ayena.de

ejabberd and xmpp.net ICA certs

By Tobias Markmann in

Tuesday, July 31, 2007 - 06:49 PM

Today I finally got my xmpp.net cert working with ejabberd. I'm using latest ejabberd because since revision 841 ejabberd sends the whole certificate chain to the clients.

First the files and data you need:
  • ssl.key (your private key you got through the ICA certification process)
  • ssl.crt (your certificate)
  • the password you used during the ICA certification process
  • sub.class1.xmpp.ca.crt (xmpp.net's ICA cert)
Here the list of things you need to do to get a cert-file which works nice with ejabberd:
  1. Create a backup of the files listed above if you haven't done it yet.
  2. Decrypt ssl.key file using the following command (You will be asked for the password!): openssl rsa -in ssl.key -out ssl.key Here the difference between an encrypted ssl.key and decrypted ssl.key:
    EncryptedDecrypted
    1. -----BEGIN RSA PRIVATE KEY-----
    2. Proc-Type: 4,ENCRYPTED
    3. DEK-Info: AES-256-CBC,08625FF5291958...
    4. LH4pfqaXMm86kaFBXFNsZY8HXkPjmBvBH18V...
    5. ...
    6. dWiJwyTFzAEHXZh1bLZr1C5560FBlGySh35h...
    7. -----END RSA PRIVATE KEY-----
    		 
    1. -----BEGIN RSA PRIVATE KEY-----
    2. MIIEpAIBAAKCAQEA8wY1jnx5koNqhPKN8UkL...
    3. ...
    4. NuFEKicDmogtN6ojyIx6+JxxKPE7Cu1ru10G...
    5. -----END RSA PRIVATE KEY-----
  3. Now you put them all together. Your cert, your private key and xmpp.net's ICA cert. Use the following command: cat ssl.crt sub.class1.xmpp.ca.crt ssl.key >> myxmpp.net.crt
The resulting myxmpp.net.crt should look like: 
  1. -----BEGIN CERTIFICATE-----
  2. MIIH2zCCBsOgAwIBAgICAZUwDQYJKoZIhvcNAQEFBQAwgdgxCzAJBgNVBAYTAlVT
  3. ...
  4. j1c/86uMpzRNEm6ibxe7eLNulLJbvb9UAo8jPVRSMOavngjAyvcz6sZUtCDnStQ=
  5. -----END CERTIFICATE-----
  6. -----BEGIN CERTIFICATE-----
  7. MIIHADCCBmmgAwIBAgIBFDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMCSUwx
  8. ...
  9. lhMZMHD/ivqg8faZSQNYMg6xq7I=
  10. -----END CERTIFICATE-----
  11. -----BEGIN RSA PRIVATE KEY-----
  12. MIIEpAIBAAKCAQEA8wY1jnx5koNqhPKN8UkLOeex3QIFXkZeaGmeeQI5ZSsWBBqW
  13. ...
  14. NuFEKicDmogtN6ojyIx6+JxxKPE7Cu1ru10GUs1VGBZMRqYcHJdXbg==
  15. -----END RSA PRIVATE KEY-----
Now you can simply enable TLS for ejabberd like it is described in its documentation. It's important that the resulting file has both, your cert and the xmpp.net ICA cert. This may be different for other XMPP server software. Links:
Comment! Keep reading >>