Self-signed Certificates in Psi 0.12

cday #1
Member since 09/2008 · 2 posts
Group memberships: Members
Subject: Self-signed Certificates in Psi 0.12
From what I've been reading about getting self-signed certificates working with Psi 0.12, where they are permanently enabled (and you don't get the "certificate is NOT valid!" message and have to manually accept the certificate every time), you must place the certificates in the Program Files\Psi\certs directory.

Well, I've tried this and it does the same thing. I'm still warned that the certificate is invalid because it's self-signed and I need to manually accept. I've also tried the Psi\PsiData directory as the README indicates in the Psi\Certs directory.

The self-signed certificates were created using Openfire jabber server and exporting them using "keytool". I can click on the certificates in Windows and view them just like the startcom_ca.crt and startcom_ca_new.crt. They appear to be fine.

What am I doing wrong? How do I make self-signed certificates work permanently with Psi 0.12?
infiniti (Administrator) #2
Member since 09/2002 · 1459 posts · Location: California, USA
Group memberships: Administrators, Developers, Members
It sounds like you've done it right.  Are you sure the server is properly configured and is sending the same cert you've saved in Psi?

What's the server domain name?  I can try testing it myself.
-Justin
cday #3
Member since 09/2008 · 2 posts
Group memberships: Members
Quote by infiniti:
It sounds like you've done it right.  Are you sure the server is properly configured and is sending the same cert you've saved in Psi?

What's the server domain name?  I can try testing it myself.

Thanks for the offer, but it looks like I got it working! I had to do an "-rfc" command line switch to output in RFC format. For those of you wishing to do the same thing with Openfire & Psi, here is what I did:

1) Used Openfire's admin tool to generate self-signed certificates
2) Exported the certificate using "keytool" at the command line like so:
# keytool -exportcert -keystore keystore -alias mydomain.com_rsa -rfc -file jabber.crt

Openfire generates two certificates: RSA & DSA. The certificate alias is the server name with _rsa or _dsa appended. In the example above the server name (set under xmpp.domain) is "mydomain.com", hence the rsa certificate is "mydomain.com_rsa". You can list your certificates after they've been created by doing:
# keytool -keystore keystore -list

If you haven't used the keytool before then the default password will be 'changeit'. You should probably change this (as the password itself implies!). Anytime you use keytool to do an action (like exporting the certificate) you will be prompted for the password.

cheers!
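
An added example, not part of cday's post or of Psi or Openfire: `keytool -exportcert` writes binary DER unless `-rfc` is given, which produces the Base64 "BEGIN CERTIFICATE" (PEM) form. This Python sketch classifies a certificate file's encoding and normalises it to PEM before it is copied into a certs directory; the function names are hypothetical and the sample bytes are constructed, DER-shaped only, not a real certificate.

```python
import base64
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample: DER-shaped bytes (SEQUENCE tag + 2-byte length + padding),
# not a real certificate. Stands in for keytool output written without -rfc.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

def _der_length_ok(data: bytes) -> bool:
    """True if the outer ASN.1 length field covers exactly the rest of the file."""
    first = data[1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first == len(data)
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)

def cert_encoding(data: bytes) -> str:
    """Classify certificate bytes as 'pem', 'der' or 'unknown'."""
    if PEM_RE.search(data):
        return "pem"
    if len(data) > 4 and data[0] == 0x30 and _der_length_ok(data):
        return "der"
    return "unknown"

def to_pem(data: bytes) -> str:
    """Return the certificate in PEM form, converting from DER if needed."""
    kind = cert_encoding(data)
    if kind == "pem":                      # re-wrap to normalise line endings
        data = base64.b64decode(PEM_RE.search(data).group(1))
    elif kind != "der":
        raise ValueError("not a PEM or DER certificate")
    return ssl.DER_cert_to_PEM_cert(data)

if __name__ == "__main__":
    print(cert_encoding(SAMPLE_DER))
    print(to_pem(SAMPLE_DER).splitlines()[0])
```

Read the exported file in binary mode (`open(path, "rb").read()`) and pass the bytes to `cert_encoding` to see which form keytool produced.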
spike (Administrator) #4
Member since 02/2003 · 1907 posts · Location: Leuven (Belgium)
Group memberships: Administrators, Developers, Members
Quote by cday on 09-05-2008, 03:24:
(and you don't get the "certificate is NOT valid!" message and have to manually accept the certificate every time),
A quick note: in 0.13, you will get the option to accept a certificate permanently.
- Remko