When Openfire generates a self-signed certificate, it attempts to include all server identities as subject alternative name (SAN) entries. This can lead to a self-signed certificate that has many SANs.
Most SANs that are added in this way are direct subdomains of the XMPP domain (e.g. pubsub.example.org for the XMPP domain example.org).
Multiple SAN entries on the same domain level should be replaced by a wildcard. This would reduce the number of entries (making it cheaper to get a corresponding CSR signed by some CAs), and it would also be more future-proof: if a new component is added to the server at some point after the certificate has been generated, its name would likely be covered by the wildcard automatically.
Usage of a wildcard should be configurable (using the cert.wildcard property).
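One way the proposed collapsing could work, as an added example (not Openfire code; the class and method names are hypothetical, the boolean stands in for the cert.wildcard property, and the sample names are constructed). It goes slightly beyond the text by keeping the bare XMPP domain and deeper names explicit, because a wildcard SAN matches exactly one label.

```java
import java.util.*;

public class SanWildcardExample {
    // Collapse SAN dNSNames that share a parent inside the XMPP domain into "*.<parent>".
    // useWildcard stands in for the cert.wildcard property (assumed to be a boolean).
    static SortedSet<String> collapse(Collection<String> identities, String xmppDomain, boolean useWildcard) {
        String domain = xmppDomain.toLowerCase(Locale.ROOT);
        SortedSet<String> sans = new TreeSet<>();
        Map<String, SortedSet<String>> byParent = new TreeMap<>();
        for (String raw : identities) {
            String name = raw.toLowerCase(Locale.ROOT);
            int dot = name.indexOf('.');
            String parent = dot < 0 ? "" : name.substring(dot + 1);
            // Only group names whose parent is the XMPP domain or lies below it, so that
            // unrelated hostnames can never produce an over-broad entry such as "*.org".
            boolean inDomain = parent.equals(domain) || parent.endsWith("." + domain);
            if (useWildcard && inDomain) {
                byParent.computeIfAbsent(parent, k -> new TreeSet<>()).add(name);
            } else {
                sans.add(name);
            }
        }
        for (Map.Entry<String, SortedSet<String>> e : byParent.entrySet()) {
            if (e.getValue().size() > 1) {
                sans.add("*." + e.getKey());   // several siblings: one wildcard covers them
            } else {
                sans.addAll(e.getValue());     // a lone name stays explicit
            }
        }
        return sans;
    }

    public static void main(String[] args) {
        // Constructed sample identities for a server whose XMPP domain is example.org.
        List<String> ids = List.of("example.org", "pubsub.example.org", "conference.example.org",
                "search.example.org", "proxy.internal.example.org", "xmpp1.example.net");
        System.out.println(collapse(ids, "example.org", false));
        System.out.println(collapse(ids, "example.org", true));
    }
}
```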