CertificateStoreManager should be a proper module.

src/conf/modules.xml

@@ -28,6 +28,7 @@
   <module interface="org.jivesoftware.openfire.OfflineMessageStrategy" implementation="org.jivesoftware.openfire.OfflineMessageStrategy" />
   <module interface="org.jivesoftware.openfire.OfflineMessageStore" implementation="org.jivesoftware.openfire.OfflineMessageStore" />
   <module interface="org.jivesoftware.openfire.vcard.VCardManager" implementation="org.jivesoftware.openfire.vcard.VCardManager" />
+  <module interface="org.jivesoftware.openfire.keystore.CertificateStoreManager"" implementation="org.jivesoftware.openfire.keystore.CertificateStoreManager" />
 
   <!--  Standard Modules -->  
   <module interface="org.jivesoftware.openfire.handler.IQBindHandler" implementation="org.jivesoftware.openfire.handler.IQBindHandler" />

src/java/org/jivesoftware/openfire/XMPPServer.java

@@ -373,13 +373,22 @@ public class XMPPServer {
             // Set default SASL SCRAM-SHA-1 iteration count
             JiveGlobals.setProperty("sasl.scram-sha-1.iteration-count", Integer.toString(ScramUtils.DEFAULT_ITERATION_COUNT));
 
-            // Update certificates (if required)
-            try {
             // Check if keystore (that out-of-the-box is a fallback for all keystores) already has certificates for current domain.
-                final IdentityStore storeConfig = CertificateStoreManager.getIdentityStore( ConnectionType.SOCKET_C2S );
-                storeConfig.ensureDomainCertificates( "DSA", "RSA" );
+            CertificateStoreManager certificateStoreManager = null; // Will be a module after finishing setup.
+            try {
+                certificateStoreManager = new CertificateStoreManager();
+                certificateStoreManager.initialize( this );
+                certificateStoreManager.start();
+                final IdentityStore identityStore = certificateStoreManager.getIdentityStore( ConnectionType.SOCKET_C2S );
+                identityStore.ensureDomainCertificates( "DSA", "RSA" );
             } catch (Exception e) {
                 logger.error("Error generating self-signed certificates", e);
+            } finally {
+                if (certificateStoreManager != null)
+                {
+                    certificateStoreManager.stop();
+                    certificateStoreManager.destroy();
+                }
             }
 
             // Initialize list of admins now (before we restart Jetty)
@@ -1408,6 +1417,16 @@ public class XMPPServer {
         return (InternalComponentManager) modules.get(InternalComponentManager.class.getName());
     }
 
+    /**
+     * Returns the <code>CertificateStoreManager</code> registered with this server. The
+     * <code>CertificateStoreManager</code> was registered with the server as a module while starting up
+     * the server.
+     *
+     * @return the <code>CertificateStoreManager</code> registered with this server.
+     */
+    public CertificateStoreManager getCertificateStoreManager() {
+        return (CertificateStoreManager) modules.get( CertificateStoreManager.class.getName() );
+    }
     /**
      * Returns the locator to use to find sessions hosted in other cluster nodes. When not running
      * in a cluster a <tt>null</tt> value is returned.

src/java/org/jivesoftware/openfire/clearspace/SSLProtocolSocketFactory.java

@@ -35,6 +35,7 @@ import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.HttpClientError;
 import org.apache.commons.httpclient.params.HttpConnectionParams;
 import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.CertificateStoreManager;
 import org.jivesoftware.openfire.spi.ConnectionType;
 import org.slf4j.Logger;
@@ -70,7 +71,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
                             new ClearspaceX509TrustManager(
                                     host,
                                     manager.getProperties(),
-                                    CertificateStoreManager.getTrustStore( ConnectionType.SOCKET_S2S ).getStore() )
+                                    XMPPServer.getInstance().getCertificateStoreManager().getTrustStore( ConnectionType.SOCKET_S2S ).getStore() )
                     },
                     null);
             return context;

src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java

@@ -141,7 +141,7 @@ public class AdminConsolePlugin implements Plugin {
         // Create a connector for https traffic if it's enabled.
         sslEnabled = false;
         try {
-            final IdentityStore identityStore = CertificateStoreManager.getIdentityStore( ConnectionType.WEBADMIN );
+            final IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.WEBADMIN );
             if (adminSecurePort > 0 )
             {
                 if ( identityStore.getAllCertificates().isEmpty() )

src/java/org/jivesoftware/openfire/http/HttpBindManager.java

@@ -248,7 +248,7 @@ public final class HttpBindManager {
     private void createSSLConnector(int securePort, int bindThreads) {
         httpsConnector = null;
         try {
-            final IdentityStore identityStore = CertificateStoreManager.getIdentityStore( ConnectionType.BOSH_C2S );
+            final IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.BOSH_C2S );
 
             if (securePort > 0 && identityStore.getStore().aliases().hasMoreElements() ) {
                 if ( !identityStore.containsDomainCertificate( "RSA" ) ) {

src/java/org/jivesoftware/openfire/keystore/CertificateStoreManager.java

 package org.jivesoftware.openfire.keystore;
 
 import org.jivesoftware.openfire.XMPPServer;
+import org.jivesoftware.openfire.container.BasicModule;
 import org.jivesoftware.openfire.spi.ConnectionListener;
 import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
 import org.jivesoftware.openfire.spi.ConnectionType;
@@ -19,7 +20,7 @@ import java.util.concurrent.ConcurrentMap;
  */
 // TODO Code duplication should be reduced.
 // TODO Allow changing the store type.
-public class CertificateStoreManager
+public class CertificateStoreManager extends BasicModule
 {
     private final static Logger Log = LoggerFactory.getLogger( CertificateStoreManager.class );
 
