Your problem is benign and completely orthogonal to the one I reported above. Openfire always reports a missing certificate and wants to generate a DSA certificate (in addition to the RSA one). However, if you simply ignore the warning, it's perfectly fine and encryption will work as expected. The missing DSA certificate warning has been in Openfire at least since 2007 and it has never been a real issue.
In my case, the certificate cannot be imported at all, i.e., it cannot be seen anywhere on the list of certificates, and encryption does not work at all, which implies that connections with mandatory encryption are not established at all. If you have a certificate for something.domain.com and domain.com, and your JIDs have the form of user@something.domain.com, it will work perfectly fine, just as it worked for me up to now. The problem only gets exposed when your certificate is valid for something.domain.com, domain.com and somethingelse.domain.com. In such a case, even though your Jabber domain is something.domain.com, Openfire will neither import your certificate nor show it on the certificate list after you import it manually, because of a bug affecting the resolution of altsubject names in certificates. Certificates with one 3rd-level domain work, but ones with two 3rd-level domains are not recognized, despite the fact that one of the domains corresponds to the server name / Jabber domain.
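As an added example (not code from this thread or from Openfire), here is a small Python check that parses the dNSName entries `openssl x509 -noout -ext subjectAltName` prints for a certificate and reports whether each Jabber domain is covered by at least one of them; the three names are the ones from the post above, and the openssl output is a constructed sample.

```python
"""Check whether a certificate's subjectAltName dNSNames cover a Jabber domain."""
import re
from typing import Dict, List

# Constructed sample of what `openssl x509 -in cert.pem -noout -ext subjectAltName`
# prints for a certificate with the three names discussed in the post.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:something.domain.com, DNS:domain.com, DNS:somethingelse.domain.com
"""


def parse_dns_sans(openssl_output: str) -> List[str]:
    """Extract every DNS: entry from openssl's subjectAltName text, lower-cased."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_output)]


def san_matches(san: str, domain: str) -> bool:
    """dNSName matching in the RFC 6125 style: an exact match, or a wildcard
    that is the whole left-most label and stands for exactly one label."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san == domain:
        return True
    if san.startswith("*."):
        head, sep, tail = domain.partition(".")
        # "*.domain.com" covers "x.domain.com" but not "domain.com" or "a.b.domain.com"
        return bool(head) and bool(sep) and ("." + tail) == san[1:]
    return False


def covered_domains(openssl_output: str, jabber_domains: List[str]) -> Dict[str, bool]:
    """For each Jabber domain, report whether any dNSName in the cert covers it.
    A correct resolver must accept the cert as long as one name matches."""
    sans = parse_dns_sans(openssl_output)
    return {d: any(san_matches(s, d) for s in sans) for d in jabber_domains}


if __name__ == "__main__":
    checks = ["something.domain.com", "somethingelse.domain.com", "other.domain.com"]
    for domain, ok in covered_domains(SAMPLE_SAN_OUTPUT, checks).items():
        print(f"{domain}: {'covered' if ok else 'NOT covered'}")
```

Run it against your own certificate by replacing the constructed string with the real openssl output; a domain reported as covered here but rejected by the server points at the resolver, not at the certificate.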