Thanks! I used to have something like that here:

http://xmpp.net/issuance.shtml
http://xmpp.net/installation.shtml

But that applied back when we had a special XMPP intermediate CA through StartCom, which is no longer the case...

On 10/18/10 12:42 PM, Vega wrote:
> I combined all the instructions for the certificate generation. I still had no chance to verify that they are valid for federation, but at least they seem to work OK.
>
> --Generate encrypted private key. You will be asked for a passphrase, make sure it is at least 10 characters.
>
> openssl genrsa -des3 -out example.com.encrypted.key 2048
>
> --Generate certificate request, you will be asked for the passphrase from above. After that you will be asked to fill in a bunch of details. IMPORTANT - the Common Name should be in the form wave.example.com.
>
> openssl req -new -key example.com.encrypted.key -out example.com.csr
>
> --With this certificate you can go to https://www.startssl.com. Sign in, or sign up. To sign up you will need to provide an email that you can validate, then log out and log in again - click on Authenticate - you will be asked for the (email) certificate that was generated in the sign up process. Go to the control panel. Click on the Validations Wizard and choose Domain Name Validation, where you have to validate your domain, i.e. example.com. After that, go to the Certificates Wizard and choose XMPP certificate. In the private key generation step you should click on "skip" and in the next step paste the certificate request that was generated earlier, i.e. the contents of example.com.csr. After that proceed to choose your domain, i.e. example.com; in the subdomain you need to enter "wave", i.e. http://wave.example.com. Click on continue until finish. After that you will have your signed certificate. Save it as example.com.crt. You will also need your intermediate certificate - i.e. sub.class1.server.ca.pem - and the Certification Authority certificate - ca.pem. You can download them from the site: ToolBox -> StartCom CA Certificates.
>
> So by now you have 5 files:
>
> example.com.encrypted.key
> example.com.crt
> example.com.csr
> sub.class1.server.ca.pem
> ca.pem
>
> Make sure to backup the private key and signed certificate (example.com.encrypted.key, example.com.crt) and put them somewhere in a safe place.
>
> But we are not done yet. Now let's remove the passphrase from the private key with:
>
> openssl rsa -in example.com.encrypted.key -out example.com.nonencrypted.key
>
> --then convert the key to a different format with:
>
> openssl pkcs8 -topk8 -nocrypt -in example.com.nonencrypted.key -out example.com.key
>
> --Now we have the private key we can use with the waveinabox server and a certificate signed by StartCom.
>
> On Oct 18, 7:11 pm, Vega <[email protected]> wrote:
>> Well, I guess if someone would like to host a waveinabox server that would accept these certificates - nothing can stop him - after all the source is open :)
>>
>> On Oct 18, 6:35 pm, Peter Saint-Andre <[email protected]> wrote:
>>> On 10/18/10 9:08 AM, Vega wrote:
>>>> Is it possible to consider adding CAcert to the default trust roots? It can allow another option in addition to StartCom. Moreover CAcert is totally free and more flexible and therefore better suits the Wave nature.
>>>
>>> The point of a CA is not to be free and flexible, but to be secure.
>>>
>>> Peter
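The key, CSR and PKCS#8 steps from Vega's message, as an added shell example that is not code from the thread or from the Wave project: it runs them without prompts and adds the checks worth doing on the CSR and the resulting key. It assumes openssl is on PATH, uses example.com / wave.example.com and a constructed passphrase as sample values, and wraps the key with -aes256 where the thread used -des3.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Wave project: the key, CSR
# and PKCS#8 steps above run without prompts, plus the checks worth doing on the
# CSR and the resulting key. Assumes openssl is on PATH; example.com and the
# passphrase are constructed sample values.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-example.com}"
CN="wave.$DOMAIN"          # the thread: Common Name must be wave.<your domain>
D="$WORKDIR/$DOMAIN"       # file prefix, same naming as the thread
export KEYPASS="${KEYPASS:-constructed-passphrase-1}"   # >= 10 chars, as the thread asks

# Steps from the thread. AES-256 replaces the older -des3 wrapping; -passout/-passin
# and -subj replace the interactive prompts.
run_pipeline() {
    openssl genrsa -aes256 -passout env:KEYPASS -out "$D.encrypted.key" 2048 2>/dev/null
    openssl req -new -key "$D.encrypted.key" -passin env:KEYPASS \
        -subj "/CN=$CN" -out "$D.csr" 2>/dev/null
    # From here the key sits on disk without a passphrase: create it owner-only.
    (umask 077; openssl rsa -in "$D.encrypted.key" -passin env:KEYPASS \
        -out "$D.nonencrypted.key" 2>/dev/null)
    (umask 077; openssl pkcs8 -topk8 -nocrypt -in "$D.nonencrypted.key" -out "$D.key" 2>/dev/null)
}

# Check 1: the CSR carries the Common Name the CA will issue for.
check_csr_cn() {
    openssl req -in "$D.csr" -noout -subject | tr -d ' ' | grep -q "CN=$CN\$"
}

# Check 2: the CSR really was made from this key (identical public key in both).
check_key_matches_csr() {
    k=$(openssl pkey -in "$D.key" -pubout 2>/dev/null)
    c=$(openssl req -in "$D.csr" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: the unencrypted key is readable by its owner only.
check_key_perms() {
    [ "$(ls -l "$D.key" | cut -c2-10)" = "rw-------" ]
}

# Check 4: the converted key is unencrypted PKCS#8 and parses.
check_pkcs8() {
    [ "$(head -n 1 "$D.key")" = "-----BEGIN PRIVATE KEY-----" ] &&
        openssl pkey -in "$D.key" -noout 2>/dev/null
}

run_pipeline && check_csr_cn && check_key_matches_csr && check_key_perms && check_pkcs8 &&
    echo "key, CSR and PKCS#8 key ready under $WORKDIR"
```

The signed certificate and the StartCom chain files still come from the CA step in the thread; this script only prepares what is sent there and what the server loads afterwards.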