@@ -28,17 +29,16 @@ public class CertificateStoreManager
     private final ConcurrentMap<CertificateStoreConfiguration, IdentityStore>  identityStores      = new ConcurrentHashMap<>();
     private final ConcurrentMap<CertificateStoreConfiguration, TrustStore>     trustStores         = new ConcurrentHashMap<>();
 
-    private static CertificateStoreManager INSTANCE;
-
-    static synchronized CertificateStoreManager getInstance( ) {
-        if (INSTANCE == null) {
-            INSTANCE = new CertificateStoreManager();
-        }
-        return INSTANCE;
+    public CertificateStoreManager( )
+    {
+        super( "Certificate Store Manager" );
     }
 
-    private CertificateStoreManager( )
+    @Override
+    public synchronized void initialize( XMPPServer server )
     {
+        super.initialize( server );
+
         for ( ConnectionType type : ConnectionType.values() )
         {
             try
@@ -73,21 +73,29 @@ public class CertificateStoreManager
         }
     }
 
-    public static IdentityStore getIdentityStore( ConnectionType type )
+    @Override
+    public synchronized void destroy()
     {
-        final CertificateStoreManager manager = getInstance();
-        final CertificateStoreConfiguration configuration = manager.typeToIdentityStore.get( type );
-        return manager.identityStores.get( configuration );
+        typeToIdentityStore.clear();
+        typeToTrustStore.clear();
+        identityStores.clear();
+        trustStores.clear();
+        super.destroy();
     }
 
-    public static TrustStore getTrustStore( ConnectionType type )
+    public IdentityStore getIdentityStore( ConnectionType type )
     {
-        final CertificateStoreManager manager = getInstance();
-        final CertificateStoreConfiguration configuration = manager.typeToTrustStore.get( type );
-        return manager.trustStores.get( configuration );
+        final CertificateStoreConfiguration configuration = typeToIdentityStore.get( type );
+        return identityStores.get( configuration );
     }
 
-    public static void replaceIdentityStore( ConnectionType type, CertificateStoreConfiguration configuration ) throws CertificateStoreConfigException
+    public TrustStore getTrustStore( ConnectionType type )
+    {
+        final CertificateStoreConfiguration configuration = typeToTrustStore.get( type );
+        return trustStores.get( configuration );
+    }
+
+    public void replaceIdentityStore( ConnectionType type, CertificateStoreConfiguration configuration ) throws CertificateStoreConfigException
     {
         if ( type == null)
         {
@@ -98,27 +106,25 @@ public class CertificateStoreManager
             throw new IllegalArgumentException( "Argument 'configuration' cannot be null." );
         }
 
-        final CertificateStoreManager manager = getInstance();
-
-        final CertificateStoreConfiguration oldConfig = manager.typeToIdentityStore.get( type ); // can be null if persisted properties are invalid
+        final CertificateStoreConfiguration oldConfig = typeToIdentityStore.get( type ); // can be null if persisted properties are invalid
 
         if ( oldConfig == null || !oldConfig.equals( configuration ) )
         {
             // If the new store is not already being used by any other type, it'll need to be registered.
-            if ( !manager.identityStores.containsKey( configuration ) )
+            if ( !identityStores.containsKey( configuration ) )
             {
                 // This constructor can throw an exception. If it does, the state of the manager should not have already changed.
                 final IdentityStore store = new IdentityStore( configuration, true );
-                manager.identityStores.put( configuration, store );
+                identityStores.put( configuration, store );
             }
 
-            manager.typeToIdentityStore.put( type, configuration );
+            typeToIdentityStore.put( type, configuration );
 
 
             // If the old store is not used by any other type, it can be shut down.
-            if ( oldConfig != null && !manager.typeToIdentityStore.containsValue( oldConfig ) )
+            if ( oldConfig != null && !typeToIdentityStore.containsValue( oldConfig ) )
             {
-                manager.identityStores.remove( oldConfig );
+                identityStores.remove( oldConfig );
             }
 
             // Update all connection listeners that were using the old configuration.
@@ -137,7 +143,7 @@ public class CertificateStoreManager
         JiveGlobals.setProperty( type.getPrefix() + "keypass", new String( configuration.getPassword() ) );
     }
 
-    public static void replaceTrustStore( ConnectionType type, CertificateStoreConfiguration configuration ) throws CertificateStoreConfigException
+    public void replaceTrustStore( ConnectionType type, CertificateStoreConfiguration configuration ) throws CertificateStoreConfigException
     {
         if ( type == null)
         {
@@ -148,27 +154,25 @@ public class CertificateStoreManager
             throw new IllegalArgumentException( "Argument 'configuration' cannot be null." );
         }
 
-        final CertificateStoreManager manager = getInstance();
-
-        final CertificateStoreConfiguration oldConfig = manager.typeToTrustStore.get( type ); // can be null if persisted properties are invalid
+        final CertificateStoreConfiguration oldConfig = typeToTrustStore.get( type ); // can be null if persisted properties are invalid
 
         if ( oldConfig == null || !oldConfig.equals( configuration ) )
         {
             // If the new store is not already being used by any other type, it'll need to be registered.
-            if ( !manager.trustStores.containsKey( configuration ) )
+            if ( !trustStores.containsKey( configuration ) )
             {
                 // This constructor can throw an exception. If it does, the state of the manager should not have already changed.
                 final TrustStore store = new TrustStore( configuration, true );
-                manager.trustStores.put( configuration, store );
+                trustStores.put( configuration, store );
             }
 
-            manager.typeToTrustStore.put( type, configuration );
+            typeToTrustStore.put( type, configuration );
 
