CA certificates are incorrectly detected as self-signed certificates

"Me too. I'm looking at server-to-server connections though.
Viewing the Server Certificates page in the admin consoles shows that I have a "CA Signed RSA" and a "CA Signed DSA" certificate.

The log files show the TLS connection is established, but no authentication mechanism is offered.
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Plain connection to <hostname deleted>:5269 successful
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Indicating we want TLS to <hostname deleted>
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Negotiating TLS with <hostname deleted>
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - TLS negotiation with <hostname deleted> was successful
2010.01.16 13:19:27 LocalOutgoingServerSession: OS - Error, EXTERNAL SASL and SERVER DIALBACK were not offered by <hostname deleted>

Looking at, I can see that for me it is walking the certificate chain and tries to find the CA certificate in my keystore. If I don't import the CA certificate in my keystore (it is in my truststore, didn't think it was needed in the keystore too) it throws an exception and the certificate is marked as self-signed. If I import the CA certificate to my keystore too, my certificate still gets marked as self-signed because the CA certificate is self-signed. When the CA cert is in my keystore, I can no longer view the "Server Certificates" page in the admin console as I get a Java exception.

Does anyone have this working? If I run it in a debugger and force my cert to be considered not self-signed everything does work. Not sure if it's a problem with my certificates or the logic in Openfire to determine if a cert is self-signed or not."
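The distinction the post is getting at, as an added Go example written for this page (not Openfire's code): a certificate is self-signed only if its issuer equals its subject and its signature verifies under its own key, whereas deciding from the top of the chain flags every CA-issued certificate, because every chain ends in a self-signed root. The test CA and wildcard leaf are constructed placeholders, and chainRootSelfSigned is my reconstruction of the logic the post describes, not the actual Openfire implementation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// isSelfSigned is the per-certificate test: issuer equals subject and the
// signature verifies under the certificate's own key.
func isSelfSigned(cert *x509.Certificate) bool {
	return bytes.Equal(cert.RawIssuer, cert.RawSubject) && cert.CheckSignatureFrom(cert) == nil
}

// chainRootSelfSigned is my reconstruction of the logic the report describes
// (assumption, not Openfire's code): decide from the top of the chain. Any
// CA-issued leaf chains to a self-signed root, so the leaf is misclassified.
func chainRootSelfSigned(chain []*x509.Certificate) bool {
	return isSelfSigned(chain[len(chain)-1])
}

// issue signs template with parentKey; parent == template gives a self-signed cert.
func issue(template, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// demoChain builds a constructed chain: wildcard leaf signed by a self-signed test CA.
func demoChain() []*x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caCert := issue(ca, ca, caKey, caKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.com"},
		DNSNames: []string{"*.example.com"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	return []*x509.Certificate{issue(leaf, caCert, leafKey, caKey), caCert}
}
```

Run against demoChain(), isSelfSigned reports true for the CA and false for the leaf, while chainRootSelfSigned reports true for the whole chain and so would mark the CA-signed leaf as self-signed.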

Daryl Herzmann
October 22, 2015, 1:14 PM

Got no updated comments, so closing. We can reopen if somebody notices that this is still an issue with current release (3.10.2)

Daryl Herzmann
February 14, 2014, 3:01 PM

Are folks still having troubles with this on the current release (3.9.1)?

Guus der Kinderen
February 6, 2013, 7:57 PM

Removing the 'fix version' for all unresolved issues that were scheduled for version 7.8.2. We're releasing this version today - the remaining issues should be rescheduled later.

Paul VanRoosendaal
June 7, 2012, 6:28 PM

I've got a wildcard cert too. I have not been able to import our cert into Openfire (v.3.7.1). We would love to see this get fixed.

Norman Schlorke
November 8, 2011, 8:34 AM

Is there a chance to get this fixed? The people using a wildcard certificate are not rare...