How to create XMPP certificate with Windows CA?

I’m trying to create a “proper” XMPP certificate for my Openfire server using the Windows Certification Authority in the domain (Windows 2008 R2), but can’t figure out how to do this.

Openfire server can generate self-signed certificates (DSA + RSA), which include xmppAddr as Subject Alternative Name.

I found these sites explaining XMPP certificates:

https://roll.urown.net/ca/x509.html

XMPP Server Certificates - XMPP WIKI

Basically I need to add OID 1.3.6.1.5.5.7.8.5 to the certificate (this is the OID for xmppAddr).

This is the method I tried to create a CA-signed XMPP certificate, which would include the xmppAddr attribute:

  1. Create a new Web Server certificate template.
     1. Duplicate the built-in Web Server template.
     2. Select Windows Server 2003 as minimum supported CA.
     3. Set the template name and change the validity period.
     4. Check “Allow key to be exported” at request handling (to be able to import the private key later in Openfire).
     5. CSPs are default.
     6. Allow “Everyone” to Read and Enroll (only for testing purposes).
     7. Everything else is left by default.
  2. Create the XMPP certificate:
     1. Request new certificate (on the Openfire Server).
     2. Select the newly created Web Server template (Web Server - RSA) and add some details.
     3. Add Subject Names. In this example I'm adding:
        - CN = talk.example.local
        - DNS = talk.example.local, *.talk.example.local (wildcard)
        - Other name = OID 1.3.6.1.5.5.7.8.5 (xmppAddr), value 74 61 6c 6b 2e 65 78 61 6d 70 6c 65 2e 6c 6f 63 61 6c (talk.example.local converted to hex)
     4. Add a friendly name.
     5. That’s it. Then I click OK and Enroll, and the certificate is ready to use.

This certificate works fine (can connect to the server with SSL), however Openfire can’t read the xmppAddr attribute (it shows #74616c6b2e6578616d706c652e6c6f63616c as xmppAddr instead of talk.example.local).

The Subject Alternative Name has this info:

    DNS Name=talk.example.local
    DNS Name=*.talk.example.local
    Other Name:
    1.3.6.1.5.5.7.8.5=04 12 74 61 6c 6b 2e 65 78 61 6d 70 6c 65 2e 6c 6f 63 61 6c

The problem is the first byte in the xmppAddr attribute, which should be 0c instead of 04. The Windows OID encoding isn’t correct.

How could I correct this error in Windows? Do I need to add this custom OID to the Certificate Template? Or will creating an XMPP certificate with Windows never work?

As a workaround I used openssl (on Openfire) and certreq (on Windows CA) to create a proper XMPP certificate, but I would like to do this without using openssl.
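To make the encoding problem in the post concrete, here is an added example (not from the original post, Openfire or Windows) that decodes the otherName value bytes quoted above and builds the UTF8String form the xmppAddr value should carry; the function names and the sample bytes are my own, taken from the values quoted in the post.

```python
from typing import Tuple

# OID of the xmppAddr otherName (id-on-xmppAddr), as quoted in the post.
XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"

TAG_NAMES = {0x04: "OCTET STRING", 0x0C: "UTF8String"}


def _encode_length(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_tlv(der: bytes) -> Tuple[int, bytes]:
    """Split a single DER TLV into (tag, contents); rejects truncated or trailing data."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, first, pos = der[0], der[1], 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(der[2:2 + nbytes], "big")
        pos += nbytes
    contents = der[pos:pos + length]
    if len(contents) != length or pos + length != len(der):
        raise ValueError("length does not match value")
    return tag, contents


def encode_xmpp_addr(jid: str) -> bytes:
    """Correct DER for an xmppAddr otherName value: a UTF8String (tag 0x0c)."""
    data = jid.encode("utf-8")
    return bytes([0x0C]) + _encode_length(len(data)) + data


def check_xmpp_addr(value_der: bytes) -> dict:
    """Report the tag of an otherName value and whether it is the expected UTF8String."""
    tag, contents = _decode_tlv(value_der)
    return {"tag": f"0x{tag:02x}", "tag_name": TAG_NAMES.get(tag, "other"),
            "text": contents.decode("utf-8", errors="replace"), "ok": tag == 0x0C}


if __name__ == "__main__":
    # Constructed sample: the value bytes the Windows CA emitted, as shown in the post.
    windows_value = bytes.fromhex("0412") + b"talk.example.local"
    print(check_xmpp_addr(windows_value))                             # OCTET STRING, ok False
    print(check_xmpp_addr(encode_xmpp_addr("talk.example.local")))   # UTF8String, ok True
```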

I am interested in the solution as well, as I would like to use Windows Certification Authority.