 
             // If the old store is not used by any other type, it can be shut down.
-            if ( oldConfig != null && !manager.typeToTrustStore.containsValue( oldConfig ) )
+            if ( oldConfig != null && !typeToTrustStore.containsValue( oldConfig ) )
             {
-                manager.trustStores.remove( oldConfig );
+                trustStores.remove( oldConfig );
             }
 
             // Update all connection listeners that were using the old configuration.
@@ -188,7 +192,7 @@ public class CertificateStoreManager
         JiveGlobals.setProperty( type.getPrefix() + "trustpass", new String( configuration.getPassword() )  );
     }
 
-    public static CertificateStoreConfiguration getIdentityStoreConfiguration( ConnectionType type ) throws IOException
+    public CertificateStoreConfiguration getIdentityStoreConfiguration( ConnectionType type ) throws IOException
     {
         // Getting individual properties might use fallbacks. It is assumed (but not asserted) that each property value
         // is obtained from the same connectionType (which is either the argument to this method, or one of its
@@ -201,7 +205,7 @@ public class CertificateStoreManager
         return new CertificateStoreConfiguration( keyStoreType, file, password.toCharArray() );
     }
 
-    public static CertificateStoreConfiguration getTrustStoreConfiguration( ConnectionType type ) throws IOException
+    public CertificateStoreConfiguration getTrustStoreConfiguration( ConnectionType type ) throws IOException
     {
         // Getting individual properties might use fallbacks. It is assumed (but not asserted) that each property value
         // is obtained from the same connectionType (which is either the argument to this method, or one of its

src/java/org/jivesoftware/openfire/net/SASLAuthentication.java

@@ -656,9 +656,10 @@ public class SASLAuthentication {
     }
 
     public static boolean verifyCertificates(Certificate[] chain, String hostname, boolean isS2S) {
+        final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
         final ConnectionType connectionType = isS2S ? ConnectionType.SOCKET_S2S : ConnectionType.SOCKET_C2S;
-        final KeyStore keyStore   = CertificateStoreManager.getIdentityStore( connectionType ).getStore();
-        final KeyStore trustStore = CertificateStoreManager.getTrustStore( connectionType ).getStore();
+        final KeyStore keyStore   = certificateStoreManager.getIdentityStore( connectionType ).getStore();
+        final KeyStore trustStore = certificateStoreManager.getTrustStore( connectionType ).getStore();
         final X509Certificate trusted = CertificateManager.getEndEntityCertificate( chain, keyStore, trustStore );
         if (trusted != null) {
             return verifyCertificate(trusted, hostname);

src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java

@@ -34,6 +34,7 @@ import org.dom4j.io.XMPPPacketReader;
 import org.jivesoftware.openfire.Connection;
 import org.jivesoftware.openfire.SessionManager;
 import org.jivesoftware.openfire.StreamID;
+import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.auth.UnauthorizedException;
 import org.jivesoftware.openfire.keystore.CertificateStoreManager;
 import org.jivesoftware.openfire.net.SASLAuthentication;
@@ -153,7 +154,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
 	                            Connection.TLSPolicy.required;
 	            boolean hasCertificates = false;
 	            try {
-	                hasCertificates = CertificateStoreManager.getIdentityStore( ConnectionType.SOCKET_S2S ).getStore().size() > 0;
+	                hasCertificates = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_S2S ).getStore().size() > 0;
 	            }
 	            catch (Exception e) {
 	                Log.error(e.getMessage(), e);
@@ -374,7 +375,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
         	usingSelfSigned = true;
         } else {
         	try {
-                final KeyStore keyStore = CertificateStoreManager.getIdentityStore( ConnectionType.SOCKET_S2S ).getStore();
+                final KeyStore keyStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_S2S ).getStore();
 				usingSelfSigned = CertificateManager.isSelfSignedCertificate(keyStore, (X509Certificate) chain[0]);
 			} catch (KeyStoreException ex) {
 				Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);

src/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java

@@ -3,6 +3,7 @@ package org.jivesoftware.openfire.spi;
 import org.apache.mina.filter.ssl.SslFilter;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.jivesoftware.openfire.Connection;
+import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -375,8 +376,9 @@ public class ConnectionConfiguration
         this.cipherSuitesEnabled = Collections.unmodifiableSet( suitesEnabled );
         this.cipherSuitesDisabled = Collections.unmodifiableSet( cipherSuitesDisabled );
 
-        this.identityStore = CertificateStoreManager.getIdentityStore( type );
-        this.trustStore = CertificateStoreManager.getTrustStore( type );
+        final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
+        this.identityStore = certificateStoreManager.getIdentityStore( type );
+        this.trustStore = certificateStoreManager.getTrustStore( type );
 
         this.Log = LoggerFactory.getLogger( this.getClass().getName() + "["+port+"-"+type+"]" );
     }

src/java/org/jivesoftware/openfire/spi/ConnectionManagerImpl.java

@@ -85,6 +85,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
             Log.warn( "Unable to resolve bind address: ", e );
         }
 
