Artur Hefczyc <artur.hefczyc@tigase.net>
v2.0, June 2014: Reformatted for AsciiDoc.
:toc:
:numbered:
:website: http://tigase.net
:Date: 2010-04-06 21:18
A server certificate is needed when you use secure socket connections (SSL/TLS).

For a secure socket connection a proper certificate is needed. You can either generate your own self-signed certificate or obtain a certificate from a trusted third-party organization (a certificate authority).

Here are the steps to obtain a certificate from a trusted organization.
Before you can obtain or generate a server certificate you need a private key and a certificate signing request (CSR). The CSR contains essential information about you (the entity requesting the certificate) and the domain for which you want the certificate.

Generate the private key and the certificate request:

[source,bash]
----
openssl req -nodes -new -newkey rsa:2048 -keyout yourdomain.com.key -out yourdomain.com.csr
----
You will be asked a series of questions:

----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Somestate
Locality Name (eg, city) []:Your city name
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company name
Organizational Unit Name (eg, section) []:Department or any unit
Common Name (eg, YOUR name) []:*.yourdomain.com
Email Address []:your_email_address@somedomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
----

Note that a wildcard Common Name such as `*.yourdomain.com` matches `host.yourdomain.com` but not `yourdomain.com` itself, and modern TLS clients check the subjectAltName extension rather than the Common Name. If your XMPP domain is the apex domain, make sure the certificate you request lists it explicitly.

The command generates 2 files for you:

* `yourdomain.com.key` - the private key. Because of `-nodes` it is stored unencrypted, so keep it readable only by the account the server runs as.
* `yourdomain.com.csr` - the certificate signing request, which you send to the certificate authority.
There are a number of certificate providers offering certificates either for free or for money. You can use any of them; however, be aware that certificates from some providers might not be recognized by all other XMPP servers, especially if the provider is new. Here is an example list of providers:

To obtain a certificate from such a third-party authority, go to its website and request the certificate using the CSR generated above. I cannot provide any instructions for this, as each of the above providers has a different offer and a different user interface.
Another option, not recommended for production, is to use a self-signed certificate. Such a certificate is not recognized by any entity on the Internet except your own, so if another Jabber server accepts connections only from peers with a valid certificate, your installation will not be able to connect to it. On the other hand, a self-signed certificate is a very good choice for a testing environment, where you can create many artificial domains and check that your service supports many virtual domains. You can generate as many certificates as you want, load them onto your server and play around.
Tigase, version 5.0.0 and newer, automatically generates a self-signed certificate for each virtual host configured. Alternatively, such a certificate can be created by hand by running the following command with the same openssl tool as above:

[source,bash]
----
openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt
----

You can, of course, put any number of days you like in place of 365. Be aware that `openssl x509 -req` does not copy extensions from the CSR, so any subjectAltName you put in the request has to be supplied again with `-extfile` (or with `-copy_extensions copy` on OpenSSL 3.0 and newer); otherwise the self-signed certificate carries only the Common Name.
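The whole procedure on this page, key and CSR generation followed by self-signing, as an added shell example that is not part of the Tigase documentation. It goes a step beyond the interactive commands above: the subject is passed with `-subj` so it runs unattended, the request carries a subjectAltName for both the apex domain and the wildcard (because a wildcard Common Name alone does not cover the apex domain), the SAN is re-supplied at self-signing time, and a few checks an operator would run before loading the files onto the server are included. The helper function names, the placeholder subject fields, the `example.test` domain used in testing and the requirement for OpenSSL 1.1.1 or newer (for `req -addext`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Tigase documentation): key + CSR generation,
# self-signing, and verification of the result, done non-interactively.
# Assumptions: OpenSSL 1.1.1 or newer on PATH (for `req -addext`); the subject
# fields are placeholders; file names follow the yourdomain.com.key / .csr / .crt
# naming used on this page.
set -eu

# Create an unencrypted 2048-bit RSA key and a CSR for domain $1 in directory $2.
# The CSR lists both the apex domain and the wildcard in subjectAltName: a
# wildcard CN such as *.yourdomain.com does not match yourdomain.com itself,
# and current TLS clients ignore the CN once a SAN is present.
make_csr() {
    domain="$1"; dir="$2"
    openssl req -nodes -new -newkey rsa:2048 \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=AU/ST=Somestate/L=Somecity/O=Company/OU=Department/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:*.$domain" 2>/dev/null
    chmod 600 "$dir/$domain.key"   # -nodes leaves the key unencrypted: restrict access
}

# Self-sign the CSR for $3 days (test environments only). `openssl x509 -req`
# drops the CSR's extensions, so the SAN is written to a small extension file
# and supplied again through -extfile.
self_sign() {
    domain="$1"; dir="$2"; days="${3:-365}"
    printf 'subjectAltName=DNS:%s,DNS:*.%s\n' "$domain" "$domain" > "$dir/$domain.ext"
    openssl x509 -req -days "$days" -in "$dir/$domain.csr" \
        -signkey "$dir/$domain.key" -extfile "$dir/$domain.ext" \
        -out "$dir/$domain.crt" 2>/dev/null
}

# Succeed only if the public key inside certificate $2 is the one derived from
# private key $1 (catches a certificate that was issued for a different CSR).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeed only if certificate $1 carries a DNS SAN entry exactly equal to $2.
# No wildcard expansion is done on purpose, so the apex/wildcard gap stays visible.
cert_covers() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://' | grep -qxF -- "$2"
}

# A self-signed certificate fails verification against the system CA store but
# passes when the file itself is the trust anchor: the "recognized only by your
# own entities" property described above, made checkable.
trusted_only_by_itself() {
    ! openssl verify "$1" >/dev/null 2>&1 &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone use: sh certs.sh yourdomain.com [outdir]
if [ "$#" -ge 1 ]; then
    DOMAIN="$1"; OUT="${2:-.}"
    make_csr "$DOMAIN" "$OUT"
    self_sign "$DOMAIN" "$OUT" 365
    openssl x509 -noout -subject -dates -in "$OUT/$DOMAIN.crt"
    key_matches_cert "$OUT/$DOMAIN.key" "$OUT/$DOMAIN.crt" && echo "key and certificate match"
    cert_covers "$OUT/$DOMAIN.crt" "$DOMAIN" && echo "certificate covers $DOMAIN"
    trusted_only_by_itself "$OUT/$DOMAIN.crt" && echo "self-signed: trusted only where $OUT/$DOMAIN.crt is installed as a CA"
fi
```

The same `key_matches_cert` and `cert_covers` checks apply unchanged to a certificate returned by a third-party authority: run them against the CA-issued `.crt` and the `.key` you generated before loading the pair into the server, and replace the self-signed check with `openssl verify -untrusted chain.pem yourdomain.com.crt` using the intermediate chain the provider gives you.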