I have a question about the domain name / alias to put on the SSL cert for Wildfire.

Our JIDs use the “” domain, but the name of our server is What is the client looking for on the SSL cert?


Hey Matt,

So your server is located in and you are using as the Wildfire server name. That means that you should have a DNS SRV record for that points to Clients and servers that want to connect to your server will perform DNS lookups to resolve Once they have found the hostname or IP address to use, they will try to connect to that address.

From the XMPP perspective the server name is Therefore, local accounts will have the domain (as you said). Clients and other servers will only know about the domain (and only know about while opening a physical connection).

This means that Wildfire certificates MUST use the domain. Clients and remote servers will verify certificates and check them against In summary, is only used when opening a physical connection. For the rest of the operations is the correct domain.

Having said all that, many clients out there are not really validating certificates. Different clients do different validations (e.g. only check that the certificate is not expired). However, this does not mean that server certificates should be incorrect. Certificates should be authenticated by a CA, have a valid date (i.e. not be expired), have a valid certificate chain, and use the correct server name (e.g. in the CN field and also in the subjectAltName field.
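To make the two names concrete, here is an added example (not code from the thread or from Wildfire) that models the client-side check described above: the SRV record decides where the TCP connection goes, but the certificate is matched against the XMPP domain, not the SRV target host. All domain names and the SRV table are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed SRV table: "_xmpp-client._tcp.<xmpp-domain>" -> (target host, port).
# Placeholder names; in real life this comes from a DNS lookup.
SRV_RECORDS: Dict[str, Tuple[str, int]] = {
    "_xmpp-client._tcp.example.org": ("xmpp1.hosting.example.net", 5222),
}


@dataclass
class CertIdentity:
    """Identity names parsed from a server certificate."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)  # dNSName entries


def resolve_xmpp_client(xmpp_domain: str) -> Tuple[str, int]:
    """Where the client opens the physical connection (SRV lookup, constructed table).
    Without an SRV record, clients fall back to the domain itself on port 5222."""
    return SRV_RECORDS.get(f"_xmpp-client._tcp.{xmpp_domain}", (xmpp_domain, 5222))


def _name_match(pattern: str, name: str) -> bool:
    """RFC 6125 style matching: a single '*' may only stand for the whole leftmost label."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if p.startswith("*."):
        parts = n.split(".", 1)
        return len(parts) == 2 and parts[1] == p[2:]
    return p == n


def cert_matches_xmpp_domain(cert: CertIdentity, xmpp_domain: str) -> bool:
    """The certificate must carry the JID domain. When any SAN dNSName is present,
    the CN is ignored (RFC 6125), so the domain should appear in both."""
    if cert.san_dns:
        return any(_name_match(d, xmpp_domain) for d in cert.san_dns)
    return _name_match(cert.subject_cn, xmpp_domain)


def check_connection(xmpp_domain: str, cert: CertIdentity) -> dict:
    """Resolve the connection target and report whether the cert is valid for the domain.
    'host_only' flags the common mistake: a cert issued for the SRV target host alone."""
    host, port = resolve_xmpp_client(xmpp_domain)
    ok = cert_matches_xmpp_domain(cert, xmpp_domain)
    return {
        "connect_to": f"{host}:{port}",
        "cert_ok": ok,
        "host_only": (not ok) and cert_matches_xmpp_domain(cert, host),
    }
```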

Thanks, that's exactly what I needed to know.

The DNS changes have been made locally (I defined the _xmpp-client, _xmpp-server and _jabber service)… they should go live on the net tonight.

I appreciate the help!

