Channel: Ignite Realtime : Unanswered Discussions - Support

How to create XMPP certificate with Windows CA?

I'm trying to create a "proper" XMPP certificate for my Openfire server using the Windows Certification Authority in the domain (Windows 2008 R2), but can't figure out how to do this.

Openfire server can generate self-signed certificates (DSA + RSA), which include xmppAddr as Subject Alternative Name.

I found these sites explaining XMPP certificates:

https://roll.urown.net/ca/x509.html

https://blog.hamzahkhan.com/2012/11/09/ssl-certificates-for-xmpp

XMPP Server Certificates - XMPP WIKI

Basically I need to add OID 1.3.6.1.5.5.7.8.5 to the certificate (this is the OID for xmppAddr).

This is the method I tried to create a CA signed XMPP certificate, which would include the xmppAddr attribute:

  1. Create a new Web Server certificate template.
    1. Duplicate the built-in Web Server template:
       [image: Web Server Duplicate.png]
    2. Select Windows Server 2003 as minimum supported CA:
       [image: Web Server Duplicate_Win2003.png]
    3. Set the template name and change the validity period:
       [image: Web Server - Display Name.png]
    4. Check "Allow key to be exported" at request handling (to be able to import the private key later in Openfire):
       [image: Web Server - Request Handling.png]
    5. CSPs are default:
       [image: Web Server - CSPs.png]
    6. Allow "Everyone" to Read and Enroll (only for testing purposes):
       [image: Web Server - Security.png]
    7. Everything else is left by default.
  2. Create the XMPP certificate:
    1. Request new certificate (on the Openfire Server):
       [image: New Certificate - Request.png]
    2. Select the newly created Web Server template (Web Server - RSA) and add some details:
       [image: New Certificate - Select.png]
    3. Add Subject Names:
       [image: New Certificate - Subject.png]
       In this example I'm adding:
       • CN = talk.example.local
       • DNS = talk.example.local, *.talk.example.local (wildcard)
       • Other name = OID 1.3.6.1.5.5.7.8.5 (xmppAddr), value 74 61 6c 6b 2e 65 78 61 6d 70 6c 65 2e 6c 6f 63 61 6c (talk.example.local converted to hex)
    4. Add a friendly name:
       [image: New Certificate - General.png]
    5. That's it. Then I click OK and Enroll, and the certificate is ready to use.

This certificate works fine (can connect to the server with SSL), however Openfire can't read the xmppAddr attribute (it shows #74616c6b2e6578616d706c652e6c6f63616c as xmppAddr instead of talk.example.local).

The Subject Alternative Name has this info:

    DNS Name=talk.example.local
    DNS Name=*.talk.example.local
    Other Name:
        1.3.6.1.5.5.7.8.5=04 12 74 61 6c 6b 2e 65 78 61 6d 70 6c 65 2e 6c 6f 63 61 6c


The problem is the first byte in the xmppAddr attribute, which should be 0c instead of 04. The Windows OID encoding isn't correct.

How could I correct this error in Windows? Do I need to add this custom OID to the Certificate Template? Or will creating an XMPP certificate with Windows never work?

As a workaround I used openssl (on Openfire) and certreq (on Windows CA) to create a proper XMPP certificate, but I would like to do this without using openssl.
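An added example (not from the original post, and not Openfire or Windows code) that makes the encoding problem above concrete: it parses the otherName value bytes the Windows CA produced, flags the OCTET STRING tag (0x04), and builds the UTF8String-tagged (0x0c) value that XMPP software expects for xmppAddr. The byte strings are constructed from the hex quoted in the post.

```python
"""Check and build the DER value of an xmppAddr otherName (OID 1.3.6.1.5.5.7.8.5).

Example code added to this thread; the byte values are constructed from
the hex shown in the post above, not read from a real certificate.
"""

XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"
TAG_OCTET_STRING = 0x04  # tag the Windows CA emitted (wrong for xmppAddr)
TAG_UTF8_STRING = 0x0C   # tag xmppAddr must carry (UTF8String)


def der_length(n):
    """Encode a DER length in short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_xmpp_addr(domain):
    """Return the correctly tagged xmppAddr value: UTF8String(domain)."""
    raw = domain.encode("utf-8")
    return bytes([TAG_UTF8_STRING]) + der_length(len(raw)) + raw


def decode_xmpp_addr(value):
    """Parse one DER TLV and return (status, text).

    status is "ok" for a UTF8String and "wrong-tag" for anything else,
    e.g. the OCTET STRING the Windows enrollment dialog wrapped the hex in.
    """
    if len(value) < 2:
        raise ValueError("truncated DER value")
    tag, length, offset = value[0], value[1], 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(value[2:2 + n], "big")
        offset = 2 + n
    content = value[offset:offset + length]
    if len(content) != length:
        raise ValueError("DER length exceeds available bytes")
    text = content.decode("utf-8")
    return ("ok" if tag == TAG_UTF8_STRING else "wrong-tag", text)


# Constructed from the SAN dump in the post: "04 12 74 61 6c 6b ..." (OCTET STRING).
WINDOWS_VALUE = bytes.fromhex("0412" "74616c6b2e6578616d706c652e6c6f63616c")
# The same domain as XMPP software expects it: "0c 12 74 61 6c 6b ..." (UTF8String).
EXPECTED_VALUE = encode_xmpp_addr("talk.example.local")

if __name__ == "__main__":
    print("Windows CA value:", WINDOWS_VALUE.hex(), decode_xmpp_addr(WINDOWS_VALUE))
    print("Expected value:  ", EXPECTED_VALUE.hex(), decode_xmpp_addr(EXPECTED_VALUE))
```

Running the check against a real certificate only needs the raw otherName value bytes from the SAN extension; the first byte tells you immediately whether the CA tagged it as UTF8String (0c) or OCTET STRING (04).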