08-07-2017 11:14 PM - edited 03-18-2019 01:23 PM
Any ideas please.
CMS 2.2.5 version X-Series appliance.
Getting the following XMPP Info in logs
XMPP component connection disconnected due to failure reason: "authentication failure"
XMPP handshake failed for reason 7
XMPP thread state failure 1
????
The configuration on the webpage I have is
Call Bridge Name: cms02
Domain: FQDN
Server Address is the address of "A" interface
08-08-2017 10:13 AM
Does the domain entered in Web Admin match what is configured in the XMPP server?
Is the Call Bridge added to the XMPP server, and is the shared secret entered in Web Admin correct?
08-09-2017 02:51 AM
I have two domains
cms01-admin.afghan.swa.army.mil
cms01-a.afghan.swa.army.mil
The key and crt for the webadmin is one and the xmpp is cms01-a
The IP for webadmin is .XX1 and the IP for int a is .XX2
I don't use a bundle CA.
The CA key and .pem public cert is used.
08-09-2017 03:18 AM
Please disregard everything above and go with this ... here is what I have done with my x-series server.
1. I have two A records created
Admin INT: 10.10.10.5 = cms01-admin.example.com
A INT: 10.10.10.6 = cms01-a.example.com
2. SRV records:
_xmpp-client._tcp.vtc.example.com = cms01-a.example.com
_xmpp-server._.vtc.exampl.com = cms01-a.example.com
join1.example.com "CNAME"
So I created a self signed cert for the webadmin = cms01-admin.example.com
.key and .crt
I created a CSR for the cms01-a.example.com and got a public CA with file name .pem
Put that one on the XMPP and Call Bridge and Web Bridge.
Any recommendations ???
08-09-2017 03:08 AM
Patrick,
I think I have confused myself.
OK CMS has WEBADMIN, XMPP, CALLBRIDGE, WEBBRIDGE, and Recording.
CA Certs.
Can I use the same CA Certs for all functions i.e. and create the CSR to get the public cert.
.key
.crt
.pem
Example:
CN: cms01-a.afghan.swa.army.mil
Can I use the same .key .crt and .pem for all services ???
08-10-2017 01:39 PM
You can use the same certificate, and I have done so myself using a wildcard certificate. There is a note about it in the certificate creation guide regarding using the same certificate across multiple components:
If you plan to use the same certificate across multiple components, for example the Web Bridge, XMPP Server, Call Bridge and TURN server, then specify your domain name (DN) in the CN field, and in the SAN field specify your domain name (DN) and the FQDN for each of the components that will use the certificate.
Regarding the XMPP authentication -
As you have vtc.example.com configured for your XMPP SRV records, were you able to verify that this domain is configured as your XMPP domain, and that it's entered correctly in Web Admin?
Did you verify that you have the correct shared secret entered in Web Admin for the Call Bridge that is added to your XMPP server? Use xmpp callbridge list to see the Call Bridges that are added to the XMPP server.
08-11-2017 08:00 PM
Thank you..
Where do I set the shared secret ?? Don't see that anywhere ...
Where do I set the xmpp domain in the web admin ??? I am confused ... How about some real examples please ...
I am using only one x-series server ...
I didn't add a SAN entry so that might be my issue.
I am also not sure how to set up the bundle CA ..
Thanks again for the help and patience .
08-13-2017 03:34 PM
Check to see if you already have a Call Bridge added to the XMPP server. If a Call Bridge is already added, take a note of the name and its secret.
xmpp callbridge list
If you don't, add your Call Bridge. Once added, just as before, take a note of the name and its secret.
xmpp callbridge add <unique Call Bridge name>
Check the configured XMPP domain, and take a note of what it is.
xmpp status
Configure Call Bridge to use XMPP server via Web Admin under Configuration > General > XMPP server settings. Use the Call Bridge name, secret and domain you've gathered previously.
The CMS Certificate Guidelines Deployment Guide has steps on how to configure a Bundle CA. Snippet from the guide:
You can create a certificate bundle by using a plain text editor such as notepad. All of the characters including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags need to be inserted into the document. There should be no space between the certificates, for example no spaces or extra lines between -----END CERTIFICATE----- of certificate 1 and -----BEGIN CERTIFICATE----- of certificate 2. At the end of the file there should be 1 extra line. Save the file with an extension of .pem, .cer, or .crt.
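The bundle layout quoted from the guide above can be produced and checked with a short script instead of a text editor. This is an added example, not part of the original post or Cisco's tooling; the function names and sample inputs are constructed, and it assumes "1 extra line" at the end of the file means a single trailing newline after the last END tag.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)
GAP = re.compile(re.escape(END) + r"(.*?)" + re.escape(BEGIN), re.S)

def extract_certs(text):
    """Return each certificate block in text with LF endings and no stray whitespace."""
    certs = []
    for body in BLOCK.findall(text.replace("\r\n", "\n").replace("\r", "\n")):
        lines = [ln.strip() for ln in body.split("\n") if ln.strip()]
        base64.b64decode("".join(lines), validate=True)  # encoding check only, not X.509
        certs.append("\n".join([BEGIN, *lines, END]))
    return certs

def build_bundle(pem_texts):
    """Join certificates with nothing between them; assumes one final newline is wanted."""
    certs = [c for text in pem_texts for c in extract_certs(text)]
    if not certs:
        raise ValueError("no certificate blocks found")
    return "\n".join(certs) + "\n"

def check_bundle(text):
    """List layout problems the guide warns about; an empty list means none found."""
    problems = []
    if "\r" in text:
        problems.append("CR line endings")
    if text.count(BEGIN) != text.count(END):
        problems.append("unbalanced BEGIN/END tags")
    if any(gap != "\n" for gap in GAP.findall(text)):
        problems.append("space or extra lines between certificates")
    if not text.endswith(END + "\n"):
        problems.append("file does not end with a newline after the last END tag")
    return problems

def _constructed_pem(label):
    # Constructed placeholder body: valid base64, not a real certificate.
    body = base64.b64encode(("constructed " + label).encode()).decode()
    return f"{BEGIN}\n{body}\n{END}"

# Constructed inputs: CRLF endings plus a trailing blank line, and leading blank lines.
SAMPLE_INTERMEDIATE = _constructed_pem("intermediate CA").replace("\n", "\r\n") + "\r\n\r\n"
SAMPLE_ROOT = "\n\n" + _constructed_pem("root CA")

if __name__ == "__main__":
    print("naive paste:", check_bundle(SAMPLE_INTERMEDIATE + SAMPLE_ROOT))
    print("rebuilt:", check_bundle(build_bundle([SAMPLE_INTERMEDIATE, SAMPLE_ROOT])))
```

Write the result of `build_bundle` to a file with a .pem, .cer, or .crt extension, as the guide describes.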
08-08-2017 10:57 PM
Hi Chet,
As Patrick suggested, this could also happen because of the wrong domain configuration.
There is a similar discussion which can help you to resolve your issue, please check the link below.
https://supportforums.cisco.com/discussion/13180411/cisco-meeting-server-xmpp-authentication-service-failure