Difference between revisions of "XMPP Server Certificates"
Neustradamus (talk | contribs) m
(2 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
This page provides an example of an OpenSSL configuration file that appears to generate Certificate Signing Requests (CSRs) and self-signed certificates that conform to the format defined in RFC 3920 (note: you need OpenSSL 0.9.8 or newer). If you find errors on this page, please fix them! Naturally you can create a certificate at the [http:// | This page provides an example of an OpenSSL configuration file that appears to generate Certificate Signing Requests (CSRs) and self-signed certificates that conform to the format defined in RFC 3920 (note: you need OpenSSL 0.9.8 or newer). If you find errors on this page, please fix them! Naturally you can create a certificate at the [http://xmpp.net/ XMPP ICA] and ask the ICA to create the CSR for you, so this step is not strictly necessary (other CAs may offer a similar service). | ||
<pre> | <pre> | ||
Line 36: | Line 36: | ||
basicConstraints = CA:FALSE | basicConstraints = CA:FALSE | ||
keyUsage = digitalSignature,keyEncipherment | |||
subjectAltName = @subject_alternative_name | subjectAltName = @subject_alternative_name | ||
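Review bot: the keyUsage line at Line 36 is not marked critical, and because the v3_extensions section it sits in serves both req_extensions and x509_extensions, the self-signed certificates carry a non-critical key usage as well. RFC 5280 says this extension should be marked critical when present; consider `keyUsage = critical,digitalSignature,keyEncipherment`.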
Revision as of 21:59, 27 January 2010
This page provides an example of an OpenSSL configuration file that appears to generate Certificate Signing Requests (CSRs) and self-signed certificates that conform to the format defined in RFC 3920 (note: you need OpenSSL 0.9.8 or newer). If you find errors on this page, please fix them! Naturally you can create a certificate at the XMPP ICA and ask the ICA to create the CSR for you, so this step is not strictly necessary (other CAs may offer a similar service).
<pre>
oid_section = new_oids

[ new_oids ]
# RFC 3920 section 5.1.1 defines this OID
xmppAddr = 1.3.6.1.5.5.7.8.5

[ req ]
default_bits = 1024
default_keyfile = dotat.key
distinguished_name = distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions
# don't ask about the DN
prompt = no

[ distinguished_name ]
countryName = GB
stateOrProvinceName = England
localityName = Cambridge
organizationName = dotat labs
commonName = dotat.at

[ v3_extensions ]
# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = @subject_alternative_name

[ subject_alternative_name ]
DNS.0 = dotat.at
otherName.0 = xmppAddr;UTF8:dotat.at
</pre>
Append the following for a server which handles multiple domain names:
<pre>
DNS.1 = example.org
otherName.1 = xmppAddr;UTF8:example.org
</pre>
Thanks to Tony Finch for the information.
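The subject_alternative_name entries above, shown as the DER they stand for: this added example (not part of the wiki page or of OpenSSL) builds the GeneralNames value for a list of domains, parses it back, and reports any DNS name that lacks a matching xmppAddr otherName. The function names are hypothetical, and it assumes names short enough for short-form DER lengths.

```python
# Added example: DER layout of the subjectAltName value the DNS.n / otherName.n lines describe.
XMPP_ADDR = bytes.fromhex("2b06010505070805")  # OID 1.3.6.1.5.5.7.8.5

def tlv(tag, content):  # encode one DER TLV, short-form length only
    if len(content) > 127:
        raise ValueError("long-form length not supported")
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Decode the TLV at pos, returning (tag, content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form DER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[pos], buf[pos + 2:end], end

def build_san(domains):
    """GeneralNames holding a dNSName and an xmppAddr otherName per domain."""
    out = b""
    for d in domains:
        out += tlv(0x82, d.encode("ascii"))              # DNS.n: dNSName [2]
        value = tlv(0xA0, tlv(0x0C, d.encode("utf-8")))  # [0] EXPLICIT UTF8String
        out += tlv(0xA0, tlv(0x06, XMPP_ADDR) + value)   # otherName.n: otherName [0]
    return tlv(0x30, out)

def parse_san(der):
    """Return (dns_names, xmpp_addrs) from a DER GeneralNames value."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    dns, xmpp, pos = [], [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x82:
            dns.append(val.decode("ascii"))
        elif tag == 0xA0:
            t_oid, oid, nxt = read_tlv(val)
            _, wrapped, _ = read_tlv(val, nxt)
            t_str, text, _ = read_tlv(wrapped)
            if (t_oid, oid, t_str) == (0x06, XMPP_ADDR, 0x0C):
                xmpp.append(text.decode("utf-8"))
    return dns, xmpp

def missing_xmpp_addr(der):
    """DNS names that have no matching xmppAddr entry."""
    dns, xmpp = parse_san(der)
    return [d for d in dns if d not in xmpp]
SAMPLE = build_san(["dotat.at", "example.org"])  # constructed sample input
```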