On Tue, 19 Jul 2016 16:15:40 +0200, Florian Schmaus <f...@geekplace.eu> wrote:
> Isn't one problem that a cert with CN "example.org" will be valid for
> all services found on example.org (simply speaking), whereas using
> SRV-ID restricts the cert to a particular service?

I have always wondered which domains should actually be included in a TLS certificate for use in XMPP services once an SRV record is in place. Do I need a certificate which covers xmpp.example.com? Or does one for example.com suffice, given that that's what is actually part of the JIDs? Or do I even need one that covers _xmpp-server._tcp.example.com and _xmpp-client._tcp.example.com? A combination of these three?

If more than one of these is required, this rules out simple certs only covering a CN; at least one SAN is required.

Ideas, anyone? Is there documentation of the actual practice?

Greetings
Marvin

--
Blog: http://www.guelkerdev.de
PGP/GPG ID: F1D8799FBCC8BC4F
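
The scoping difference raised in the quoted reply, as an added example that is not part of either poster's message: a small matcher for DNS-ID and SRV-ID names showing which services each kind of certificate is accepted for. It assumes the verifier builds its reference identifiers from the JID domain (the approach RFC 6125 describes) and that SRV-IDs use the "_service.domain" form of RFC 4985; the certificates are constructed lists, not parsed X.509.

```python
# Added example. Certificates are modelled as lists of (type, value) pairs;
# every name below is constructed for illustration.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def dns_id_matches(presented, domain):
    """DNS-ID: exact match, or '*' as the complete left-most label."""
    p, d = _labels(presented), _labels(domain)
    if len(p) != len(d):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a single label such as '*.org'.
        return len(p) > 2 and p[1:] == d[1:]
    return p == d

def srv_id_matches(presented, service, domain):
    """SRV-ID: '_service.domain'; service and domain must both agree."""
    svc, _, name = presented.partition(".")
    return svc.lower() == "_" + service.lower() and _labels(name) == _labels(domain)

def cert_accepts(identifiers, service, source_domain):
    """True if any presented identifier matches a reference identifier
    built from the source domain (assumed: the JID domain) and service."""
    for kind, value in identifiers:
        if kind == "DNS" and dns_id_matches(value, source_domain):
            return True
        if kind == "SRV" and srv_id_matches(value, service, source_domain):
            return True
    return False

DNS_ONLY = [("DNS", "example.org")]                # plain domain name
SRV_ONLY = [("SRV", "_xmpp-client.example.org")]   # one service only
TARGET_ONLY = [("DNS", "xmpp.example.org")]        # SRV target host name only

def report(source_domain="example.org"):
    """Acceptance per certificate and service for one source domain."""
    certs = {"dns-only": DNS_ONLY, "srv-only": SRV_ONLY, "target-only": TARGET_ONLY}
    services = ("xmpp-client", "xmpp-server", "imaps")
    return {name: {s: cert_accepts(ids, s, source_domain) for s in services}
            for name, ids in certs.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:12} {row}")
```

Under these assumptions the DNS-ID certificate is accepted for every service on the domain, the SRV-ID certificate only for the client service, and a certificate naming only the SRV target host for none of them.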