Difference between revisions of "XMPP Server Certificates"

(Update RFC3910 to 6120)
(3 intermediate revisions by one other user not shown)
Line 1: Line 1:
This page provides an example of an OpenSSL configuration file that appears to generate Certificate Signing Requests (CSRs) and self-signed certificates that conform to the format defined in RFC 3920 (note: you need OpenSSL 0.9.8 or newer). If you find errors on this page, please fix them! Naturally you can create a certificate at the [http://www.xmpp.net/ XMPP ICA] and ask the ICA to create the CSR for you, so this step is not strictly necessary (other CAs may offer a similar service).
This page provides an example of an OpenSSL configuration file that appears to generate Certificate Signing Requests (CSRs) and self-signed certificates that conform to the format defined in RFC 6120 (note: you need OpenSSL 0.9.8 or newer). If you find errors on this page, please fix them! Naturally you can create a certificate at the [http://xmpp.net/ XMPP ICA] and ask the ICA to create the CSR for you, so this step is not strictly necessary (other CAs may offer a similar service).


<pre>
<pre>
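Review bot: the edit summary says "RFC3910" while the sentence being replaced cites RFC 3920 (the document RFC 6120 obsoletes), and the link target also changes from http://www.xmpp.net/ to http://xmpp.net/ without the summary mentioning it; the RFC renumbering itself is correct, but the summary should name the right old RFC and note the URL change so the page history is accurate.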
Line 6: Line 6:
[ new_oids ]
[ new_oids ]


# RFC 3920 section 5.1.1 defines this OID
# RFC 6120 section 13.7.1.4 defines this OID


xmppAddr = 1.3.6.1.5.5.7.8.5
xmppAddr = 1.3.6.1.5.5.7.8.5
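Review bot: the updated comment points at RFC 6120 section 13.7.1.4, which is where the XmppAddr identifier is specified, and the OID value 1.3.6.1.5.5.7.8.5 is left unchanged, so this hunk is consistent; consider also naming the identifier (id-on-xmppAddr) in the comment so a reader can cross-check the value against the RFC without looking up the section.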
Line 36: Line 36:


basicConstraints                = CA:FALSE
basicConstraints                = CA:FALSE
extendedKeyUsage                = serverAuth,clientAuth
keyUsage                        = digitalSignature,keyEncipherment
subjectAltName                  = @subject_alternative_name
subjectAltName                  = @subject_alternative_name



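Review bot: dropping `extendedKeyUsage = serverAuth,clientAuth` has nothing to do with the RFC renumbering the summary describes and leaves the extension set as only basicConstraints, keyUsage and subjectAltName; if the intent is to rely on "no EKU means unrestricted use", say so in a comment beside keyUsage, otherwise keep the line so the certificate still carries the server and client purposes explicitly.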
Revision as of 15:02, 29 April 2014

This page provides an example of an OpenSSL configuration file that appears to generate Certificate Signing Requests (CSRs) and self-signed certificates that conform to the format defined in RFC 6120 (note: you need OpenSSL 0.9.8 or newer). If you find errors on this page, please fix them! Naturally you can create a certificate at the XMPP ICA and ask the ICA to create the CSR for you, so this step is not strictly necessary (other CAs may offer a similar service).

<pre>
oid_section             = new_oids

[ new_oids ]

# RFC 6120 section 13.7.1.4 defines this OID (id-on-xmppAddr)

xmppAddr = 1.3.6.1.5.5.7.8.5

[ req ]

# 1024-bit RSA is below the minimum that current CAs and TLS stacks accept;
# 2048 or larger is the usual choice today
default_bits            = 1024
default_keyfile         = dotat.key
distinguished_name      = distinguished_name
req_extensions          = v3_extensions
x509_extensions         = v3_extensions

# don't ask about the DN
prompt = no

[ distinguished_name ]

countryName                     = GB
stateOrProvinceName             = England
localityName                    = Cambridge
organizationName                = dotat labs

commonName                      = dotat.at

[ v3_extensions ]

# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)

basicConstraints                = CA:FALSE
keyUsage                        = digitalSignature,keyEncipherment
subjectAltName                  = @subject_alternative_name

[ subject_alternative_name ]

# each DNS.n / otherName.n pair adds one dNSName and one XmppAddr entry;
# the "xmppAddr;UTF8:" syntax yields an otherName whose value is a UTF8String
DNS.0                             = dotat.at
otherName.0                       = xmppAddr;UTF8:dotat.at
</pre>

Append the following for a server which handles multiple domain names:

<pre>
DNS.1                             = example.org
otherName.1                       = xmppAddr;UTF8:example.org
</pre>
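As an added example (not part of this wiki page or of Tony Finch's configuration), the following stdlib-only Python builds the DER that the `DNS.n` / `otherName.n = xmppAddr;UTF8:...` lines above make OpenSSL place in subjectAltName, parses it back out, and performs the exact-match identity check a verifying peer would apply; SRVName entries and wildcard dNSNames are not handled, and the function names are this example's own.

```python
# Added example, not from the wiki page: stdlib-only DER encode/decode of the
# subjectAltName value that the config above asks OpenSSL to emit.
#   GeneralNames ::= SEQUENCE OF GeneralName
#   dNSName   [2] IMPLICIT IA5String
#   otherName [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
# id-on-xmppAddr 1.3.6.1.5.5.7.8.5 (RFC 6120 section 13.7.1.4) in DER: the first two
# arcs fold to 40*1+3 = 0x2B, and every later arc is below 128 so it is one byte.
XMPP_ADDR_OID_DER = bytes.fromhex("2b06010505070805")

def _tlv(tag, body):  # DER tag-length-value, definite short or long form length
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):  # -> (tag, value bytes, position just after the value)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def encode_san(dns_names, xmpp_addrs):
    names = b"".join(_tlv(0x82, d.encode("ascii")) for d in dns_names)
    for jid in xmpp_addrs:  # type-id, then the [0] EXPLICIT wrapper around the UTF8String
        other = _tlv(0x06, XMPP_ADDR_OID_DER) + _tlv(0xA0, _tlv(0x0C, jid.encode("utf-8")))
        names += _tlv(0xA0, other)
    return _tlv(0x30, names)

def decode_san(der):  # -> (dns_names, xmpp_addrs); other GeneralName kinds are ignored
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    dns, xmpp, pos = [], [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            dns.append(val.decode("ascii"))
        elif tag == 0xA0:
            t_oid, oid, p = _read_tlv(val, 0)
            _, explicit, _ = _read_tlv(val, p)
            t_val, s, _ = _read_tlv(explicit, 0)
            if t_oid == 0x06 and oid == XMPP_ADDR_OID_DER and t_val == 0x0C:
                xmpp.append(s.decode("utf-8"))
    return dns, xmpp

def matches_domain(san_der, domain):
    """Exact, case-folded match of the domain against an XmppAddr or a dNSName."""
    dns, xmpp = decode_san(san_der)
    want = domain.lower()
    return any(want == x.lower() for x in xmpp) or any(want == d.lower() for d in dns)
```

Feeding the output of `openssl asn1parse -out` for a real certificate's subjectAltName value into `decode_san` shows which identifiers a peer will actually see, which is the quickest way to confirm the otherName entries came out as UTF8Strings rather than being silently dropped.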

Thanks to Tony Finch for the information.