Bug: Openfire does not present the correct certificate for the web administration tool when using multiple certificates

Hi community.

I currently have 2 servers set up on 2 different server nodes in 2 different domains.

My current task is to make a default DNS alias for the administration tool and have a correct certificate for that alias.

My 2 servers are named Blue and Red, as are their DNS names.

The aliases I want to use are “https://admin.blue.se:9091” and “https://admin.red.se:9091”.

I have 2 sets of certificates generated for these servers.

The first set is for the alias “blue.se” and the other set is for “*.blue.se”, and the same goes for “red.se” and “*.red.se”. I should state that I require both for SSO and all other functions to work properly, so I cannot remove either of those sets of certificates.

When I then try to connect to the admin pages using the aliases stated above, I get different results on the two servers.

On Blue I cannot get a valid certificate when I browse to “https://admin.blue.se:9091”, but I do get a valid one when I try the normal “https://blue.se:9091”.

The total opposite happens on the Red server, where “https://admin.red.se:9091” is working and “https://red.se:9091” gives an error that the certificate is invalid for this address.

I have however narrowed the problem down to this.

In the Server certificates page all certificates are listed from 1 to X, in my case 4. On the Blue server I first have “*.blue.se” followed by “blue.se”; on Red I have the opposite order, “red.se” and then “*.red.se”.

It looks to me like Openfire sends the last certificate it finds to the web browser, without checking whether it has any valid certificate for the requested name in the entire keystore.

One solution I thought of is to generate and install the certificates in the exact same order on both servers, but I already have them installed, and from what I currently know I cannot control in what order the certificates are stored in the keystore. I could of course remove one set of certificates and then regenerate it so that it ends up in the right place from the start, but that is not an option, as I require this to work on installation/deployment of a server without any manual steps to make it work properly.
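The following is an added example, not code from the post above or from the Openfire project. It does two things a practitioner would want here: a probe that connects to port 9091 with a given SNI name and reports which names the presented leaf certificate actually carries, and a small model of certificate selection that reproduces the poster's observations under the hypothesis that the last keystore entry is always sent. The host names, aliases and keystore order are taken from the post; the "last entry wins" behaviour is the poster's hypothesis, not confirmed Openfire behaviour; the `cryptography` package is assumed to be installed for the network probe only.

```python
"""Probe which certificate a TLS server presents for a name, and model
certificate selection against an ordered keystore listing.

Added example; assumptions: port 9091 as in the post, the 'cryptography'
package for DER parsing in presented_cert_names(), and the "last entry is
always sent" model being the poster's hypothesis rather than fact.
"""
import socket
import ssl
from typing import List, Optional, Tuple


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or DNS SAN) covers hostname.

    Browser rules: case-insensitive exact match, or a wildcard that is the
    whole left-most label and matches exactly one label, so "*.blue.se"
    covers "admin.blue.se" but neither "blue.se" nor "a.b.blue.se".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".blue.se"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # "admin"
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(hostname_matches(n, hostname) for n in cert_names)


Keystore = List[Tuple[str, List[str]]]      # ordered (alias, names) as on the certificates page


def first_covering_alias(keystore: Keystore, hostname: str) -> Optional[str]:
    """What name-aware selection looks like: walk the keystore in order and
    return the first alias whose certificate covers hostname, else None."""
    for alias, names in keystore:
        if cert_covers(names, hostname):
            return alias
    return None


def last_entry_outcome(keystore: Keystore, hostname: str) -> Tuple[str, bool]:
    """Model of the behaviour the post suspects (hypothesis, not confirmed):
    the last keystore entry is always presented.  Returns (alias, valid?)."""
    alias, names = keystore[-1]
    return alias, cert_covers(names, hostname)


def presented_cert_names(host: str, port: int = 9091, sni: Optional[str] = None,
                         timeout: float = 5.0) -> List[str]:
    """Connect with SNI=sni (default: host), skip chain verification so we
    see the leaf even when it is wrong, and return its CN plus DNS SANs.
    Requires the 'cryptography' package (assumed, not stdlib)."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    names = [str(a.value) for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names += san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    return names


if __name__ == "__main__":
    import sys
    # Usage: python probe.py admin.blue.se   (prints the presented names and a verdict)
    target = sys.argv[1] if len(sys.argv) > 1 else "admin.blue.se"
    names = presented_cert_names(target, sni=target)
    verdict = "valid" if cert_covers(names, target) else "MISMATCH"
    print(f"{target} -> {names} ({verdict})")
```

Running the probe against both aliases and both bare names on each server shows directly which certificate the admin console sends for each SNI name, which is the evidence to attach to a bug report. The keystore model can be fed the order shown on the Server certificates page to check whether the observed failures line up with the "last entry" hypothesis.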