[Operators] domain hosting and certificates
Jesse Thompson
jesse.thompson at doit.wisc.edu
Tue Mar 4 06:58:29 CST 2008
now for a less controversial topic...
Is there anyone on this list who hosts XMPP domains and has figured out
a good way to manage client/federation certificates? We host 16 domains
currently, and could have up to 300 domains depending on how many of our
email customers sign up for chat. Many of these domains are subdomains
of wisc.edu; many are not.
I've tried to get an XMPP ICA wildcard certificate to work for wisc.edu
and subdomain.wisc.edu, but it looks like the clients (Psi and Adium)
don't treat it as valid. I don't know if this is a bug with the
client(s), the server (ejabberd), or the XMPP ICA.
Currently we use only one certificate for all client (5222/STARTTLS) and
server connections, which is CA-signed, but mismatches all of our
domains. This leads to undesirable errors in clients and might lead to
unexpected problems with federation. I notice that Google uses a
mismatched cert for Google Apps domains as well.
Hosting providers don't always own the domain, so you can't just request
a signed certificate without authorization. Delegation of certificate
signing requests to the domain administrators would be ideal, but
probably unreliable as well as costly in terms of development.
Even if we could easily obtain authorization to request signed
certificates for every domain we host, management of hundreds of
signed-certs would be a pain.
Some clients seem to handle self-signed certificates *better* than
CA-signed certificates that don't match the domain. If this is the
case, maybe it would be better to create self-signed 10+ year certs?
Has anyone figured out a solution to this problem?
Jesse
--
Jesse Thompson
Email/IM: jesse.thompson at doit.wisc.edu
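The mismatch problem described above is about which names a certificate presents versus the XMPP domain a client or peer server expects: XMPP clients and federating servers check the certificate against the JID domain (e.g. wisc.edu or a hosted subdomain), not the hostname of the server they connected to. As an added example, not from the original post, this script applies the usual dNSName/wildcard matching rules to a list of hosted domains so an operator can see in advance which domains a given certificate will and will not cover; the SAN entries and domain list are constructed sample values.

```python
"""Audit which hosted XMPP domains a certificate's dNSName entries cover.

Assumes the SAN names were already extracted from the certificate (for
instance with `openssl x509 -noout -text`); the values below are samples.
"""
import re
from typing import Iterable


def _label_ok(label: str) -> bool:
    """A DNS label that a wildcard may stand in for: letters, digits, hyphen."""
    return re.fullmatch(r"[a-z0-9-]+", label) is not None


def name_matches(presented: str, reference: str) -> bool:
    """Compare one presented dNSName with the XMPP domain that is expected.

    Rules applied (the common RFC 6125 interpretation):
    - comparison is case-insensitive
    - a wildcard is accepted only as the entire left-most label
    - the wildcard stands in for exactly one label, so *.wisc.edu covers
      chat.wisc.edu but neither wisc.edu itself nor lab.cs.wisc.edu
    - wildcards directly under a top-level label (*.edu) are refused
    """
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r
    p_labels = p.split(".")
    r_labels = r.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leading wildcards are not honoured
    if len(p_labels) < 3:
        return False  # *.edu would cover far too much
    if len(p_labels) != len(r_labels):
        return False  # the wildcard never spans more than one label
    return p_labels[1:] == r_labels[1:] and _label_ok(r_labels[0])


def audit(san_names: Iterable[str], hosted_domains: Iterable[str]) -> dict:
    """Map each hosted XMPP domain to the SAN entry covering it, or None."""
    names = list(san_names)
    return {d: next((n for n in names if name_matches(n, d)), None)
            for d in hosted_domains}


# Constructed sample: one wildcard certificate, hosted domains in and outside wisc.edu
SAMPLE_SAN = ["*.wisc.edu", "xmpp.wisc.edu"]
SAMPLE_DOMAINS = ["wisc.edu", "chat.wisc.edu", "lab.cs.wisc.edu", "example.org"]

if __name__ == "__main__":
    for domain, match in audit(SAMPLE_SAN, SAMPLE_DOMAINS).items():
        print(f"{domain:20s} -> {match or 'MISMATCH (expect a client warning)'}")
```

Domains reported as MISMATCH are the ones for which a client will show the certificate error the post describes; the fix is a certificate whose SAN list names each hosted domain explicitly.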