XMPP Server Certificates

From XMPP WIKI

This page provides an example of an OpenSSL configuration file that generates Certificate Signing Requests (CSRs) and self-signed certificates carrying the server identifiers defined in RFC 6120: a DNS-ID in the subjectAltName and the XmppAddr otherName (RFC 6120 section 13.7.1.4). Note that you need OpenSSL 0.9.8 or newer for the otherName syntax. If you find errors on this page, please fix them! You can instead obtain a certificate from the XMPP ICA and ask the ICA to create the CSR for you, so this step is not strictly necessary (other CAs may offer a similar service); whichever CA you use, it will only sign identifiers it has validated, so the xmppAddr value must be a domain you can prove you control. If your OpenSSL build already knows this OID under a built-in name (newer releases ship it as XmppAddr), loading the file may fail with an "oid exists" error; in that case remove the oid_section and [ new_oids ] lines and write the numeric OID directly in the otherName lines, e.g. otherName.0 = 1.3.6.1.5.5.7.8.5;UTF8:dotat.at.

oid_section             = new_oids

[ new_oids ]

# RFC 6120 section 13.7.1.4 defines this OID

xmppAddr = 1.3.6.1.5.5.7.8.5

[ req ]

# 1024-bit RSA keys are too weak and are rejected by CAs and modern clients; use 2048 or more
default_bits            = 2048
default_keyfile         = dotat.key
distinguished_name      = distinguished_name
req_extensions          = v3_extensions
x509_extensions         = v3_extensions

# don't ask about the DN
prompt = no

[ distinguished_name ]

countryName                     = GB
stateOrProvinceName             = England
localityName                    = Cambridge
organizationName                = dotat labs

commonName                      = dotat.at

[ v3_extensions ]

# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)

basicConstraints                = CA:FALSE
keyUsage                        = digitalSignature,keyEncipherment
subjectAltName                  = @subject_alternative_name

[ subject_alternative_name ]

DNS.0                             = dotat.at
otherName.0                       = xmppAddr;UTF8:dotat.at

For a server that handles more than one domain, append a DNS entry and an otherName entry for each additional domain to the [ subject_alternative_name ] section, incrementing the index each time:

DNS.1                             = domain.tld
otherName.1                       = xmppAddr;UTF8:domain.tld
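The shell script below is an added example and is not part of the original page. It writes a configuration in the same shape as the one above, generates a key, a CSR and a self-signed certificate from it, prints the resulting subjectAltName, and then checks the DER encoding of both the CSR and the certificate for the exact bytes of the xmppAddr otherName. The DER check matters because older OpenSSL builds print the entry only as "othername:<unsupported>", so the text output alone does not tell you which OID was written. The numeric OID is used directly in the otherName line instead of an oid_section, so the file loads whether or not the OpenSSL build already defines the object. The domain dotat.at, the 2048-bit key size and the temporary working directory are assumptions; pass another domain as the first argument.

```shell
#!/bin/sh
# Added example (not from the original page): exercise an RFC 6120-style
# OpenSSL config and verify the xmppAddr otherName ended up in the SAN.
# Assumptions: the domain (default dotat.at) and a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${1:-dotat.at}"
CONF="$WORK/xmpp.cnf"

# Same layout as the page's config, trimmed to what matters. The numeric OID is
# written directly so no oid_section is needed (builds that already define the
# XmppAddr object refuse to register the same OID again).
write_config() {
    cat > "$CONF" <<EOF
[ req ]
default_bits        = 2048
distinguished_name  = distinguished_name
req_extensions      = v3_extensions
x509_extensions     = v3_extensions
prompt              = no

[ distinguished_name ]
commonName          = $DOMAIN

[ v3_extensions ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature,keyEncipherment
subjectAltName      = @subject_alternative_name

[ subject_alternative_name ]
# DNS-ID plus the id-on-xmppAddr otherName (RFC 6120 section 13.7.1.4)
DNS.0               = $DOMAIN
otherName.0         = 1.3.6.1.5.5.7.8.5;UTF8:$DOMAIN
EOF
}

# Key and CSR (what you would send to a CA), then a self-signed certificate
# for local testing. The same extension section serves both.
make_csr_and_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CONF" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr"
    openssl req -x509 -days 365 -config "$CONF" \
        -key "$WORK/server.key" -out "$WORK/server.crt"
}

# Lower-case hex of the DER encoding of a CSR (kind=req) or certificate (kind=x509).
der_hex() {
    openssl "$1" -in "$2" -outform DER | od -An -v -tx1 | tr -d ' \n'
}

# Hex of an ASCII string (domains are ASCII, so bytes equal characters).
ascii_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if the DER contains the otherName exactly as OpenSSL encodes it:
#   OBJECT IDENTIFIER 1.3.6.1.5.5.7.8.5  -> 06 08 2b 06 01 05 05 07 08 05
#   [0] EXPLICIT UTF8String "<domain>"   -> a0 <len+2> 0c <len> <bytes>
# Single-byte DER lengths, i.e. domains shorter than 126 bytes.
# Usage: has_xmpp_addr req|x509 file domain
has_xmpp_addr() {
    needle="06082b06010505070805a0$(printf '%02x' $(( ${#3} + 2 )))0c$(printf '%02x' "${#3}")$(ascii_hex "$3")"
    case "$(der_hex "$1" "$2")" in
        *"$needle"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Human-readable view: newer OpenSSL prints "othername: XmppAddr::<domain>",
# older builds print "othername:<unsupported>"; the DER check covers both.
show_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

main() {
    write_config
    make_csr_and_cert
    show_san "$WORK/server.crt"
    if has_xmpp_addr req "$WORK/server.csr" "$DOMAIN" &&
       has_xmpp_addr x509 "$WORK/server.crt" "$DOMAIN"; then
        echo "xmppAddr otherName for $DOMAIN present in CSR and certificate"
    else
        echo "xmppAddr otherName missing" >&2
        exit 1
    fi
}

main
```

The CSR is what goes to the CA; the self-signed certificate is only for checking that the extension section produces what you expect before you submit anything. Replacing the single commonName here with the fuller DN from the page's config does not change the SAN handling.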

Thanks to Tony Finch for the information.