Certificate Signing Requests are not generated when issuer name matches xmpp domain. To reproduce this problem create new certificates and then complete the issuer information from the admin console. When entering the Name of the issuer use the XMPP domain of the server. Once saved you will go back to the certificates page but you won't be able to get the CSR information. Both ssl-signing-request.jsp and ssl-certificates.jsp have a line like this: // Self-signed certs are certs generated by Openfire whose IssueDN equals SubjectDN boolean isSelfSigned = c.getSubjectDN().equals(c.getIssuerDN()); The problem is subjectDN was modified for 3.4.2 to be like issuerDN to be accepted by some CAs. We now need to use another logic to find out whether a certificate is self-signed or not. Certificates created by Openfire will use CN=[domain] as the subjectDN and issuerDN. When a CSR is created both fields (subjectDN and issuerDN) are updated to include the meta data (O=,ST=, OU=,etc.).