Manual Server Installation for Jitsi Meet

The instructions to manually install a Jitsi Meet server have a section on configuring prosody. Towards the end of that section it has you generate certs for the domain:

prosodyctl cert generate jitsi.example.com
prosodyctl cert generate auth.jitsi.example.com

Is it necessary to generate a cert for auth.jitsi.example.com? It seems like just doing jitsi.example.com pulls in the auth subdomain.

# prosodyctl cert generate jitsi.example.com

Choose key size (2048):
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
......................+++++
e is 65537 (0x010001)
Key written to /var/db/prosody/jitsi.example.com.key
Please provide details to include in the certificate config file.
Leave the field empty to use the default value or '.' to exclude the field.
countryName (GB): US
localityName (The Internet): 
organizationName (Your Organisation): 
organizationalUnitName (XMPP Department): 
commonName (jitsi.example.com):
emailAddress (xmpp@jitsi.example.com):

Config written to /var/db/prosody/jitsi.example.com.cnf
Certificate written to /var/db/prosody/jitsi.example.com.crt

# cat /var/db/prosody/jitsi.example.com.cnf

[distinguished_name]
countryName = US
localityName = The Internet
organizationName = Your Organisation
organizationalUnitName = XMPP Department
commonName = jitsi.example.com
emailAddress = xmpp@jitsi.example.com

[req]
distinguished_name = distinguished_name
prompt = no
req_extensions = certrequest
x509_extensions = selfsigned

[subject_alternative_name]
otherName.0 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-client.auth.jitsi.example.com
otherName.1 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.auth.jitsi.example.com
otherName.2 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:auth.jitsi.example.com
otherName.3 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-client.jitsi.example.com
otherName.4 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:jitsi.example.com
otherName.5 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.conference.jitsi.example.com
otherName.6 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:conference.jitsi.example.com
otherName.7 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.jitsi-videobridge.jitsi.example.com
otherName.8 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:jitsi-videobridge.jitsi.example.com
otherName.9 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.focus.jitsi.example.com
otherName.10 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:focus.jitsi.example.com
DNS.0 = auth.jitsi.example.com
DNS.1 = jitsi.example.com
DNS.2 = conference.jitsi.example.com
DNS.3 = jitsi-videobridge.jitsi.example.com
DNS.4 = focus.jitsi.example.com

[certrequest]
basicConstraints = CA:FALSE
subjectAltName = @subject_alternative_name
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth

[selfsigned]
basicConstraints = CA:TRUE
subjectAltName = @subject_alternative_name

# openssl x509 -text < /var/db/prosody/jitsi.example.com.crt | grep DNS

othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, DNS:auth.jitsi.example.com, DNS:jitsi.example.com, DNS:conference.jitsi.example.com, DNS:jitsi-videobridge.jitsi.example.com, DNS:focus.jitsi.example.com
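
The grep above can be turned into a repeatable check. The following is an added example, not part of the original thread or the Jitsi docs: it reads the subjectAltName text that openssl prints and lists which hostnames have no matching DNS entry. The function names and the host turn.jitsi.example.com are hypothetical, and the sample line is shortened from the output above.

```shell
#!/bin/sh
# Added example. Feed it real data with:
#   openssl x509 -noout -ext subjectAltName -in /var/db/prosody/jitsi.example.com.crt

# Sample SAN text, shortened from the output quoted in the thread.
SAMPLE_SAN='othername:<unsupported>, othername:<unsupported>, DNS:auth.jitsi.example.com, DNS:jitsi.example.com, DNS:conference.jitsi.example.com, DNS:jitsi-videobridge.jitsi.example.com, DNS:focus.jitsi.example.com'

# Print one lower-cased DNS SAN per line; otherName entries are skipped.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# covered HOST NAMES: succeed if HOST matches a name exactly, or matches a
# wildcard name that replaces exactly one leftmost label.
covered() {
    while IFS= read -r n; do
        case $n in
            \*.*) base=${n#'*.'}; rest=${1#*.}
                  [ "$rest" != "$1" ] && [ "$rest" = "$base" ] && return 0 ;;
            *)    [ "$1" = "$n" ] && return 0 ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# missing_hosts SAN_TEXT HOST...: print each HOST the certificate does not cover.
missing_hosts() {
    names=$(printf '%s\n' "$1" | san_dns_names); shift
    for host in "$@"; do
        h=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
        covered "$h" "$names" || printf '%s\n' "$host"
    done
}

# Demo: auth.jitsi.example.com is covered; the hypothetical turn host is not.
missing_hosts "$SAMPLE_SAN" auth.jitsi.example.com turn.jitsi.example.com
```

An empty result means every listed name is already in the certificate, which is the situation the question describes for auth.jitsi.example.com.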

It is not. This is a virtual host inside Prosody and you don’t need DNS for that XMPP domain; in other words, there are multiple names internal to the system. You only need a certificate for the domain terminating the SSL, which is the webserver domain.

I think I understood. So to clarify… This command (according to the instructions) is unnecessary?

prosodyctl cert generate auth.jitsi.example.com

If so, should I make a PR to remove it from the docs?

Follow-up question.

Is it perfectly fine to leave the Prosody cert as self-signed and only obtain a signed certificate for the web server?