XMPP Server Certificates

This page provides an example of an OpenSSL configuration file that appears to generate Certificate Signing Requests (CSRs) and self-signed certificates that conform to the format defined in RFC 3920 (note: you need OpenSSL 0.9.8 or newer). If you find errors on this page, please fix them! Naturally you can create a certificate at the XMPP ICA and ask the ICA to create the CSR for you, so this step is not strictly necessary (other CAs may offer a similar service).

oid_section            = new_oids

[ new_oids ]

# RFC 3920 section 5.1.1 defines this OID
xmppAddr = 1.3.6.1.5.5.7.8.5

[ req ]

# 1024-bit RSA is below current key-size guidance; use 2048 or more for new keys
default_bits           = 1024
default_keyfile        = dotat.key
distinguished_name     = distinguished_name
req_extensions         = v3_extensions
x509_extensions        = v3_extensions

# don't ask about the DN
prompt = no

[ distinguished_name ]

countryName                    = GB
stateOrProvinceName            = England
localityName                   = Cambridge
organizationName               = dotat labs
commonName                     = dotat.at

[ v3_extensions ]


# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)
basicConstraints               = CA:FALSE
extendedKeyUsage               = serverAuth,clientAuth
subjectAltName                 = @subject_alternative_name

[ subject_alternative_name ]

DNS.0                            = dotat.at
otherName.0                      = xmppAddr;UTF8:dotat.at

Append the following for a server which handles multiple domain names:

DNS.1                            = example.org
otherName.1                      = xmppAddr;UTF8:example.org

Thanks to Tony Finch for the information.
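To make the [ subject_alternative_name ] section concrete, the following added example (not part of the original page and not OpenSSL's own code) builds the DER GeneralNames value that the paired DNS.n / otherName.n entries describe and reads the xmppAddr values back out, as a peer checking the certificate would. All function names are hypothetical, and only the Python standard library is used.

```python
# Added illustration, standard library only; helper names are hypothetical.
XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # xmppAddr, as declared in [ new_oids ]

def tlv(tag, body):  # encode one DER tag-length-value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def encode_oid(dotted):
    """First two arcs share one byte; later arcs are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def encode_san(domains):
    """GeneralNames holding a dNSName plus an xmppAddr otherName per domain."""
    names = b""
    for d in domains:
        names += tlv(0x82, d.encode("ascii"))            # dNSName [2] IA5String
        value = tlv(0xA0, tlv(0x0C, d.encode("utf-8")))  # [0] EXPLICIT UTF8String
        names += tlv(0xA0, encode_oid(XMPP_ADDR_OID) + value)  # otherName [0]
    return tlv(0x30, names)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def xmpp_addrs(san_der):
    """Extract every xmppAddr string from DER-encoded GeneralNames."""
    oid, found, pos = encode_oid(XMPP_ADDR_OID), [], 0
    names = read_tlv(san_der, 0)[1]
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag == 0xA0 and body.startswith(oid):   # otherName carrying xmppAddr
            vtag, value, _ = read_tlv(read_tlv(body, len(oid))[1], 0)
            if vtag == 0x0C:
                found.append(value.decode("utf-8"))
    return found
```

A certificate whose subjectAltName holds only dNSName entries yields an empty list from `xmpp_addrs`, which is a quick way to spot a request generated without the otherName lines.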