Allow wildcards in self-signed cert generation


When Openfire generates a self-signed certificate, it attempts to include all server identities as subject alternative name (SAN) entries. This can lead to a self-signed certificate that has many SANs.

Most SANs that are added in this way are direct subdomains of the XMPP domain (eg: /

Multiple SAN entries on the same domain level should be replaced by a wildcard. This would reduce the number of entries (making it cheaper to get a corresponding CSR signed by some CAs), while also being more future-proof: if a new component is added to the server at some point after certificate generation, its name would likely be covered automatically by the wildcard.

Usage of a wildcard should be configurable (using the cert.wildcard property).
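
The collapsing rule proposed above, sketched as an added example (not Openfire's own code and not part of the original issue): direct subdomains of the XMPP domain are replaced by a single wildcard entry, and everything else is kept as an explicit SAN. The class and method names, the sample host names and the `useWildcard` parameter (standing in for the `cert.wildcard` property) are assumptions made for illustration.

```java
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

public class WildcardSanExample {

    // Hypothetical helper: returns the SAN dNSName values to put in the certificate.
    static Set<String> collapse(String xmppDomain, Collection<String> identities, boolean useWildcard) {
        String suffix = "." + xmppDomain.toLowerCase(Locale.ROOT);
        Set<String> kept = new TreeSet<>();    // names that stay as explicit SAN entries
        Set<String> direct = new TreeSet<>();  // names exactly one label below the XMPP domain
        for (String identity : identities) {
            String name = identity.toLowerCase(Locale.ROOT);
            boolean isSub = name.endsWith(suffix) && name.length() > suffix.length();
            String label = isSub ? name.substring(0, name.length() - suffix.length()) : "";
            // A wildcard matches a single label only, so the bare domain and
            // deeper names (a.b.example.org) are not covered and must be kept.
            if (isSub && !label.contains(".")) {
                direct.add(name);
            } else {
                kept.add(name);
            }
        }
        // Collapse only when there are multiple entries on that level, and only
        // below the XMPP domain, so no wildcard is ever built on a parent domain
        // the server does not own.
        if (useWildcard && direct.size() > 1) {
            kept.add("*" + suffix);
        } else {
            kept.addAll(direct);
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample identities, not taken from a real server.
        List<String> identities = List.of(
                "example.org", "conference.example.org", "pubsub.example.org",
                "search.example.org", "room.conference.example.org");
        System.out.println("wildcard on:  " + collapse("example.org", identities, true));
        System.out.println("wildcard off: " + collapse("example.org", identities, false));
    }
}
```

With the wildcard enabled, the three component names become one `*.example.org` entry, while `example.org` and `room.conference.example.org` remain listed because a single-label wildcard does not match them.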




Guus der Kinderen