+        final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
+        
         // client-to-server
         clientListener = new ConnectionListener(
                 ConnectionType.SOCKET_C2S,
@@ -96,8 +98,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 ConnectionSettings.Client.TLS_POLICY,
                 ConnectionSettings.Client.AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_C2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_C2S )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_C2S ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_C2S )
         );
         clientSslListener = new ConnectionListener(
                 ConnectionType.SOCKET_C2S,
@@ -109,8 +111,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 Connection.TLSPolicy.legacyMode.name(), // force legacy mode
                 ConnectionSettings.Client.AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_C2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_C2S )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_C2S ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_C2S )
         );
         // BOSH / HTTP-bind
         boshListener = new ConnectionListener(
@@ -123,8 +125,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 Connection.TLSPolicy.disabled.name(), // StartTLS over HTTP? Should use boshSslListener instead.
                 HttpBindManager.HTTP_BIND_AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.BOSH_C2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.BOSH_C2S )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.BOSH_C2S ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.BOSH_C2S )
         );
         boshSslListener = new ConnectionListener(
                 ConnectionType.BOSH_C2S,
@@ -136,8 +138,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 Connection.TLSPolicy.legacyMode.name(),
                 HttpBindManager.HTTP_BIND_AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.BOSH_C2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.BOSH_C2S )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.BOSH_C2S ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.BOSH_C2S )
         );
         // server-to-server (federation)
         serverListener = new ConnectionListener(
@@ -150,8 +152,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 ConnectionSettings.Server.TLS_POLICY,
                 ConnectionSettings.Server.AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_S2S ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_S2S )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.SOCKET_S2S ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.SOCKET_S2S )
         );
         // external components (XEP 0114)
         componentListener = new ConnectionListener(
@@ -164,8 +166,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 ConnectionSettings.Component.TLS_POLICY,
                 ConnectionSettings.Component.AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.COMPONENT ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.COMPONENT )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.COMPONENT ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.COMPONENT )
         );
         componentSslListener = new ConnectionListener(
                 ConnectionType.COMPONENT,
@@ -177,8 +179,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 Connection.TLSPolicy.legacyMode.name(), // force legacy mode
                 ConnectionSettings.Component.AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.COMPONENT ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.COMPONENT )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.COMPONENT ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.COMPONENT )
         );
 
         // Multiplexers (our propertietary connection manager implementation)
@@ -192,8 +194,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 ConnectionSettings.Multiplex.TLS_POLICY,
                 ConnectionSettings.Multiplex.AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.CONNECTION_MANAGER ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.CONNECTION_MANAGER )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.CONNECTION_MANAGER ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.CONNECTION_MANAGER )
         );
         connectionManagerSslListener = new ConnectionListener(
                 ConnectionType.CONNECTION_MANAGER,
@@ -205,8 +207,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 Connection.TLSPolicy.legacyMode.name(), // force legacy mode
                 ConnectionSettings.Multiplex.AUTH_PER_CLIENTCERT_POLICY,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.CONNECTION_MANAGER ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.CONNECTION_MANAGER )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.CONNECTION_MANAGER ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.CONNECTION_MANAGER )
         );
 
         // Admin console (the Openfire web-admin) // TODO these use the XML properties instead of normal properties!
@@ -220,8 +222,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 Connection.TLSPolicy.disabled.name(), // StartTLS over HTTP? Should use webAdminSslListener instead.
                 null,
                 bindAddress,
-            CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.WEBADMIN ),
-            CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.WEBADMIN )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.WEBADMIN ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.WEBADMIN )
         );
 
         webAdminSslListener = new ConnectionListener(
@@ -234,8 +236,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                 Connection.TLSPolicy.legacyMode.name(),
                 null,
                 bindAddress,
-                CertificateStoreManager.getIdentityStoreConfiguration( ConnectionType.WEBADMIN ),
-                CertificateStoreManager.getTrustStoreConfiguration( ConnectionType.WEBADMIN )
+                certificateStoreManager.getIdentityStoreConfiguration( ConnectionType.WEBADMIN ),
+                certificateStoreManager.getTrustStoreConfiguration( ConnectionType.WEBADMIN )
         );
 
     }

src/resources/jar/admin-sidebar.xml

@@ -141,28 +141,99 @@
                   url="security-certificate-store-management.jsp"
                   description="Manage Openfire Certificate stores">
 
+                <sidebar id="sidebar-certificate-store-socket-c2s" name="${sidebar.client-connections-settings}">
+
+                    <item id="sidebar-certificate-store-SOCKET_C2S-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=SOCKET_C2S"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+
+                    <item id="sidebar-certificate-store-SOCKET_C2S-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=SOCKET_C2S"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+
+                </sidebar>
+
+                <sidebar id="sidebar-certificate-store-socket-s2s" name="${sidebar.server2server-settings}">
+
+                    <item id="sidebar-certificate-store-SOCKET_S2S-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=SOCKET_S2S"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+
+                    <item id="sidebar-certificate-store-SOCKET_S2S-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=SOCKET_S2S"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+
+                </sidebar>
+
+                <sidebar id="sidebar-certificate-store-bosh-c2s" name="${sidebar.http-bind}">
+
+                    <item id="sidebar-certificate-store-BOSH_C2S-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=BOSH_C2S"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+
+                    <item id="sidebar-certificate-store-BOSH_C2S-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=BOSH_C2S"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+
+                </sidebar>
+
+                <sidebar id="sidebar-certificate-store-component" name="${sidebar.external-components-settings}">
+
+                    <item id="sidebar-certificate-store-COMPONENT-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=COMPONENT"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+
+                    <item id="sidebar-certificate-store-COMPONENT-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=COMPONENT"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+
+                </sidebar>
+
+                <sidebar id="sidebar-certificate-store-connection-manager" name="${sidebar.connection-managers-settings}">
+
+                    <item id="sidebar-certificate-store-CONNECTION_MANAGER-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=CONNECTION_MANAGER"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+
+                    <item id="sidebar-certificate-store-CONNECTION_MANAGER-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=CONNECTION_MANAGER"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+
+                </sidebar>
+
+                <sidebar id="sidebar-certificate-store-webadmin" name="${admin.console}">
+
+                    <item id="sidebar-certificate-store-WEBADMIN-identity-store" name="Identity Store"
+                          url="security-keystore.jsp?connectionType=WEBADMIN"
+                          description="Contains key and certificate that serve as identification of Openfire."/>
+
+                    <item id="sidebar-certificate-store-WEBADMIN-trust-store" name="Trust Store"
+                          url="security-truststore.jsp?connectionType=WEBADMIN"
+                          description="Contains certificates that are used to verify the identity of peers."/>
+
+                </sidebar>
                 <!--&lt;!&ndash; Certificate key stores ("Openfire Certificates") &ndash;&gt;-->
             <!--<item id="sidebar-certificates-keys" name="${sidebar.sidebar-certificates-keys}"-->
                     <!--url="security-keystore.jsp">-->
 
