I have an Openfire server with FQDN of the form “xmpp.xxyyzz.edu”. There are SRV records in place that supply this server name when a user connects as "firstname.lastname@example.org"; the XMPP clients resolve this and connect to the correct server. We do not wish to have to have the clients manually set the server to “xmpp.xxyyzz.edu”. So far, so good. I have an SSL certificate in place for “xxyyzz.edu”, which is what the XMPP spec says I should use; it states that the SSL certificate negotiation should be done using the resource as specified by the user (in this case “xxyyzz.edu” and not the actual server name “xmpp.xxyyzz.edu”). This seems to make most XMPP clients happy, except those that did put in the FQ server name. And, when I connect via SSL to the Openfire administrative interface it complains that the certificate is not valid (since it’s using the xxyyzz.edu cert). So, I install a second certificate for xmpp.xxyyzz.edu, but this does not seem to solve the problem.
My questions are: What is the correct FQDN that you want to purchase an SSL certificate for? How do you avoid SSL certificate errors for XMPP and HTTPS connections? Is there a way to use different certs depending on the hostname that the connection is made with?
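
The name check described in the post, as an added example that is not part of the original post: each client compares the name it meant to reach (the JID domain for XMPP, the URL host for HTTPS) with the certificate's dNSName entries. The SAN lists, the JID, the helper names and the assumption that the admin console is browsed at the server FQDN are constructed for illustration; the hostnames are the post's placeholders.

```python
# Added illustration. Hostnames are the post's placeholders; the SAN lists
# and the JID are constructed samples, and the helper names are hypothetical.

def dns_name_matches(pattern: str, name: str) -> bool:
    """Compare one certificate dNSName with the name the client expects.
    '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as '*.edu'.
        return len(p) > 2 and p[1:] == n[1:]
    return p == n

def xmpp_reference_name(jid: str) -> str:
    """Domain part of the JID the user typed, not the SRV target host."""
    bare = jid.split("/", 1)[0]            # drop any resource part
    return bare.rsplit("@", 1)[-1].lower()

def cert_accepts(san_dns_names, expected: str) -> bool:
    """True if any dNSName on the certificate covers the expected name."""
    return any(dns_name_matches(s, expected) for s in san_dns_names)

CERTS = {  # constructed SAN lists, one per candidate certificate
    "domain only": ["xxyyzz.edu"],
    "host only": ["xmpp.xxyyzz.edu"],
    "both names": ["xxyyzz.edu", "xmpp.xxyyzz.edu"],
    "wildcard": ["*.xxyyzz.edu"],
}

EXPECTED = {  # the name each kind of client checks
    "xmpp client": xmpp_reference_name("user@xxyyzz.edu/laptop"),
    "https admin": "xmpp.xxyyzz.edu",  # assumption: console opened at the FQDN
}

def coverage():
    """For every certificate, report which connections would validate."""
    return {label: {conn: cert_accepts(sans, name)
                    for conn, name in EXPECTED.items()}
            for label, sans in CERTS.items()}

if __name__ == "__main__":
    for label, row in coverage().items():
        print(f"{label:12}", row)
```

In this model only the list carrying both names satisfies both checks; the wildcard entry covers the server FQDN but not the bare domain.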