[Operators] Obtaining XMPP-enabled certificate for server

Marvin Gülker m-guelker at phoenixmail.de
Tue Jul 19 16:36:01 UTC 2016

On Tue, 19 Jul 2016 16:15:40 +0200,
Florian Schmaus <flo at geekplace.eu> wrote:
> Isn't one problem that a cert with CN "example.org" will be valid for
> all services found on example.org (simply speaking), whereas
> using SRV-ID restricts the cert to a particular service?

I have always wondered about which domains should actually be included
in a TLS certificate for use in XMPP services once an SRV record is
in place. Do I need a certificate which covers xmpp.example.com? Or
does one for example.com suffice, given that that's what is actually
part of the JIDs? Or do I even need one that covers
_xmpp-server._tcp.example.com and _xmpp-client._tcp.example.com? A
combination of these three?

If any more than one of these is required, this rules out simple certs
only covering a CN; at least one SAN is required.

Ideas, anyone? Is there documentation of the actual practice?


Blog: http://www.guelkerdev.de
