created into the Content of Certificate file: field
If you don’t include the intermediate cert data in the second field or the intermediate certs don’t match you’ll see errors such as “Incomplete certificate chain in reply”, “Failed to establish chain from reply” or “Certificate chain in reply does not verify: Signature does not match.”
If you see the message “invalid DER-encoded certificate data” then you most likely have an empty line between one or other of the certificate lines.
Once you get the Key was imported successfully message you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.
Log back in and browse to the Server Certificates page again, you will see two self-signed certs and a CA signed cert. You can remove both self signed certs by clicking the delete button to the far right. Once again you will be prompted to restart the HTTP service via a handy link Openfire provides. Click that link and you will be redirected to the login page.
Log back in and browse to the Server Certificates page again to verify your CA signed cert is the only one left.
That should be it. I have confirmed this works with Openfire 3.7.1 using Spark and webchat clients.
Let me know if you have any questions. Hopefully this will help someone save a week of headbanging and fustrations.