InstallGuide/OpenSSLConfiguration
NOTE: The XSF has launched an Intermediate Certificate Authority for generating TLS certificates for federated XMPP servers. Please see the https://www.xmpp.net/certificate-process page for instructions on how to obtain one.
It's generally better than a self-signed certificate.
A.6. Generating a Self-Signed SSL Certificate
This appendix describes how to generate a self-signed OpenSSL certificate for use with Jabberd.
Important: Key Is Self-Signed. The key generated by the instructions below is self-signed. Such a key is not part of a trust hierarchy. When used to secure communications with Jabber clients, a self-signed key will usually cause warnings to appear because its authenticity cannot be verified against a trusted key.
A.6.1. Generate Key Pair
From a working directory, enter the command below to begin an interactive key generation process:
openssl req -new -x509 -newkey rsa:2048 -days 3650 -keyout privkey.pem -out server.pem
You will be prompted for a passphrase for the private key. After entering and confirming your passphrase, you will be prompted for public information about your key.
Note: Common Name. You should enter your domain name as the Common Name for your certificate.
Note: Key Lifetime. The command above creates a key with a 3650-day (10-year) lifetime. To change the key lifetime, use a different number of days for the -days parameter.
A.6.2. Remove Passphrase
Enter this command to remove the passphrase from your private key:
openssl rsa -in privkey.pem -out privkey.pem
A.6.3. Combine the Private and Public Key
Enter this command to combine the private and public keys into a single file:
cat privkey.pem >> server.pem
A.6.4. Delete Private Key
You should now delete your private key:
rm privkey.pem
A.6.5. Move Key and Set Permissions
You can now move your key to its permanent location. For example, to move the key to the default Jabberd pemfile location, you would enter this command (as superuser):
mv server.pem /usr/local/etc/jabberd/server.pem
Then, you should set permissions on this file so that it is owned by superuser and is read-only (as superuser):
chown root:jabber /usr/local/etc/jabberd/server.pem
chmod 640 /usr/local/etc/jabberd/server.pem
Your certificate is now ready for use by Jabberd. You should make a backup (such as to a floppy) of your certificate.
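A check of the finished pemfile, as an added example that is not part of the original guide: it confirms that the file holds a passphrase-free private key matching the certificate, that the certificate covers your domain and has not expired, and that users outside the owner and group cannot access the file. The function name check_pemfile and the domain example.org are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a combined
# Jabberd pemfile. The function name check_pemfile is hypothetical.
# Usage: sh check_pemfile.sh /usr/local/etc/jabberd/server.pem example.org

check_pemfile() {
    pem=$1 domain=$2 rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    [ -r "$pem" ] || { echo "FAIL: cannot read $pem" >&2; return 2; }

    # A.6.3: the file must hold both the certificate and the private key.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || fail "no certificate block"
    grep -q -- 'PRIVATE KEY-----' "$pem" || fail "no private key block"

    # A.6.2: the passphrase must have been removed from the key.
    if grep -q 'ENCRYPTED' "$pem"; then
        fail "private key is still passphrase-protected"
    else
        # The key must belong to the certificate: compare their public keys.
        cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
        [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
            fail "private key does not match certificate"
    fi

    # A.6.1 note: the Common Name should be the server's domain name.
    openssl x509 -in "$pem" -noout -checkhost "$domain" 2>/dev/null |
        grep -q 'does match' || fail "certificate does not cover $domain"

    # A.6.1 note: the lifetime set with -days must not have run out.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        fail "certificate has expired"

    # A.6.5: the file holds an unencrypted key, so the "other" permission
    # bits (characters 8-10 of the ls mode string) must all be clear.
    [ "$(ls -ld "$pem" | cut -c8-10)" = "---" ] ||
        fail "file is accessible to users outside owner and group"

    return "$rc"
}

# Run the check when the script is called with a file and a domain.
if [ "$#" -eq 2 ]; then
    check_pemfile "$1" "$2"
fi
```

The function returns 0 only when every check passes and prints one FAIL line per problem otherwise.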
© 2003 Will Kamishlian and Robert Norris
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