-                <sidebar id="sidebar-certificates-keys-submenu" name="${sidebar.sidebar-certificates-keys-submenu}">
+                <!--<sidebar id="sidebar-certificates-keys-submenu" name="${sidebar.sidebar-certificates-keys-submenu}">-->
 
-                    <!-- Socket Server Certificates -->
-                    <item id="security-keystore-socket" name="${sidebar.security-keystore-socket}"
-                          url="security-keystore.jsp?connectivityType=socket"
-                          description="${sidebar.security-keystore-socket.descr}"/>
+                    <!--&lt;!&ndash; Socket Server Certificates &ndash;&gt;-->
+                    <!--<item id="security-keystore-socket" name="${sidebar.security-keystore-socket}"-->
+                          <!--url="security-keystore.jsp?connectivityType=socket"-->
+                          <!--description="${sidebar.security-keystore-socket.descr}"/>-->
 
-                    <!-- BOSH Server Certificates -->
-                    <item id="security-keystore-bosh" name="${sidebar.security-keystore-bosh}"
-                          url="security-keystore.jsp?connectivityType=bosh"
-                          description="${sidebar.security-keystore-bosh.descr}"/>
+                    <!--&lt;!&ndash; BOSH Server Certificates &ndash;&gt;-->
+                    <!--<item id="security-keystore-bosh" name="${sidebar.security-keystore-bosh}"-->
+                          <!--url="security-keystore.jsp?connectivityType=bosh"-->
+                          <!--description="${sidebar.security-keystore-bosh.descr}"/>-->
 
-                    <!-- Administrative Server Certificates -->
-                    <item id="security-keystore-administrative" name="${sidebar.security-keystore-administrative}"
-                          url="security-keystore.jsp?connectivityType=administrative"
-                          description="${sidebar.security-keystore-administrative.descr}"/>
+                    <!--&lt;!&ndash; Administrative Server Certificates &ndash;&gt;-->
+                    <!--<item id="security-keystore-administrative" name="${sidebar.security-keystore-administrative}"-->
+                          <!--url="security-keystore.jsp?connectivityType=administrative"-->
+                          <!--description="${sidebar.security-keystore-administrative.descr}"/>-->
 
-                </sidebar>
+                <!--</sidebar>-->
 
             </item>
 

src/web/import-keystore-certificate.jsp

 <%@ page errorPage="error.jsp" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager" %>
 <%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
@@ -42,7 +41,7 @@
         }
         if (errors.isEmpty()) {
             try {
-                final IdentityStore identityStore = CertificateStoreManager.getIdentityStore( storeConnectionType );
+                final IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( storeConnectionType );
 
                 // Create an alias for the signed certificate
                 String domain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();

src/web/import-truststore-certificate.jsp

 <%@ page errorPage="error.jsp"%>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager"%>
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
+<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -33,7 +33,7 @@
 
     if (save && errors.isEmpty())
     {
-        final TrustStore trustStoreConfig = CertificateStoreManager.getTrustStore( storeConnectionType );
+        final TrustStore trustStoreConfig = XMPPServer.getInstance().getCertificateStoreManager().getTrustStore( storeConnectionType );
 
         if (alias == null || "".equals(alias))
         {

src/web/index.jsp

@@ -32,7 +32,6 @@
 <%@ page import="org.jivesoftware.openfire.container.AdminConsolePlugin" %>
 <%@ page import="org.jivesoftware.openfire.filetransfer.proxy.FileTransferProxy" %>
 <%@ page import="org.jivesoftware.openfire.http.HttpBindManager" %>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager" %>
 <%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
 <%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxyService" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionListener" %>
@@ -243,7 +242,7 @@
                     <fmt:message key="index.server_name" />
                 </td>
                 <td class="c2">
-                    <% final IdentityStore identityStore = CertificateStoreManager.getIdentityStore( ConnectionType.SOCKET_C2S ); %>
+                    <% final IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_C2S ); %>
                     <% try { %>
                     <% if (!identityStore.containsDomainCertificate( "RSA" )) {%>
                     <img src="images/warning-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="index.certificate-warning" />" title="<fmt:message key="index.certificate-warning" />">&nbsp;

src/web/security-certificate-details.jsp

@@ -9,6 +9,7 @@
 <%@ page import="java.security.cert.X509Certificate" %>
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.Map" %>
+<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -43,11 +44,12 @@
     {
         try
         {
+            final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
             final CertificateStore store;
             if (isTrustStore) {
-                store = CertificateStoreManager.getTrustStore( storeConnectionType );
+                store = certificateStoreManager.getTrustStore( storeConnectionType );
             } else {
-                store = CertificateStoreManager.getIdentityStore( storeConnectionType );
+                store = certificateStoreManager.getIdentityStore( storeConnectionType );
             }
 
             // Get the certificate

src/web/security-certificate-store-management.jsp

 <%@ page errorPage="error.jsp"%>
->
-<%@ page import="java.util.HashMap" %>
+<%@ page import="org.jivesoftware.util.ParamUtils" %>
 <%@ page import="java.util.Map" %>
-
+<%@ page import="java.util.HashMap" %>
+<%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
+<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager" %>
+<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
 
