4

StartSSL offers special XMPP certificates in addition to their "regular" web server certs. Can anyone tell me if XMPP certificates are special in any way? Isn't it possible to operate an ejabberd with a regular certificate? StartSSL was unfortunately unable to answer my question (they only claimed one needs an XMPP certificate for a Jabber server). :(

Cheers, Sebastian

1 Answer

5

These are a little tricky to find out on the internet - hopping randomly through the "StartSSL" marked ones in this public directory, some were using self-signed certificates, and others were using the same certificates as on their HTTP services (not an "XMPP" cert).

Of the couple that I did find using these special XMPP certs, there were two differences that appear to be significant:

  • The Enhanced Key Usage didn't include Client Authentication (1.3.6.1.5.5.7.3.2), only Server Authentication (1.3.6.1.5.5.7.3.1).
  • Subject Alternative Names included XmppAddr (1.3.6.1.5.5.7.8.5) and SRVName (1.3.6.1.5.5.7.8.7) name(s).

Given that these certificates seem to be rarely used, it doesn't seem likely that having these extra alt names actually matters in many (or any?) XMPP implementations... but there you go, those are the differences.

Shane Madden
  • Could one use an XMPP certificate as a web server certificate? – tofutim Oct 17 '14 at 19:39
  • @tofutim Yes, as long as the subject name (or an alternative name) is appropriate for the hostname you're trying to use it for. – Shane Madden Oct 17 '14 at 19:41
  • 1
    I know this is an old one but to add to what Shane answered, what the OP is calling an XMPP certificate is just a CLASS 2 (or above) certificate. Class 1 certificates aren't suitable for server-client authentication (are missing those two entries Shane mentions) while Class 2 and above do. While Shane is right that one can use a self-signed or Class 1 certificate and it will work, do keep in mind that this could change in the future with server-server or even server-client communication not being allowed without at least Class 2 if the RFC gets more strict with this – 537mfb Dec 17 '14 at 10:23
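To make the two differences from the answer concrete, here is an added example (not from the original post or from StartSSL) that builds a self-signed certificate carrying an XmppAddr (1.3.6.1.5.5.7.8.5) and SRVName (1.3.6.1.5.5.7.8.7) otherName in the Subject Alternative Name and an Extended Key Usage limited to Server Authentication, then parses the certificate back to show what an XMPP implementation would have to read. It uses the third-party `cryptography` package; the domain `xmpp.example.com`, the helper names and the hand-rolled DER string encoding are all assumptions made for the example.

```python
# Added example (not from the original post): build a self-signed "XMPP-style"
# certificate with the two properties the answer describes, then parse it back.
# Requires the third-party `cryptography` package. All names are constructed.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# OIDs quoted in the answer: id-on-xmppAddr and id-on-dnsSRV (SRVName)
XMPP_ADDR_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.5")
SRV_NAME_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.7")

UTF8STRING_TAG = 0x0C   # XmppAddr is carried as a UTF8String
IA5STRING_TAG = 0x16    # SRVName is carried as an IA5String


def _der_string(tag: int, text: str) -> bytes:
    """Minimal DER encoding of a short (<128 byte) string with the given tag."""
    body = text.encode("utf-8")
    if len(body) >= 128:
        raise ValueError("short-form DER length only in this example")
    return bytes([tag, len(body)]) + body


def _der_decode_string(data: bytes, expected_tag: int) -> str:
    """Inverse of _der_string for the short form; rejects anything else."""
    if len(data) < 2 or data[0] != expected_tag or data[1] != len(data) - 2:
        raise ValueError("unexpected otherName encoding")
    return data[2:].decode("utf-8")


def build_xmpp_cert(domain: str) -> x509.Certificate:
    """Self-signed cert whose SAN holds DNS + XmppAddr + SRVName entries and
    whose EKU contains only serverAuth (the two differences the answer lists)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)])
    san = x509.SubjectAlternativeName([
        x509.DNSName(domain),
        x509.OtherName(XMPP_ADDR_OID, _der_string(UTF8STRING_TAG, domain)),
        x509.OtherName(SRV_NAME_OID, _der_string(IA5STRING_TAG, "_xmpp-server." + domain)),
        x509.OtherName(SRV_NAME_OID, _der_string(IA5STRING_TAG, "_xmpp-client." + domain)),
    ])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(san, critical=False)
        # Server Authentication only; deliberately no Client Authentication
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )


def inspect_cert(cert: x509.Certificate) -> dict:
    """Extract the names and key-usage bits an XMPP peer would match against."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    xmpp_addrs, srv_names = [], []
    # get_values_for_type returns the OtherName objects themselves (OID + DER value)
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == XMPP_ADDR_OID:
            xmpp_addrs.append(_der_decode_string(other.value, UTF8STRING_TAG))
        elif other.type_id == SRV_NAME_OID:
            srv_names.append(_der_decode_string(other.value, IA5STRING_TAG))
    return {
        "dns_names": san.get_values_for_type(x509.DNSName),
        "xmpp_addrs": xmpp_addrs,
        "srv_names": srv_names,
        "server_auth": ExtendedKeyUsageOID.SERVER_AUTH in eku,
        "client_auth": ExtendedKeyUsageOID.CLIENT_AUTH in eku,
    }


if __name__ == "__main__":
    print(inspect_cert(build_xmpp_cert("xmpp.example.com")))
```

Running `inspect_cert` over a certificate you already have (load it with `x509.load_pem_x509_certificate`) is a quick way to tell a plain web-server certificate, which will show an empty `xmpp_addrs`/`srv_names` list and usually `client_auth` set, from one issued with the XMPP-specific names the answer describes.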