I did what stuartbain suggested on a brand new 3.3.2 install.
It all seemed to work, but I am still not sure what to do about DSA.
As rectorydp mentioned, if you get the XMPP cert without sending your own CSR, you only get an RSA cert. Should I run an XMPP Federation-signed RSA cert alongside a self-signed DSA cert?
You can't use the openssl command line to somehow make a DSA cert from your RSA cert, right?
Another observation is that once I imported the signed RSA certificate without any errors, and told Openfire to make encryption mandatory on server-to-server traffic, no external servers connected to my server anymore.
Not even jabber.org, who no doubt trust the StartCom CA and have it installed.
Edit: With the signed RSA cert installed, my SRV records up to scratch and s2s set to require encryption, s2s traffic with jabber.org.au and jabber.org fails. In the debug.log I find the following over and over, once for each connection attempt:
2007.07.28 20:34:57 OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2007.07.28 20:34:57 OS - Plain connection to jabber.org:5269 successful
2007.07.28 20:34:57 OS - Indicating we want TLS to jabber.org
2007.07.28 20:34:57 OS - Negotiating TLS with jabber.org
2007.07.28 20:34:58 OS - TLS negotiation with jabber.org was successful
2007.07.28 20:34:58 OS - Error, no SASL mechanisms were offered by jabber.org
2007.07.28 20:34:58 OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2007.07.28 20:34:58 OS - Plain connection to jabber.org:5269 successful
2007.07.28 20:34:58 OS - Indicating we want TLS to jabber.org
2007.07.28 20:34:58 OS - Negotiating TLS with jabber.org
2007.07.28 20:34:59 OS - TLS negotiation with jabber.org was successful
2007.07.28 20:34:59 OS - Error, no SASL mechanisms were offered by jabber.org
Message was edited by: centrex
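The debug.log excerpt above is the useful part of the post for anyone diagnosing the same s2s failure: each outbound attempt gets through TCP and TLS and then stops at the SASL step. The script below is an added example (editor's code, not part of the original post or of Openfire) that parses lines of that shape into per-domain connection attempts and reports, for each remote domain, how far the attempts got and what error ended them. The sample log is constructed from the lines quoted in the post; the stage names are this example's own labels, not Openfire terminology. It only understands the "OS - " message formats seen above, so any other message is ignored, and an error line is attributed to the domain named in it (or, failing that, to the last domain seen).

```python
"""Summarize Openfire 3.x server-to-server (s2s) debug-log lines by remote domain.

Added example for diagnosing s2s failures such as the one in the post above;
not Openfire code. Only the 'OS - ' message formats quoted in the post are parsed.
"""
import re
from collections import defaultdict

# Constructed sample, shaped after the debug.log lines quoted in the post.
SAMPLE_LOG = """\
2007.07.28 20:34:57 OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2007.07.28 20:34:57 OS - Plain connection to jabber.org:5269 successful
2007.07.28 20:34:57 OS - Indicating we want TLS to jabber.org
2007.07.28 20:34:57 OS - Negotiating TLS with jabber.org
2007.07.28 20:34:58 OS - TLS negotiation with jabber.org was successful
2007.07.28 20:34:58 OS - Error, no SASL mechanisms were offered by jabber.org
2007.07.28 20:34:58 OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2007.07.28 20:34:58 OS - Plain connection to jabber.org:5269 successful
2007.07.28 20:34:58 OS - Indicating we want TLS to jabber.org
2007.07.28 20:34:58 OS - Negotiating TLS with jabber.org
2007.07.28 20:34:59 OS - TLS negotiation with jabber.org was successful
2007.07.28 20:34:59 OS - Error, no SASL mechanisms were offered by jabber.org
"""

# Stage labels are this example's own, ordered from first to last step of an
# outbound s2s attempt so that "furthest stage reached" can be compared.
STAGES = ["connect", "tcp", "tls-requested", "tls-negotiating", "tls-ok"]

LINE_RE = re.compile(r"^(\S+ \S+) OS - (.*)$")
PATTERNS = [
    (re.compile(r"Trying to connect to ([^:\s]+):\d+"), "connect"),
    (re.compile(r"Plain connection to ([^:\s]+):\d+ successful"), "tcp"),
    (re.compile(r"Indicating we want TLS to (\S+)"), "tls-requested"),
    (re.compile(r"Negotiating TLS with (\S+)"), "tls-negotiating"),
    (re.compile(r"TLS negotiation with (\S+) was successful"), "tls-ok"),
]
ERROR_RE = re.compile(r"^Error, (.*)$")


def parse_attempts(log_text):
    """Return {domain: [attempt, ...]}; each attempt records the timestamp it
    started, the furthest stage it reached and the error (if any) that ended it."""
    attempts = defaultdict(list)
    current = {}        # domain -> attempt still in progress
    last_domain = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not an 'OS - ' line we understand
        ts, msg = m.groups()
        stage_hit = False
        for pat, stage in PATTERNS:
            pm = pat.search(msg)
            if not pm:
                continue
            domain = pm.group(1)
            if stage == "connect":        # a new attempt begins
                att = {"start": ts, "stage": stage, "error": None}
                attempts[domain].append(att)
                current[domain] = att
            elif domain in current:       # advance the open attempt, never regress
                att = current[domain]
                if STAGES.index(stage) > STAGES.index(att["stage"]):
                    att["stage"] = stage
            last_domain = domain
            stage_hit = True
            break
        if stage_hit:
            continue
        em = ERROR_RE.match(msg)
        if em:
            # Attribute the error to a domain named in the message, else the last one seen.
            named = next((d for d in current if d in msg), last_domain)
            if named in current:
                current.pop(named)["error"] = em.group(1)
    return dict(attempts)


def diagnose(attempts):
    """One summary line per domain: attempt count, furthest stage, distinct errors."""
    lines = []
    for domain, atts in sorted(attempts.items()):
        furthest = max(atts, key=lambda a: STAGES.index(a["stage"]))["stage"]
        errors = sorted({a["error"] for a in atts if a["error"]})
        lines.append(f"{domain}: {len(atts)} attempt(s), furthest stage {furthest}, "
                     f"errors: {'; '.join(errors) or 'none'}")
    return lines


if __name__ == "__main__":
    for line in diagnose(parse_attempts(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports that both attempts to jabber.org reached the tls-ok stage and were ended by the "no SASL mechanisms were offered" error, which is the pattern to look for before suspecting the certificate itself: TLS negotiated fine, and the disconnect happens at the authentication step that follows it. Feeding it a real debug.log with several remote domains gives one line per domain, which makes it quick to see whether every peer fails at the same step.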