SSL Certificates for XMPP

Over the last few months, I have been slowly switching all my hostnames and service names from using my personal domain name “” to another domain I have.

This is mainly because I am sharing some of the services I run with other people, and also because… well… I don’t like having my name in hostnames to be honest! 🙂

Today I finally got around to updating my Jabber/XMPP server.

In the process, I had to update the SSL certificate.

Quite some time ago, a friend of mine told me that I had created the certificate for my XMPP server incorrectly, because I was using a single server to serve multiple domains.

When one server hosts several XMPP domains, the certificate needs a few extra subjectAltName entries for each hosted domain: a dNSName, an xmppAddr otherName (the id-on-xmppAddr type from RFC 6120) and SRVName otherNames (RFC 4985) for the _xmpp-client and _xmpp-server services. Clients and peer servers verify the certificate against the XMPP domain they are connecting to (the domainpart of the JID), not against the machine's hostname, so a certificate that only carries the server hostname in its commonName does not match any of the hosted domains.

To add these entries, create a file called “xmpp.cnf” with the following contents:
HOME = .

oid_section = new_oids

[ new_oids ]
# Object identifiers for the two otherName types used in the SAN below:
# xmppAddr is id-on-xmppAddr (RFC 6120), SRVName is id-on-dnsSRV (RFC 4985).
xmppAddr =
SRVName =

[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions
prompt = no

[ distinguished_name ]

# This is just your standard stuff!
countryName = GB
stateOrProvinceName = England
localityName = Cambridge
organizationName =
organizationalUnitName = XMPP Services
emailAddress = [email protected]

# Hostname of the XMPP server.
commonName =

[ v3_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = @subject_alternative_name

[ subject_alternative_name ]

# Do this for each of your domains: a dNSName for the XMPP domain, an xmppAddr
# otherName carrying the same domain as a UTF8String, and two SRVName otherNames
# (IA5String) naming the _xmpp-client and _xmpp-server services of that domain.
DNS.1 =
otherName.0 = xmppAddr;FORMAT:UTF8,
otherName.1 = SRVName;
otherName.2 = SRVName;

DNS.2 =
otherName.3 = xmppAddr;FORMAT:UTF8,
otherName.4 = SRVName;
otherName.5 = SRVName;

DNS.3 =
otherName.6 = xmppAddr;FORMAT:UTF8,
otherName.7 = SRVName;
otherName.8 = SRVName;

Then you just continue the “certificate request” creation as normal, specifying the configuration file on the command line:

# Create the private key
openssl genrsa -des3 -out 4096

# Create the certificate request:
openssl req -config xmpp.cnf -new -key -out

Note that -des3 encrypts the private key with a passphrase. The XMPP server has to read the key unattended when it starts, and most daemons cannot prompt for a passphrase, so either generate the key without -des3 or remove the passphrase before deploying it (and protect the key file with file permissions instead).

That’s all!

Now you can either use the CSR to request a certificate from or anywhere else, or self-sign it and point your XMPP server at your shiny new certificate. Whichever you choose, check the Subject Alternative Name of the resulting certificate before deploying it: a CA does not necessarily carry the otherName entries from the CSR through to the issued certificate, and without them the certificate does not assert the xmppAddr and SRVName identities you asked for. A self-signed certificate is only accepted by clients and peer servers that have been told to trust it explicitly.
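As an added example (this is not the post's own code), here is the whole procedure above in one script: it writes an xmpp.cnf for a list of domains with the two OIDs filled in (1.3.6.1.5.5.7.8.5 for xmppAddr from RFC 6120, 1.3.6.1.5.5.7.8.7 for SRVName from RFC 4985), generates the key and CSR, self-signs a certificate, and then checks the certificate's DER encoding for the exact otherName structures. Checking the raw DER is deliberate: older OpenSSL releases print these entries in openssl x509 -text only as “othername:<unsupported>”, so a grep on the text output proves nothing. The domains example.com and example.net, the BITS variable, the file names and the temporary directory are all assumptions of the example; unlike the post, the key is generated without -des3 so the server can read it unattended.

```shell
#!/bin/sh
# Added example, not from the original post: build an xmpp.cnf for several
# XMPP domains, generate a key and a self-signed certificate with it, and
# verify that the SAN really carries the xmppAddr and SRVName otherNames.
# The domains (example.com, example.net) and file names are placeholders.
set -e

# OIDs for the otherName types: id-on-xmppAddr (RFC 6120) and id-on-dnsSRV (RFC 4985).
XMPP_ADDR_OID=1.3.6.1.5.5.7.8.5
SRVNAME_OID=1.3.6.1.5.5.7.8.7
# Their DER encodings (06 = OBJECT IDENTIFIER, 08 = length, 2b = arcs 1.3, ...),
# used below to search the certificate's DER for the raw otherName structures.
XMPP_ADDR_OID_HEX=06082b06010505070805
SRVNAME_OID_HEX=06082b06010505070807
# 2048 keeps the example quick; the post uses 4096 (run with BITS=4096 to match).
BITS=${BITS:-2048}

# write_xmpp_cnf FILE DOMAIN... : emit an OpenSSL request config whose SAN holds,
# for each domain, a dNSName, an xmppAddr otherName and SRVName otherNames for
# the _xmpp-client and _xmpp-server services. The first domain becomes the CN.
write_xmpp_cnf() {
    out=$1; shift
    {
        printf 'oid_section = new_oids\n\n[ new_oids ]\n'
        printf 'xmppAddr = %s\nSRVName = %s\n\n' "$XMPP_ADDR_OID" "$SRVNAME_OID"
        printf '[ req ]\ndefault_bits = %s\ndistinguished_name = dn\n' "$BITS"
        printf 'req_extensions = v3_ext\nx509_extensions = v3_ext\nprompt = no\n\n'
        printf '[ dn ]\ncommonName = %s\norganizationalUnitName = XMPP Services\n\n' "$1"
        printf '[ v3_ext ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature,keyEncipherment\nsubjectAltName = @san\n\n[ san ]\n'
        d=1; o=0
        for domain; do
            printf 'DNS.%d = %s\n' "$d" "$domain"
            printf 'otherName.%d = xmppAddr;FORMAT:UTF8,UTF8:%s\n' "$o" "$domain"
            printf 'otherName.%d = SRVName;IA5STRING:_xmpp-client.%s\n' "$((o + 1))" "$domain"
            printf 'otherName.%d = SRVName;IA5STRING:_xmpp-server.%s\n\n' "$((o + 2))" "$domain"
            d=$((d + 1)); o=$((o + 3))
        done
    } > "$out"
}

# make_xmpp_cert DIR DOMAIN... : config, private key, CSR and self-signed
# certificate in DIR. The key is left unencrypted (no -des3) because the
# XMPP daemon has to read it unattended at start-up.
make_xmpp_cert() {
    dir=$1; shift
    write_xmpp_cnf "$dir/xmpp.cnf" "$@"
    openssl genrsa -out "$dir/privkey.pem" "$BITS" 2>/dev/null
    openssl req -config "$dir/xmpp.cnf" -new -key "$dir/privkey.pem" -out "$dir/request.csr"
    openssl req -config "$dir/xmpp.cnf" -new -x509 -days 365 \
        -key "$dir/privkey.pem" -out "$dir/cert.pem"
}

# Hex helpers: bytes of a string / a certificate's DER as one lowercase hex string.
str_hex() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }
der_hex() { openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n'; }

# othername_hex OIDHEX TAG STRING : DER of otherName { OID, [0] EXPLICIT TAG STRING }
# (a0 = explicit [0]; 0c = UTF8String, 16 = IA5String). Single-byte lengths only,
# which is enough for domain names shorter than 126 bytes.
othername_hex() {
    printf '%sa0%02x%s%02x%s' "$1" "$((${#3} + 2))" "$2" "${#3}" "$(str_hex "$3")"
}

# check_san CERT DOMAIN : succeed only if CERT's DER contains, for DOMAIN, a
# dNSName (context tag 82), the xmppAddr otherName and both SRVName otherNames.
check_san() {
    hex=$(der_hex "$1")
    for needle in \
        "82$(printf '%02x' "${#2}")$(str_hex "$2")" \
        "$(othername_hex "$XMPP_ADDR_OID_HEX" 0c "$2")" \
        "$(othername_hex "$SRVNAME_OID_HEX" 16 "_xmpp-client.$2")" \
        "$(othername_hex "$SRVNAME_OID_HEX" 16 "_xmpp-server.$2")"
    do
        case "$hex" in *"$needle"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Demo: two hosted domains on one server, then verify each of them.
XMPP_DEMO_DIR=$(mktemp -d)
make_xmpp_cert "$XMPP_DEMO_DIR" example.com example.net
for d in example.com example.net; do
    if check_san "$XMPP_DEMO_DIR/cert.pem" "$d"; then
        echo "SAN ok for $d"
    else
        echo "SAN missing entries for $d" >&2
    fi
done
```

The same check_san function is what you would run against a CA-issued certificate built from the CSR: if the CA dropped the otherName entries, only the dNSName needle matches and the function fails for every domain, which is exactly the case to catch before pointing the XMPP server at the new certificate.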