Use CRL as provided by CA
Certificates that are issued can be revoked at a later stage. One way to determine if an previously issued certificate is revoked, is to check various Certificate Revocation Lists (CRLs).
Openfire supports this mechanism, but seems to be limited to using a local file that contains the CRL.
Certificate Authorities provide online CRLs (their location is provided in their certificate). When such CRLs are available, Openfire should (also) use those.
Note that this should cover various types of connectivity (eg: client-to-server, server-to-server).