SSL Certificates for XMPP

Over the last few months, I have been slowly switching all my hostnames and service names from using my personal domain name “hamzahkhan.com” to another domain I have.

This is mainly because I am sharing some of the services I run with other people, and also because… well… I don’t like having my name in hostnames to be honest! 🙂

Today I finally got around to updating my Jabber/XMPP server.

In the process, I had to update the SSL certificate.

Quite some time ago, a friend of mine actually told me that I’d created the certificate for my XMPP server incorrectly when using a single server to serve multiple domains.

For this, you are actually supposed to have a few extra subjectAltName entries in the certificate: for each domain, an xmppAddr otherName and SRVName otherNames alongside the plain DNS name.

To add these records, create a file called “xmpp.cnf” with the following contents:
HOME = .
RANDFILE = $ENV::HOME/.rnd

oid_section = new_oids

[ new_oids ]
xmppAddr = 1.3.6.1.5.5.7.8.5
SRVName = 1.3.6.1.5.5.7.8.7

[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions
prompt = no

[ distinguished_name ]

# This is just your standard stuff!
countryName = GB
stateOrProvinceName = England
localityName = Cambridge
organizationName = G3nius.net
organizationalUnitName = XMPP Services
emailAddress = [email protected]

# Hostname of the XMPP server.
commonName = xmpp.g3nius.net

[ v3_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = @subject_alternative_name

[ subject_alternative_name ]

# Do this for each of your domains
DNS.1 = domain1.com
otherName.0 = xmppAddr;FORMAT:UTF8,UTF8:domain1.com
otherName.1 = SRVName;IA5STRING:_xmpp-client.domain1.com
otherName.2 = SRVName;IA5STRING:_xmpp-server.domain1.com

DNS.2 = domain2.com
otherName.3 = xmppAddr;FORMAT:UTF8,UTF8:domain2.com
otherName.4 = SRVName;IA5STRING:_xmpp-client.domain2.com
otherName.5 = SRVName;IA5STRING:_xmpp-server.domain2.com

DNS.3 = domain3.com
otherName.6 = xmppAddr;FORMAT:UTF8,UTF8:domain3.com
otherName.7 = SRVName;IA5STRING:_xmpp-client.domain3.com
otherName.8 = SRVName;IA5STRING:_xmpp-server.domain3.com

Then you just continue the “certificate request” creation as normal, specifying the configuration file on the command line:

# Create the private key (-des3 encrypts it with a passphrase, which the XMPP server will need in order to load it; drop -des3 if you want an unencrypted key)
openssl genrsa -des3 -out xmpp.g3nius.net.key 4096

# Create the certificate request:
openssl req -config xmpp.cnf -new -key xmpp.g3nius.net.key -out xmpp.g3nius.net.csr
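The subject_alternative_name section is the part that goes wrong when edited by hand: the DNS.N and otherName.N keys must be unique, and the otherName counter has to keep running across domains. As an added example (not from the original post or its author), here is a stdlib-only Python script that generates that section for any list of domains; it uses the numeric OIDs directly so the output works with or without the [ new_oids ] section, and the function name san_section is my own.

```python
"""Emit the [ subject_alternative_name ] section for a multi-domain XMPP cert.

Constructed helper for this post (not the author's tooling). It uses the
numeric OIDs directly, so the output works with or without [ new_oids ].
"""
import re
import sys

# id-on-xmppAddr (RFC 6120) and id-on-dnsSRV / SRVName (RFC 4985).
XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"
SRV_NAME_OID = "1.3.6.1.5.5.7.8.7"
# Plain DNS hostname: labels of 1-63 chars, no leading/trailing hyphen, 2+ labels.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def san_section(domains):
    """Return config lines: one dNSName, one xmppAddr otherName and two SRVName
    otherNames (_xmpp-client, _xmpp-server) per domain.  OpenSSL wants unique
    DNS.N / otherName.N keys, and the otherName counter must keep running
    across domains, which is the part that goes wrong when editing by hand."""
    normalised = []
    for raw in domains:
        # Lower-case and IDNA-encode so unicode domains become xn-- A-labels.
        name = raw.strip().lower().encode("idna").decode("ascii")
        if not HOSTNAME_RE.match(name):
            raise ValueError(f"not a valid XMPP domain: {raw!r}")
        if name in normalised:
            raise ValueError(f"duplicate domain: {raw!r}")
        normalised.append(name)

    lines = ["[ subject_alternative_name ]", ""]
    other = 0  # otherName index runs across all domains
    for n, name in enumerate(normalised, start=1):
        lines.append(f"DNS.{n} = {name}")
        lines.append(f"otherName.{other} = {XMPP_ADDR_OID};FORMAT:UTF8,UTF8:{name}")
        other += 1
        for service in ("_xmpp-client", "_xmpp-server"):
            lines.append(f"otherName.{other} = {SRV_NAME_OID};IA5STRING:{service}.{name}")
            other += 1
        lines.append("")
    return lines


if __name__ == "__main__":
    # Usage: python gen_san.py domain1.com domain2.com >> xmpp.cnf
    print("\n".join(san_section(sys.argv[1:])))
```

After appending the output to xmpp.cnf, `openssl req -config xmpp.cnf -new -key ... -out ... ; openssl req -in ... -noout -text` lets you confirm the X509v3 Subject Alternative Name block lists every domain.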

That’s all!

Now you can either use the CSR to request a certificate from CACert.org or anywhere else, or you could self-sign it and point your XMPP server at your shiny new certificate!