Generation of self-signed certs doesn't include SANs
Openfire allows an administrator to replace certificates in the identity store with a new keypair and certificate that is self-signed.
The self-signed certificate should have subject alternative names for all XMPP identities of the server (typically including conference.example.org and pubsub.example.org), but it does not.
This issue is most notable when clicking on the first 'here' in the link on the TLS admin console page that reads:
A certificate for the domain of this server is missing. Click here to generate a self-signed certificate or here to import a signed certificate and its private key.
You'd expect that message to go away after clicking on that link, but it does not.
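An added example, not part of the original report and not Openfire code: a shell check that lists which XMPP identities a certificate's DNS subject alternative names fail to cover, which is the condition this report describes. The function names and the sample SAN text are constructed for illustration; `cert_san_text` assumes OpenSSL 1.1.1 or later (for `-ext`), and only `DNS:` entries are inspected, not `xmppAddr` otherName entries.

```shell
#!/bin/sh
# Added example (not Openfire code): list XMPP identities a certificate's DNS SANs do not cover.

# Print the SAN extension of a PEM certificate file (needs OpenSSL 1.1.1+ for -ext).
cert_san_text() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# Read SAN text on stdin, print one lower-cased dNSName per line.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | tr 'A-Z' 'a-z'
}

# san_covers SAN NAME: exact match, or a wildcard matching exactly one left-most label.
san_covers() {
    [ "$1" = "$2" ] && return 0
    case "$1" in '*.'*) ;; *) return 1 ;; esac
    suffix=${1#'*'}                      # "*.example.org" -> ".example.org"
    label=${2%"$suffix"}                 # "conference" when the suffix matches
    [ "$label" != "$2" ] || return 1     # suffix did not match
    [ -n "$label" ] || return 1          # wildcard needs a label to stand for
    case "$label" in *.*) return 1 ;; esac   # wildcard spans one label only
    return 0
}

# missing_sans SAN_TEXT NAME...: print uncovered names; exit status 1 if any are missing.
missing_sans() {
    sans=$(printf '%s\n' "$1" | san_dns_names)
    shift
    rc=0
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        found=no
        while IFS= read -r san; do
            if san_covers "$san" "$name"; then found=yes; fi
        done <<EOF
$sans
EOF
        if [ "$found" = no ]; then printf '%s\n' "$name"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample: SAN text of a certificate that names only the bare domain.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:example.org'
missing_sans "$SAMPLE_SAN" example.org conference.example.org pubsub.example.org ||
    echo "certificate does not cover the names listed above" >&2
```

To check a real certificate, pass `"$(cert_san_text cert.pem)"` as the first argument, where `cert.pem` is a placeholder for a PEM export of the certificate in question.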