[Operators] domain hosting and certificates

Jesse Thompson jesse.thompson at doit.wisc.edu
Tue Mar 4 06:58:29 CST 2008

now for a less controversial topic...

Is there anyone on this list who hosts XMPP domains and has figured out 
a good way to manage client/federation certificates?  We host 16 domains 
currently, and could have up to 300 domains depending on how many of our 
email customers sign up for chat.  Many of these domains are subdomains 
of wisc.edu; many are not.

I've tried to get an XMPP ICA wildcard certificate to work for wisc.edu 
and subdomain.wisc.edu, but it looks like the clients (Psi and Adium) 
don't treat it as valid.  I don't know if this is a bug with the 
client(s), the server (ejabberd), or the XMPP ICA.

Currently we use only one certificate for all client (5222/STARTTLS) and 
server connections, which is CA-signed, but mismatches all of our 
domains.  The leads to undesirable errors in clients and might lead to 
unexpected problems with federation.  I notice that Google uses a 
mismatched cert for Google Apps domains as well.

Hosting providers don't always own the domain, so you can't just request 
a signed certificate without authorization.  Delegation of certificate 
signing requests to the domain administrators would be ideal, but 
probably unreliable as well as costly in terms of development.

Even if we could easily obtain authorization to request signed 
certificates for every domain we host, management of hundreds of 
signed-certs would be a pain.

Some clients seem to handle self-signed certificates *better* than 
CA-signed certificates that don't match the domain.  If this is the 
case, maybe it would be better to create self-signed 10+ year certs?

Has anyone figured out a solution to this problem?


   Jesse Thompson
   Email/IM: jesse.thompson at doit.wisc.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3340 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/operators/attachments/20080304/26587ae8/attachment.bin 

More information about the Operators mailing list