ichat, ssl, and godaddy cert

The entry in /etc/jabberd/c2s.xml as added by Server Admin GUI is:

<pemfile>/etc/certificates/myFQDN.crtkey</pemfile>

Also, above this entry is the chain:

<cachain>/etc/certificates/myFQDN.chcrt</cachain>

There are two "Begin" and "End" sections in the crtkey file. They appear to be matches to the individual crt and key file.

How do you determine if the file is in PEM format? I see lots of results from Google about how to change formats but not how to determine a format.

My crtkey file has the two mentioned sections:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

This is the output of the openssl command. I don't know enough about ssl certificates to know what is part of the public key and what is part of the private key. Since the file you ask me to run the command against contains both I edited the output. Where ever you see "<SNIP>", I did not know if that info should be placed in a public forum.

Oh, you will notice the 1024bit instead of 2048bit. This was a mistake on my part that will be corrected after I get these certs working. I have another cert that is 2048bit for a different host that also doesn't work with iChat.


Certificate:
Data:
Version: 3 (0x2)
Serial Number: <SNIP>
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=<SNIP>
Validity
Not Before: Jan 8 17:28:21 2008 GMT
Not After : Jan 8 17:28:21 2009 GMT
Subject: O=www.myserver.com, OU=Domain Control Validated, CN=www.myserver.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
<SNIP>
Exponent: <SNIP>
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
URI: http://certificates.godaddy.com/repository/godaddyextendedissuing.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository

Authority Information Access:
OCSP - URI: http://ocsp.godaddy.com
CA Issuers - URI: http://certificates.godaddy.com/repository/gd_intermediate.crt

X509v3 Subject Key Identifier:
<SNIP>
X509v3 Authority Key Identifier:
keyid:<SNIP>

X509v3 Subject Alternative Name:
DNS:www.myserver.com, DNS:myserver.com
Signature Algorithm: sha1WithRSAEncryption
<SNIP>
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----

Would the private key be encrypted if I did not enter a password when creating the cert?

Following your instructions unfortunately provide the same result, ichat not working with my purchased cert but working with the default cert.

Thanks for trying.

Ownership is as you show; root:certusers


<!-- Local network configuration -->
<local>
<!-- Who we identify ourselves as. This should correspond to the
ID (host) that the session manager thinks it is. You can
specify more than one to support virtual hosts, as long as you
have additional session manager instances on the network to
handle those hosts. The realm attribute specifies the auth/reg
or SASL authentication realm for the host. If the attribute is
not specified, the realm will be selected by the SASL
mechanism, or will be the same as the ID itself. Be aware that
users are assigned to a realm, not a host, so two hosts in the
same realm will have the same users.
If no realm is specified, it will be set to be the same as the
ID. -->
<!-- <id realm='company'>localhost</id> -->
<!-- IP address to bind to (default: 0.0.0.0) -->
<ip>0.0.0.0</ip>
<!-- Port to bind to, or 0 to disable unencrypted access to the
server (default: 5222) -->
<port>5222</port>
<!-- File containing a SSL certificate and private key for client
connections. If this is commented out, clients will not be
offered the STARTTLS stream extension -->
<!-- File containing an optional SSL certificate chain file for client
SSL connections. -->
<cachain>/etc/certificates/www.blueridgebingobugle.com.chcrt</cachain>
<!-- Require STARTTLS. If this is enabled, clients must do STARTTLS
before they can authenticate. Until the stream is encrypted,
all packets will be dropped. -->
<!-- Older versions of jabberd support encrypted client connections
via an additional listening socket on port 5223. If you want
this (required to allow pre-STARTTLS clients to do SSL),
uncomment this -->
<ssl-port>5223</ssl-port>
<id>www.blueridgebingobugle.com</id>
<pemfile>/etc/certificates/www.blueridgebingobugle.com.crtkey</pemfile>
<require-starttls/>
</local>

I was able to stop the ichat server from the command line but not able to start it from the command line. Commenting out the chain has now allowed me to use the signed cert. However, the ichat client pops up a warning that the cert is unknown / self signed. Progress.


Thanks.