You need a certificate for the domain you are going to serve of course. You can get one with ACME DNS challenges pretty easily (I have my clients set up a CNAME for the _acme-challenge subdomain of their domain).

▲ yosamino 2 hours ago | parent [-]

I worded that poorly.

Yes, that is of course correct. But that means that your clients have to trust you without technical safeguards, that you will not use this to get for certificates for purposes other than XMPP.

Which, in my mind, is a problem if the domain is not used just for XMPP, but lets say for a website as well.

	▲	Joe_Cool an hour ago \| parent [-]
		You should be able to do that via DNS SRV entries. `_xmpp-client._tcp.domain.tld. TTL IN SRV priority weight port target _xmpps-client._tcp.domain.tld. TTL IN SRV priority weight port target example: _xmpp-client._tcp.not-my-domain.com. 3599 IN SRV 5 0 5222 jabber.my-domain.com.` You could also build a reverse proxy setup. Then you wouldn't need the keys to the SSL certs. But that is probably overkill to run at your client: https://wiki.xmpp.org/web/Tech_pages/XEP-0368 I don't think I have seen a client complain about the cert being for jabber.my-domain.com Which one is giving trouble there? source: https://datatracker.ietf.org/doc/html/rfc6120 https://wiki.xmpp.org/web/SRV_Records