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
-<%  webManager.init( request, response, session, application, out );
+<jsp:useBean id="now" class="java.util.Date"/>
+<%  webManager.init(request, response, session, application, out );
 
-    // Read parameters
-    final boolean save                       = request.getParameter("save") != null;
-    // TODO actually save something!
-
-    // Pre-update property values
     final Map<String, String> errors = new HashMap<>();
-
     pageContext.setAttribute( "errors", errors );
+    pageContext.setAttribute( "connectionTypes", ConnectionType.values() );
+    pageContext.setAttribute( "certificateStoreManager", XMPPServer.getInstance().getCertificateStoreManager());
 %>
-
 <html>
 <head>
     <title>Certificate Stores</title>
     <meta name="pageID" content="security-certificate-store-management"/>
 </head>
-<>
 
 <c:forEach var="err" items="${errors}">
     <admin:infobox type="error">
+        <c:choose>
+            <!--Use the template below for specific error messages. -->
+            <c:when test="${err.key eq 'template'}">
+                An unexpected error occurred.
+            </c:when>
+            <c:otherwise>
                 <c:if test="${not empty err.value}">
                     <fmt:message key="admin.error"/>: <c:out value="${err.value}"/>
                 </c:if>
                 (<c:out value="${err.key}"/>)
+            </c:otherwise>
+        </c:choose>
     </admin:infobox>
 </c:forEach>
 
-<c:if test="${param.success}">
-    <admin:infobox type="success">Settings Updated Successfully</admin:infobox>
-</c:if>
-<c:if test="${param.noChange}">
-    <admin:infobox type="info">The provided settings were no different than before. Nothing changed.</admin:infobox>
-</c:if>
-
 <p>
     Certificates are used (through TLS and SSL protocols) to establish secure connections between servers and clients.
     When a secured connection is being created, parties can retrieve a certificate from the other party and (amongst
@@ -66,24 +64,17 @@
 <p>
     This section of the admin panel is dedicated to management of the various key and trust stores that act as
     repositories for sets of security certificates. By default, a small set of stores is re-used for various purposes,
-    but Openfire allows you to configure a distinct set of stores for each type. To do so, please change the store
-    locations below.
+    but Openfire allows you to configure a distinct set of stores for each connection type.
 </p>
 
-<form action="security-certificate-store-management.jsp" method="post">
+<c:forEach items="${connectionTypes}" var="connectionType">
 
-    <div class="jive-contentBoxHeader">
-        Regular XMPP connection Stores
-    </div>
-    <div class="jive-contentBox">
+    <c:set var="trustStore" value="${certificateStoreManager.
+    <admin:contentBox title="XMPP Client Connection Stores">
         <p>
-            These stores are used for regular, TCP-based XMPP communication. Three stores are provided: one identity store
-            and two trust stores. One of the trust stores applies to server-to-server federation. The other trust store
-            applies to the optional client-based mutual authentication feature in Openfire.
-        </p>
-        <p>
-            Openfire ships with an empty client trust store, as in typical environments, certificate-based authentication of
-            clients is not required.
+            These stores are used for regular, TCP-based client-to-server XMPP communication. Two stores are provided:
+            one identity store and a trust store. Openfire ships with an empty client trust store, as in typical
+            environments, certificate-based authentication of clients is not required.
         </p>
 
         <table cellpadding="0" cellspacing="0" border="0">
@@ -91,21 +82,19 @@
             <tr>
                 <td><label for="loc-key-socket">Identity Store:</label></td>
                 <td><input id="loc-key-socket" name="loc-key-socket" type="text" size="40" value="${locKeySocket}"/></td>
-                    <td><a href="security-keystore.jsp?storeConnectionType=SOCKETBASED_IDENTITYSTORE">Manage Store Contents</a></td>
-                </tr>
-                <tr>
-                    <td><label for="loc-trust-socket-s2s">Server Trust Store:</label></td>
-                    <td><input id="loc-trust-socket-s2s" name="loc-trust-socket-s2s" type="text" size="40" value="${locTrustSocketS2S}"/></td>
-                    <td><a href="security-truststore.jsp?storeConnectionType=SOCKETBASED_S2S_TRUSTSTORE">Manage Store Contents</a></td>
+                <td><a href="security-keystore.jsp?connectionType=${connectionType}">Manage Store Contents</a></td>
             </tr>
             <tr>
-                    <td><label for="loc-trust-socket-c2s">Client Trust Store:</label></td>
+                <td><label for="loc-trust-socket-c2s">Trust Store:</label></td>
                 <td><input id="loc-trust-socket-c2s" name="loc-trust-socket-c2s" type="text" size="40" value="${locTrustSocketC2S}"/></td>
-                    <td><a href="security-truststore.jsp?storeConnectionType=SOCKETBASED_C2S_TRUSTSTORE">Manage Store Contents</a></td>
+                <td><a href="security-truststore.jsp?storeConnectionType=${connectionType}">Manage Store Contents</a></td>
             </tr>
             </tbody>
         </table>
-    </div>
+
+    </admin:contentBox>
+
+</c:forEach>
 
     <div class="jive-contentBoxHeader">
         BOSH (HTTP Binding) connection Stores
@@ -188,8 +177,8 @@
         </table>
     </div>
 
-    <!-- TODO enable me <input type="submit" name="save" value="<fmt:message key="global.save_settings" />"> -->
 </form>
+-->
 
