[Operators] Obtaining XMPP-enabled certificate for server

Dave Cridland dave at cridland.net
Wed Jul 20 08:22:08 UTC 2016


On 20 July 2016 at 08:58, Florian Schmaus <flo at geekplace.eu> wrote:

> For the near future, I hope that certificates using only srvNames will
> become more common. But if you want to stay super "compatible" with all
> sorts of XMPP software out there, then you probably want to put your
> XMPP domain in the CN too. Which comes with the drawback that the cert
> can be used for all services under that domain.
>

Only for legacy apps.

If a SAN exists, CNs should be ignored.

If a service-specific SAN exists, non-service-specific SANs should be
ignored, though that's even rarer.

Maybe we should have another interop day to figure out how observed these
rules are?

Dave.
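
The precedence rules in this reply, sketched as an added example (not code from the thread or from any XMPP implementation). `CertNames` and the function names are hypothetical; the names are assumed to be already extracted from the certificate, matching is exact and case-insensitive with no wildcard handling, and any srvName entry is treated as a service-specific SAN.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Names taken from a certificate (hypothetical stand-in, no X.509 parsing)."""
    common_name: Optional[str] = None
    dns_names: List[str] = field(default_factory=list)   # dNSName SANs
    srv_names: List[str] = field(default_factory=list)   # srvName SANs


def candidate_identities(cert: CertNames) -> Tuple[str, List[str]]:
    """Pick the only name set a verifier should look at, by precedence."""
    if cert.srv_names:        # service-specific SAN exists:
        return "srvName", cert.srv_names   # ignore other SANs and the CN
    if cert.dns_names:        # a SAN exists:
        return "dNSName", cert.dns_names   # ignore the CN
    if cert.common_name:      # no SAN at all: CN is the last resort
        return "CN", [cert.common_name]
    return "none", []


def matches(cert: CertNames, domain: str, service: str) -> bool:
    """Strict check for one service (e.g. "xmpp-server") on one XMPP domain."""
    source, names = candidate_identities(cert)
    wanted = f"_{service}.{domain}" if source == "srvName" else domain
    return any(n.lower() == wanted.lower() for n in names)


def legacy_matches(cert: CertNames, domain: str) -> bool:
    """What a CN-only legacy application does: service is not considered."""
    return (cert.common_name or "").lower() == domain.lower()


# Constructed sample certificates for the domain example.org.
SRV_ONLY = CertNames(srv_names=["_xmpp-server.example.org"])
COMPAT = CertNames(common_name="example.org", dns_names=["example.org"],
                   srv_names=["_xmpp-server.example.org"])
CN_MISMATCH = CertNames(common_name="example.org",
                        dns_names=["chat.example.org"])

if __name__ == "__main__":
    for label, cert in [("srv-only", SRV_ONLY), ("compat", COMPAT),
                        ("cn-mismatch", CN_MISMATCH)]:
        print(label, candidate_identities(cert)[0],
              matches(cert, "example.org", "xmpp-server"),
              matches(cert, "example.org", "xmpp-client"),
              legacy_matches(cert, "example.org"))
```
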