Chapter 22. Creating and Loading the Server Certificate in pem Files

Table of Contents

Server Certificate
Certificate Request
Certificate From Other Providers
Self-Signed Certificate
Installing/Loading Certificate To the Tigase Server
PEM File
Tigase Server Configuration

Artur Hefczyc <artur.hefczyc@tigase.net>, v2.0, June 2014: Reformatted for AsciiDoc. Website: http://tigase.net. Original date: 2010-04-06 21:18.

Server Certificate

A server certificate is needed when you use secure socket connections (SSL/TLS).

For a secure socket connection a proper certificate is needed. You can either generate your own self-signed certificate or obtain a certificate from a trusted third-party organization.

Here are the steps to obtain a certificate from a trusted organization.

Certificate Request

Before you can obtain or generate a server certificate you need to have a private key and generate a certificate request, which contains essential information about you (the entity requesting the certificate) and the domain for which you want the certificate.

  1. Generate the certificate request:

    openssl req -nodes -new -newkey rsa:2048 -keyout yourdomain.com.key -out yourdomain.com.csr

    You will be asked a series of questions:

    Country Name (2 letter code) [AU]:AU
    State or Province Name (full name) [Some-State]:Somestate
    Locality Name (eg, city) []:Your city name
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company name
    Organizational Unit Name (eg, section) []:Department or any unit
    Common Name (eg, YOUR name) []:*.yourdomain.com
    Email Address []:your_email_address@somedomain.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  2. The command will generate 2 files for you:

    1. yourdomain.com.csr - the certificate request you send to the certificate provider
    2. yourdomain.com.key - your private key; keep it private and never send it to anyone

Certificate From Other Providers

There is a number of certificate providers offering certificates either for free or for money. You can use any of them, however you have to be aware that sometimes certificates might not be recognized by all other XMPP servers, especially if this is a new provider. Here is an example list of providers:

  • CAcert - free certificates with an excellent Web GUI for managing generated certificates and identities.
  • StartCom - both free and paid certificates, class 1, 2 and 3. Very good GUI for managing certificates and identities.
  • Verisign - very expensive certificates compared to the providers above, but the provider is recognized by everybody. If you have a certificate from Verisign you can be sure it is identified as a valid certificate.
  • Comodo Certificate Authority - offers different kinds of commercial certificates.

To obtain a certificate from such a third-party authority you have to go to its website and request the certificate using the certificate request generated above. I cannot provide instructions for this, as each of the providers above has a different offer and a different user interface.

Self-Signed Certificate

Another option, strongly not recommended, is to use a self-signed certificate. Such a certificate won't be recognized by any entity on the Internet but your own. So if any other Jabber server allows connections only with a valid certificate, your installation won't be able to connect. On the other hand a self-signed certificate is a very good fit for a testing environment, where you can create many artificial domains and test your service for supporting many virtual domains. You can generate as many certificates as you want, load them onto your server and play around.

Tigase, version 5.0.0 and newer, automatically generates a self-signed certificate for each virtual host configured. Alternatively such a certificate can be created by hand - just execute the following command using the same openssl tool as above:

openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt

You can, of course, put any number of days you like there. The certificate is only valid for that period; after it expires, clients and other servers will reject it and you will need to issue a new one.
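The two steps above (key plus certificate request, then self-signing for a test environment) as one non-interactive script, with the checks worth running before loading the files onto the server: that the certificate really belongs to the private key, that the Common Name is the one you asked for, and that the certificate is its own issuer. This is an added example, not part of the Tigase documentation; the domain name, output directory, validity period and subject fields are assumptions.

```shell
#!/bin/sh
# Added example, not Tigase's own code. Domain, output directory and
# validity period are assumptions and can be overridden on the command line.
set -eu

DOMAIN="${1:-yourdomain.com}"
OUTDIR="${2:-.}"
DAYS="${3:-365}"

# Step 1: private key + certificate request. -subj answers the questions
# openssl would otherwise ask interactively (constructed sample values).
gen_csr() {
    openssl req -nodes -new -newkey rsa:2048 \
        -keyout "$OUTDIR/$DOMAIN.key" -out "$OUTDIR/$DOMAIN.csr" \
        -subj "/C=AU/ST=Somestate/L=Your city name/O=Company name/OU=Department/CN=$DOMAIN" \
        2>/dev/null
    chmod 600 "$OUTDIR/$DOMAIN.key"   # the private key must stay private
}

# Step 2: self-sign the request (test environments only; nobody else trusts it).
self_sign() {
    openssl x509 -req -days "$DAYS" -in "$OUTDIR/$DOMAIN.csr" \
        -signkey "$OUTDIR/$DOMAIN.key" -out "$OUTDIR/$DOMAIN.crt" 2>/dev/null
}

# Check 1: the public key inside the certificate must match the private key.
# Both are exported as DER and compared by digest.
key_matches_cert() {
    [ -s "$OUTDIR/$DOMAIN.key" ] && [ -s "$OUTDIR/$DOMAIN.crt" ] || return 1
    k=$(openssl pkey -in "$OUTDIR/$DOMAIN.key" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$OUTDIR/$DOMAIN.crt" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: the Common Name the server will present to clients.
cert_cn() {
    openssl x509 -in "$OUTDIR/$DOMAIN.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Check 3: a self-signed certificate has identical subject and issuer hashes.
is_self_signed() {
    s=$(openssl x509 -in "$OUTDIR/$DOMAIN.crt" -noout -subject_hash)
    i=$(openssl x509 -in "$OUTDIR/$DOMAIN.crt" -noout -issuer_hash)
    [ "$s" = "$i" ]
}
```

Run it as `sh make-test-cert.sh example.test /tmp/certs 30` and then call `gen_csr; self_sign; key_matches_cert && echo "key and cert match"` from the same shell, or source the file and use the functions directly.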