Adding cert to eJabberd server

I forgot how to do this and it took a little while to figure it out again, so I have decided to put my solution here.
Security-wise there are some things to consider, in particular the step where I strip the passphrase from the key so that I don't have to enter it every time the server starts.
I do this because it's a VPS, but it isn't always optimal security-wise: anyone who can read the file can use the key.
I "solve" this problem by setting very strict permissions on the file (which you should always do anyway).

XMPP Certificate guide
You should start with the following files (I get my certs from Startcom SSL).

ssl.key
resulting from the certificate request process

ssl.crt
resulting from the certificate request process

ca.pem
available from http://www.startssl.com/certs/

sub.class1.server.ca.pem
available from http://www.startssl.com/certs/

Now you need to strip the passphrase from the key file (openssl decrypts it and writes it back unencrypted), so that we don't have to enter the password every time we start the server

openssl rsa -in ssl.key -out ssl.key

Concatenate the files into one pem file (the order is crucial here)

cat ssl.key ssl.crt sub.class1.server.ca.pem ca.pem > ejabberd.pem

Lock the file down and move it to where your server can reach it (use the colon form for chown; the old user.group form is deprecated)

chown ejabberd:ejabberd ejabberd.pem
chmod 400 ejabberd.pem
mv ejabberd.pem /opt/ejabberd/conf

Then configure and restart the server; here's the relevant excerpt from my conf (ejabberd.cfg, Erlang term syntax)

% Ordinary client-2-server service
% (the enclosing {listen, [...]}. term is shown so the excerpt parses;
%  other listeners from the full config are omitted)
{listen,
 [{5222, ejabberd_c2s,     [{access, c2s},
                            {max_stanza_size, 65536},
                            starttls, {certfile, "/opt/ejabberd/conf/ejabberd.pem"},
                            {shaper, c2s_shaper}]}
 ]}.

% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/opt/ejabberd/conf/ejabberd.pem"}.
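The assembly steps above, as an added example that is not from the original post: a small POSIX shell script that concatenates the four files in the required order, locks the bundle down, and checks it before ejabberd loads it (key first and without a passphrase, only certificates after it, mode 400, and, when openssl is available, that the key really matches the certificate). Function names are my own; the file names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: assemble ejabberd.pem in the
# order the post requires and sanity-check it before the server loads it.
# Function names are my own; file names follow the post.

# key, server cert, intermediate CA, root CA -> bundle, owner-read-only.
assemble_ejabberd_pem() {
    key="$1"; crt="$2"; sub_ca="$3"; root_ca="$4"; out="$5"
    # umask in a subshell so the bundle is never created world-readable
    ( umask 077; cat "$key" "$crt" "$sub_ca" "$root_ca" > "$out" ) || return 1
    chmod 400 "$out"
}

# 0 only if: first block is an unencrypted private key, every later block is
# a certificate, at least two certificates follow, and the mode is 400.
check_pem_layout() {
    pem="$1"
    first=$(grep -m1 '^-----BEGIN' "$pem")
    case "$first" in
        *"BEGIN ENCRYPTED PRIVATE KEY"*)
            echo "key still has a passphrase; run openssl rsa first" >&2; return 1 ;;
        *"PRIVATE KEY"*) ;;
        *) echo "private key must come first, found: $first" >&2; return 1 ;;
    esac
    # legacy PEM marks an encrypted key with a Proc-Type header instead
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "key still has a passphrase; run openssl rsa first" >&2; return 1
    fi
    if grep '^-----BEGIN' "$pem" | sed 1d | grep -qv 'BEGIN CERTIFICATE'; then
        echo "only certificates may follow the key" >&2; return 1
    fi
    [ "$(grep -c '^-----BEGIN CERTIFICATE' "$pem")" -ge 2 ] \
        || { echo "chain too short (need server cert + CA)" >&2; return 1; }
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    [ "$mode" = "400" ] || { echo "expected mode 400, got $mode" >&2; return 1; }
}

# With openssl installed: confirm the key and the first certificate belong
# together by comparing their public keys (needs real PEM data, not stand-ins).
verify_key_matches_cert() {
    pem="$1"
    k=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run the three functions in order on your real files; a non-zero exit from check_pem_layout or verify_key_matches_cert means the bundle would either fail to load or hand ejabberd a key that does not belong to the certificate.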
