If you want to federate with WaveSandbox.com then you must use CA-issued certs
The instructions below are for self-signed certificates, which the current test server, initech-corp.com, accepts; this allows easy testing of the federation protocol. The acmewave.com test server has been transitioned to accept only CA-issued certificates. CA-issued certificates are preferable because a trusted third party vouches for the binding between the domain name and the key, and in production a Wave server is expected to accept only CA-issued certificates. Changes to the test servers that affect which kind of certificate they accept will be announced on the wave-protocol mailing list.
If you want to go through the steps to generate a CA-issued certificate, the instructions are at the end of this page. A server that is set up to accept self-signed certificates will also accept CA-issued certificates, so with a CA-issued certificate you can still interoperate with both test servers.
Note that real certificates will contain a critical extension that only Wave servers should accept, to prevent them from being reused as SSL server certificates: an X.509 implementation that does not recognise a critical extension must reject the certificate, so an ordinary TLS stack will refuse a Wave-only certificate.
There is a script called make_cert.sh for generating certificates in the root directory of the repository. When you run it, you'll see roughly this:
You can answer whatever you want to all questions except the Common Name (CN) question, where you must enter the DNS name of your server.
The result is two files, test.crt and test.key. The certificate is public and can be given to anyone, in particular to those who want to check that it is a known-good certificate. test.key is your private key and must never be disclosed.
Note: The FedOne code does not support password-protected private keys. This is not a concern if you used the script supplied above, as the generated private key is not password protected.
The two outputs should match.
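The self-signed procedure above, as an added example that is not the project's make_cert.sh: a POSIX shell script that runs openssl non-interactively with the Common Name set to a constructed hostname (wave.example.com), produces the unencrypted key the server requires, and checks that key and certificate belong together by comparing the RSA modulus of each. It assumes the openssl command-line tool is installed; the hostname and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not the project's make_cert.sh: generate a self-signed
# certificate for a Wave server non-interactively and confirm that the key
# and the certificate belong together.  Assumes the openssl CLI is installed;
# the hostname and function names are illustrative.
set -eu

# make_self_signed <dns-name> <prefix>
# Writes <prefix>.key (unencrypted RSA key, which is what FedOne can load) and
# <prefix>.crt (self-signed X.509 cert) with the Common Name set to <dns-name>.
make_self_signed() {
    name="$1"; prefix="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name" \
        -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# key_matches_cert <key-file> <cert-file>
# Compares the RSA modulus in the private key with the one in the
# certificate's public key.  Succeeds only when they are identical.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || key_mod=""
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || crt_mod="x"
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# cert_cn <cert-file>: print the Common Name of the certificate's subject,
# so you can confirm it is the DNS name other Wave servers will look for.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *CN=//'
}

# Usage with a constructed hostname, in a scratch directory.
WORK=$(mktemp -d)
make_self_signed wave.example.com "$WORK/test"
key_matches_cert "$WORK/test.key" "$WORK/test.crt" && echo "key and cert match"
echo "certificate CN: $(cert_cn "$WORK/test.crt")"
```

The modulus comparison is the check to run whenever a key and certificate are paired up by hand; a mismatch means the server will present a certificate it cannot prove it owns, and the cert_cn check catches the most common mistake in the interactive script, a Common Name that is not the server's DNS name.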
Now you are done and can add the key and certificate to your Wave server and interoperate with other Wave servers that accept self-signed certificates. If you want to generate a CA-issued certificate, follow the directions in the next section.
You will need access to the email account firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org.
First generate an encrypted private key:
You will be asked for a passphrase; make sure it is at least 10 characters.
Then generate a certificate request:
You will be asked for the passphrase from above. After that you will be asked to fill in a number of details.
You can use this certificate request with your Certificate Authority of choice. Below are instructions for getting a free Class 1 CA-issued certificate from StartSSL. Using StartSSL is not required, but it is documented here because it is one of the CAs that provide free certificates. (StartSSL's operator, StartCom, was removed from the major browser root programs in 2016 and 2017 and has since stopped issuing certificates, so treat the StartSSL-specific steps as a walkthrough of the kind of process involved and substitute the CA you actually use.)
Go to https://www.startssl.com and sign in, or sign up. To sign up you will need to provide an email address that you can validate; then log out and log in again, click Authenticate, and you will be asked for the (email) certificate that was generated during the sign-up process. Go to the control panel, click the Validations Wizard and choose Domain Name Validation, where you have to validate your domain, e.g. example.com. After that, go to the Certificates Wizard and choose XMPP certificate. In the private-key generation step click "skip", and in the next step paste the certificate request generated earlier, i.e. the contents of example.com.csr. Then choose your domain, e.g. example.com, and for the subdomain enter "wave", giving wave.example.com. Click continue until you finish; you will then have your signed certificate. Save it as example.com.crt. You will also need your intermediate certificate.
Make sure to back up the private key and signed certificate (example.com.encrypted.key, example.com.crt) and put them somewhere in a
But we are not done yet. Now remove the passphrase from the private key with:
then convert the key to a different format with:
Now we have a private key we can use with the Wave in a Box server and a certificate signed by StartCom. Because the passphrase is gone, the key file is protected only by its file permissions, so make it readable by the Wave server's user alone.
You can test your certificate using the openssl command-line tool. If you obtained a CA-issued certificate for the domain example.com, you can test it with:
To enable the certificates you will need to make some changes to run-config.sh: enable certificates and add the intermediate certificate to the list of certificates:
Note: Some people have found that they need to include both sub.class1.server.pem and the ca-bundle certificate in the chain, as follows:
The order of the certificates listed in CERTIFICATE_FILENAME_LIST is important: your own certificate goes first, followed by the intermediate certificates, each one being the issuer of the certificate before it.
The check-certificates.sh script included in the FedOne source will do all of the above checks for you. Make sure run-config.sh is configured first, then run check-certificates.sh. If the certificates are valid and configured correctly you will see:
Otherwise an error message will be printed pointing to the cause of the error.
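The CA-issued procedure (encrypted key, certificate request, passphrase removal, key conversion) and the chain-order rule for CERTIFICATE_FILENAME_LIST, as one added example that is neither the project's check-certificates.sh nor the commands the page itself lists. A real StartSSL signature cannot be obtained offline, so a constructed local root and intermediate CA stand in for it. The PKCS#8 conversion is my assumption about the "different format" the page refers to; the hostname, file names, passphrase and function names are illustrative, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the project's check-certificates.sh: the CA-issued path
# (encrypted key -> CSR -> passphrase removed -> PKCS#8 key) run
# non-interactively, signed by a constructed local root + intermediate CA that
# stands in for StartSSL, then checked in the order run-config.sh expects.
# Assumes the openssl CLI; hostname, file and function names are illustrative.
set -eu

# make_csr <dns-name> <prefix> <passphrase>
# Produces <prefix>.encrypted.key, <prefix>.csr and <prefix>.pkcs8.key.  The
# final PKCS#8 conversion is an assumption about the "different format" the
# page mentions; the passphrase-free key is what FedOne can actually load.
make_csr() {
    name="$1"; prefix="$2"; pass="$3"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$prefix.encrypted.key" 2048 2>/dev/null
    openssl req -new -key "$prefix.encrypted.key" -passin "pass:$pass" \
        -subj "/CN=$name" -out "$prefix.csr" 2>/dev/null
    openssl rsa -in "$prefix.encrypted.key" -passin "pass:$pass" \
        -out "$prefix.plain.key" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$prefix.plain.key" -out "$prefix.pkcs8.key"
    chmod 600 "$prefix.plain.key" "$prefix.pkcs8.key"   # unencrypted: lock the files down
}

# make_test_ca <dir>: constructed two-level CA (a self-signed root that signs
# an intermediate), both marked CA:TRUE so that openssl verify accepts them.
make_test_ca() {
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
}

# sign_csr <csr> <ca-cert> <ca-key> <out-cert>: the step the CA does for you.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 365 \
        -out "$4" 2>/dev/null
}

# chain_in_order <own-cert> <intermediate>... [<root>]
# The CERTIFICATE_FILENAME_LIST rule: the server's own certificate first, and
# every following file must be the issuer of the one before it.
chain_in_order() {
    prev="$1"; shift
    for cert in "$@"; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$prev" | sed 's/^issuer= *//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "chain broken: $prev was issued by '$issuer' but $cert is '$subject'" >&2
            return 1
        fi
        prev="$cert"
    done
}

# verify_chain <root> <own-cert> <intermediate>...
# Builds and validates the path with openssl verify, passing the
# intermediates as untrusted links the way a peer would receive them.
verify_chain() {
    root="$1"; own="$2"; shift 2
    args=""
    for cert in "$@"; do args="$args -untrusted $cert"; done
    # shellcheck disable=SC2086  # deliberate word splitting of $args
    openssl verify -CAfile "$root" $args "$own" >/dev/null 2>&1
}

# Usage: wave.example.com obtains a certificate from the constructed CA.
WORK=$(mktemp -d)
make_test_ca "$WORK"
make_csr wave.example.com "$WORK/example.com" 'at-least-ten-characters'
sign_csr "$WORK/example.com.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/example.com.crt"
chain_in_order "$WORK/example.com.crt" "$WORK/int.crt" "$WORK/root.crt" && echo "list order OK"
verify_chain "$WORK/root.crt" "$WORK/example.com.crt" "$WORK/int.crt" && echo "chain verifies"
```

chain_in_order is the check to run against the files you put in CERTIFICATE_FILENAME_LIST: swapping the intermediate and the root, or listing an intermediate before your own certificate, breaks the issuer/subject linkage and the function reports where. verify_chain shows why the intermediate has to be shipped at all: with only the root as trust anchor and no intermediate, openssl verify cannot find the issuer of the server certificate and fails, which is the error a peer would see.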
Vega helped fix the instructions in the section "Getting a CA-issued Certificate"