On each renewal of our SSL cert I always forget how I manage to get Openfire to read a new certificate. Finally found some notes which seem to just work – credit to The_Spider on the igniterealtime.org forum for providing clear instructions.

Stop Openfire then merge your root CA with your certificate:

cat example.com.cert startssl.class2.ca > example.com.TempCert

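Convert your existing private key and new merged certificate to the PKCS12 format. (This step requires you to create an export password; I am going to use the default password, “changeit”, for simplicity.) The export password you enter here must match the -srcstorepass value in the keytool command in the next step.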

openssl pkcs12 -export -in example.com.TempCert -inkey example.com.private -out example.com.pkcs12 -name example.com

Merge your private key and cert into Openfire’s private keystore.

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /opt/openfire/resources/security/keystore -srckeystore example.com.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -alias example.com

Start Openfire.
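
A pre-flight check that can be run before stopping Openfire, as an added example that is not part of the original notes or of The_Spider's instructions: it confirms that the private key belongs to the new certificate and that the CA file names the certificate's issuer. The function names and the throwaway test PKI are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate, key and CA files.
# Function names are assumptions made for this example.

# Succeeds only if private key $2 belongs to certificate $1.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Succeeds only if certificate $1 names the first certificate in $2 as issuer.
# This is name chaining only; it does not verify the signature.
issued_by() {
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
    s=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253) || return 2
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# usage: preflight CERT KEY CA
preflight() {
    key_matches_cert "$1" "$2" || { echo "key does not match $1" >&2; return 1; }
    issued_by "$1" "$3" || { echo "$3 is not the issuer of $1" >&2; return 1; }
    echo "ok: key, certificate and CA are consistent"
}

# Constructed sample input: a throwaway CA and leaf written to directory $1.
make_constructed_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.crt &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=example.com" -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out leaf.crt ) >/dev/null 2>&1
}

# With three arguments, check real files, e.g.:
#   sh preflight.sh example.com.cert example.com.private startssl.class2.ca
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

If the issuer check fails, the wrong CA file is being concatenated in the first step and the resulting keystore entry will carry an incomplete chain.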