 </body>
 </html>

src/web/security-keystore.jsp

@@ -2,7 +2,6 @@
 
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.container.AdminConsolePlugin" %>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager" %>
 <%@ page import="org.jivesoftware.openfire.keystore.IdentityStore" %>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
@@ -15,6 +14,7 @@
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
 
 <jsp:useBean id="now" class="java.util.Date"/>
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager"/>
@@ -25,16 +25,16 @@
     final boolean delete            = ParamUtils.getBooleanParameter(request, "delete");
     final boolean importReply       = ParamUtils.getBooleanParameter(request, "importReply");
     final String alias              = ParamUtils.getParameter( request, "alias" );
-    final String storePurposeText = ParamUtils.getParameter( request, "storeConnectionType" );
+    final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
 
-    final Map<String, String> errors = new HashMap<String, String>();
+    final Map<String, String> errors = new HashMap<>();
 
-    ConnectionType storeConnectionType = null;
+    ConnectionType connectionType = null;
     IdentityStore identityStore = null;
     try
     {
-        storeConnectionType = ConnectionType.valueOf( storePurposeText );
-        identityStore = CertificateStoreManager.getIdentityStore( storeConnectionType );
+        connectionType = ConnectionType.valueOf( connectionTypeText );
+        identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( connectionType );
         if ( identityStore == null )
         {
             errors.put( "identityStore", "Unable to get an instance." );
@@ -42,15 +42,15 @@
     }
     catch (RuntimeException ex)
     {
-        errors.put( "storeConnectionType", ex.getMessage() );
+        errors.put( "connectionType", ex.getMessage() );
     }
 
     if ( errors.isEmpty() )
     {
-        pageContext.setAttribute( "storeConnectionType", storeConnectionType );
+        pageContext.setAttribute( "connectionType", connectionType );
         pageContext.setAttribute( "identityStore", identityStore );
 
-        final Set<ConnectionType> sameStoreConnectionTypes = Collections.EMPTY_SET; // TODO FIXME: SSLConfig.getInstance().getOtherPurposesForSameStore( storeConnectionType );
+        final Set<ConnectionType> sameStoreConnectionTypes = Collections.EMPTY_SET; // TODO FIXME: SSLConfig.getInstance().getOtherPurposesForSameStore( connectionType );
         pageContext.setAttribute( "sameStoreConnectionTypes", sameStoreConnectionTypes );
 
         final Map<String, X509Certificate> certificates = identityStore.getAllCertificates();
@@ -72,8 +72,8 @@
                     identityStore.delete( alias );
 
                     // Log the event
-                    webManager.logEvent( "deleted SSL cert from " + storePurposeText + " with alias " + alias, null );
-                    response.sendRedirect( "security-keystore.jsp?storeConnectionType=" + storePurposeText + "&deletesuccess=true" );
+                    webManager.logEvent( "deleted SSL cert from " + connectionType + " with alias " + alias, null );
+                    response.sendRedirect( "security-keystore.jsp?connectionType=" + connectionType+ "&deletesuccess=true" );
                     return;
                 }
                 catch ( Exception e )
@@ -141,13 +141,13 @@
 <html>
     <head>
         <title><fmt:message key="ssl.certificates.keystore.title"/></title>
-        <meta name="pageID" content="security-keystore"/>
+        <meta name="subPageID" content="sidebar-certificate-store-${fn:toLowerCase(connectionType)}-identity-store"/>
     </head>
     <body>
         <c:if test="${restartNeeded}">
             <admin:infobox type="warning">
                 <fmt:message key="ssl.certificates.keystore.restart_server">
-                    <fmt:param value="<a href='server-restart.jsp?page=security-keystore.jsp&storeConnectionType=${storeConnectionType}'>"/>
+                    <fmt:param value="<a href='server-restart.jsp?page=security-keystore.jsp&connectionType=${connectionType}'>"/>
                     <fmt:param value="</a>"/>
                 </fmt:message>
             </admin:infobox>
@@ -175,9 +175,9 @@
         <c:if test="${not validDSACert or not validRSACert}">
             <admin:infobox type="warning">
                 <fmt:message key="ssl.certificates.keystore.no_installed">
-                    <fmt:param value="<a href='security-keystore.jsp?generate=true&storeConnectionType=${storeConnectionType}'>"/>
+                    <fmt:param value="<a href='security-keystore.jsp?generate=true&connectionType=${connectionType}'>"/>
                     <fmt:param value="</a>"/>
-                    <fmt:param value="<a href='import-keystore-certificate.jsp?storeConnectionType=${storeConnectionType}'>"/>
+                    <fmt:param value="<a href='import-keystore-certificate.jsp?connectionType=${connectionType}'>"/>
                     <fmt:param value="</a>"/>
                 </fmt:message>
             </admin:infobox>
@@ -200,7 +200,7 @@
 
         <p>
             <fmt:message key="ssl.certificates.keystore.info">
-                <fmt:param value="<a href='import-keystore-certificate.jsp?storeConnectionType=${storeConnectionType}'>"/>
+                <fmt:param value="<a href='import-keystore-certificate.jsp?connectionType=${connectionType}'>"/>
                 <fmt:param value="</a>"/>
             </fmt:message>
         </p>
@@ -274,7 +274,7 @@
                             %>
                             <tr valign="top">
                                 <td>
-                                    <a href="security-certificate-details.jsp?storeConnectionType=${storeConnectionType}&alias=${alias}" title="<fmt:message key='session.row.cliked'/>">
+                                    <a href="security-certificate-details.jsp?connectionType=${connectionType}&alias=${alias}" title="<fmt:message key='session.row.cliked'/>">
                                         <c:forEach items="${identities}" var="currentItem" varStatus="stat">
                                             <c:out value="${stat.first ? '' : ','} ${currentItem}"/>
                                         </c:forEach>
@@ -326,7 +326,7 @@
                                     <c:out value="${certificate.publicKey.algorithm}"/>
                                 </td>
                                 <td width="1" align="center">
-                                    <a href="security-keystore.jsp?alias=${alias}&storeConnectionType=${storeConnectionType}&delete=true"
+                                    <a href="security-keystore.jsp?alias=${alias}&connectionType=${connectionType}&delete=true"
                                        title="<fmt:message key="global.click_delete"/>"
                                        onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
                                             ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>

