  1. Openfire
  2. OF-1605

Allow wildcards in self-signed cert generation

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.3.0
    • Component/s: TLS
    • Labels:
      None

      Description

      When Openfire generates a self-signed certificate, it attempts to include all server identities as subject alternative name (SAN) entries. This can lead to a self-signed certificate that has many SANs.

      Most SANs that are added in this way are direct subdomains of the XMPP domain (e.g. pubsub.example.org / example.org).

      Multiple SAN entries on the same domain level should be replaced by a wildcard. This would reduce the number of entries (making it cheaper to get a corresponding CSR signed by some CAs), while at the same time also being more future-proof: if, at some time after certificate generation, a new component is added to the server, its name would likely be automatically covered by the wildcard.

      Usage of a wildcard should be configurable (using the cert.wildcard property).
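
As an added illustration (not Openfire's code), the Java sketch below collapses sibling names into a wildcard and checks that every original identity is still covered under single-label wildcard matching. The grouping rule, the class and method names, and the sample identities are assumptions made for this example.

```java
import java.util.*;
// Added illustration, not Openfire source code. All names here are hypothetical.
public class SanWildcardDemo {
    // Parent domain of a DNS name, or null for a single-label name.
    static String parent(String name) {
        int dot = name.indexOf('.');
        return dot < 0 ? null : name.substring(dot + 1);
    }
    // Assumed rule: two or more names sharing a parent are replaced by "*.<parent>".
    // Names directly under a single-label parent (e.g. "org") are never wildcarded.
    static SortedSet<String> collapse(Collection<String> identities) {
        Map<String, List<String>> byParent = new TreeMap<>();
        SortedSet<String> sans = new TreeSet<>();
        for (String id : identities) {
            String name = id.toLowerCase(Locale.ROOT);
            String p = parent(name);
            if (p == null || !p.contains(".")) sans.add(name);
            else byParent.computeIfAbsent(p, k -> new ArrayList<>()).add(name);
        }
        for (Map.Entry<String, List<String>> e : byParent.entrySet()) {
            if (e.getValue().size() > 1) sans.add("*." + e.getKey());
            else sans.addAll(e.getValue());
        }
        return sans;
    }

    // A wildcard SAN stands in for exactly one leftmost label (RFC 6125, section 6.4.3).
    static boolean covers(String san, String name) {
        if (!san.startsWith("*.")) return san.equalsIgnoreCase(name);
        String p = parent(name.toLowerCase(Locale.ROOT));
        return p != null && p.equals(san.substring(2));
    }

    public static void main(String[] args) {
        // Constructed identities for a hypothetical server with XMPP domain example.org.
        List<String> ids = List.of("example.org", "pubsub.example.org",
                "conference.example.org", "search.example.org", "a.proxy.example.org");
        SortedSet<String> sans = collapse(ids);
        System.out.println(sans);
        for (String id : ids) {
            if (sans.stream().noneMatch(s -> covers(s, id)))
                throw new IllegalStateException("identity lost: " + id);
        }
        // A component added after generation is covered; a deeper name and the bare domain are not.
        System.out.println(covers("*.example.org", "newcomponent.example.org"));
        System.out.println(covers("*.example.org", "x.newcomponent.example.org"));
        System.out.println(covers("*.example.org", "example.org"));
    }
}
```

The bare XMPP domain and any name more than one label below it have to stay as explicit SAN entries, since the wildcard does not match them.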

            People

            Assignee:
            guus Guus der Kinderen
            Reporter:
            guus Guus der Kinderen