Openfire's certificate handling routines have various unit tests that verify basic functionality. Learnings from the Spark project indicate that more things should be checked (and possibly fixed).
At the very least, Openfire should have additional tests for the 'revocation' mechanism, covering both CRL and OCSP.
Note that Openfire's CRL handling makes use of a local file that acts as the CRL store. That functionality should be tested, although it should probably be expanded to include using CRLs as provided by third parties ().
Note that these tests should cover the various types of connectivity (e.g. client-to-server, server-to-server).
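
One shape such a test could take for the local-CRL-file case, shown as an added example that is not Openfire's own code: it builds a constructed CA, two leaf certificates and a CRL file, then checks that JDK PKIX validation rejects only the revoked leaf. It assumes Java 11+ and BouncyCastle (bcprov and bcpkix) on the classpath; the class name, method names and subject names are hypothetical, and it exercises the JDK validator directly rather than any Openfire API.

```java
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class LocalCrlRevocationExample { // hypothetical name, constructed test data throughout
    static final X500Name CA = new X500Name("CN=Constructed Test CA");
    static final Date FROM = new Date(System.currentTimeMillis() - 60_000), TO = new Date(System.currentTimeMillis() + 3_600_000);
    // Issue a certificate under the constructed CA; the CA certificate asserts cRLSign so CRLs signed by its key are usable.
    static X509Certificate issue(ContentSigner s, String cn, long serial, PublicKey key, boolean isCa) throws Exception {
        var b = new JcaX509v3CertificateBuilder(CA, java.math.BigInteger.valueOf(serial), FROM, TO, new X500Name(cn), key);
        if (isCa) b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        return new JcaX509CertificateConverter().getCertificate(b.build(s));
    }
    // True if PKIX validation fails with reason REVOKED, with the CRL file as the only source of revocation data.
    static boolean isRevoked(X509Certificate leaf, X509Certificate anchor, Path crlFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        var crls = cf.generateCRLs(new java.io.ByteArrayInputStream(Files.readAllBytes(crlFile)));
        PKIXParameters p = new PKIXParameters(Set.of(new TrustAnchor(anchor, null)));
        p.setRevocationEnabled(true);
        p.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(List.of(leaf)), p);
            return false;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) return true;
            throw e; // any other reason (e.g. undetermined status) is a setup problem, not a verdict
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair caKeys = g.generateKeyPair(), leafKeys = g.generateKeyPair();
        ContentSigner s = new JcaContentSignerBuilder("SHA256withRSA").build(caKeys.getPrivate());
        X509Certificate ca = issue(s, "CN=Constructed Test CA", 1, caKeys.getPublic(), true);
        X509Certificate good = issue(s, "CN=good.example.org", 2, leafKeys.getPublic(), false);
        X509Certificate revoked = issue(s, "CN=revoked.example.org", 3, leafKeys.getPublic(), false);
        // Write a CRL that lists only the "revoked" serial to a temp file standing in for the local CRL store.
        Path crlFile = Files.write(Files.createTempFile("constructed", ".crl"), new X509v2CRLBuilder(CA, FROM).setNextUpdate(TO)
            .addCRLEntry(revoked.getSerialNumber(), FROM, CRLReason.keyCompromise).build(s).getEncoded());
        if (isRevoked(good, ca, crlFile) || !isRevoked(revoked, ca, crlFile)) throw new AssertionError("unexpected revocation result");
    }
}
```

The same fixture can be reused for the client-to-server and server-to-server cases by presenting `good` and `revoked` as the peer certificate in each connection type.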