src/web/security-truststore.jsp

 <%@ page errorPage="error.jsp"%>
-<%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreManager"%>
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStore"%>
 <%@ page import="org.jivesoftware.openfire.spi.ConnectionType"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
@@ -8,6 +7,7 @@
 <%@ page import="java.util.Map" %>
 <%@ page import="java.util.Set" %>
 <%@ page import="java.security.cert.X509Certificate" %>
+<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -20,29 +20,29 @@
     final boolean delete          = ParamUtils.getBooleanParameter( request, "delete" );
     final String alias            = ParamUtils.getParameter( request, "alias" );
 
-    final String storePurposeText = ParamUtils.getParameter(request, "storeConnectionType");
+    final String connectionTypeText = ParamUtils.getParameter( request, "connectionType" );
 
     final Map<String, String> errors = new HashMap<>();
 
-    ConnectionType storeConnectionType = null;
+    ConnectionType connectionType = null;
     TrustStore trustStore = null;
     try
     {
-        storeConnectionType = ConnectionType.valueOf( storePurposeText );
-        trustStore = CertificateStoreManager.getTrustStore( storeConnectionType );
+        connectionType = ConnectionType.valueOf( connectionTypeText );
+        trustStore = XMPPServer.getInstance().getCertificateStoreManager().getTrustStore( connectionType );
         if ( trustStore == null )
         {
             errors.put( "trustStore", "Unable to get an instance." );
         }
     }
-    catch (RuntimeException ex)
+    catch ( RuntimeException ex )
     {
-        errors.put( "storeConnectionType", ex.getMessage() );
+        errors.put( "connectionType", ex.getMessage() );
     }
 
     if ( errors.isEmpty() )
     {
-        pageContext.setAttribute( "storeConnectionType", storeConnectionType );
+        pageContext.setAttribute( "connectionType", connectionType );
         pageContext.setAttribute( "trustStore", trustStore );
 
         final Set<ConnectionType> sameStoreConnectionTypes = Collections.EMPTY_SET; // TODO FIXME: SSLConfig.getInstance().getOtherPurposesForSameStore( storeConnectionType );
@@ -64,8 +64,8 @@
                     trustStore.delete( alias );
 
                     // Log the event
-                    webManager.logEvent( "deleted SSL cert from " + storePurposeText + " with alias " + alias, null );
-                    response.sendRedirect( "security-truststore.jsp?storeConnectionType=" + storePurposeText + "&deletesuccess=true" );
+                    webManager.logEvent( "deleted SSL cert from " + connectionType + " with alias " + alias, null );
+                    response.sendRedirect( "security-keystore.jsp?connectionType=" + connectionType+ "&deletesuccess=true" );
                     return;
                 }
                 catch ( Exception e )
@@ -81,7 +81,7 @@
 
 <html>
     <head>
-        <title><fmt:message key="certificate-management.connectionType.${storeConnectionType}.title"/></title>
+        <title><fmt:message key="certificate-management.connectionType.${connectionType}.title"/></title>
         <meta name="pageID" content="security-truststore"/>
         <style>
             .info-header {
@@ -133,9 +133,9 @@
             <admin:infobox type="success"><fmt:message key="ssl.certificates.added_updated"/></admin:infobox>
         </c:if>
 
-        <c:if test="${storeConnectionType != null}">
+        <c:if test="${connectionType != null}">
             <p>
-                <fmt:message key="certificate-management.connectionType.${storeConnectionType}.description"/>
+                <fmt:message key="certificate-management.connectionType.${connectionType}.description"/>
             </p>
 
             <table border="0" width="100%">
@@ -177,7 +177,7 @@
 
             <p>
                 <fmt:message key="ssl.certificates.truststore.link-to-import">
-                    <fmt:param value="<a href='import-truststore-certificate.jsp?storeConnectionType=${storeConnectionType}'>"/>
+                    <fmt:param value="<a href='import-truststore-certificate.jsp?connectionType=${connectionType}'>"/>
                     <fmt:param value="</a>"/>
                 </fmt:message>
             </p>
@@ -230,7 +230,7 @@
 
                                 <tr valign="top">
                                     <td>
-                                        <a href="security-certificate-details.jsp?storeConnectionType=${storeConnectionType}&alias=${alias}" title="<fmt:message key='session.row.cliked'/>">
+                                        <a href="security-certificate-details.jsp?connectionType=${connectionType}&alias=${alias}" title="<fmt:message key='session.row.cliked'/>">
                                             <c:choose>
                                                 <c:when test="${empty fn:trim(organization)}">
                                                     <c:out value="${commonname}"/>
@@ -264,7 +264,7 @@
                                         <c:out value="${certificate.publicKey.algorithm}"/>
                                     </td>
                                     <td width="1" align="center">
-                                        <a href="security-truststore.jsp?storeConnectionType=${storeConnectionType}&alias=${alias}&delete=true"
+                                        <a href="security-truststore.jsp?connectionType=${connectionType}&alias=${alias}&delete=true"
                                            title="<fmt:message key="global.click_delete"/>"
                                            onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete"/>');"
                                                 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>