Do you procrastinate on tasks that you hate? I do...

I had a long-delayed task: install a legitimate wildcard SSL certificate on my customer's Domino servers for internal access. There are more than ten servers, and nobody had managed to teach people how to trust home-made SSL certificates...

I have worked with SSL certificates in the past, and it is a headache, because SSL shops think that every server in the world runs IIS :)

First of all, some credit to friends in the yellowverse who helped me with their blog posts...

- Ken Yee (with some help from Joe Walters) prepared a FAQ entry: "Does Domino Support Wildcard SSL Certificates?"
- John Roling (a.k.a. Greyhawk68) blogged: "Wildcard SSL on Lotus Domino"
- Gabriella Davis blogged: "Moving an IIS SSL certificate to a Domino Keyring File"

We did the usual stuff. We generated a CSR with the "Server Certificate Admin" database and sent it to GeoTrust to get a wildcard SSL certificate. Then we installed the root and intermediate certificates into the keyring without any problem. However, when I tried installing the certificate itself, I got an interesting error: "Certificate could not be read from file".

The Google gods gave me only two responses about this problem, both dating back to 1999. The first was resolved as a CSR problem and the other one was unresolved.

I tried everything, including regenerating the CSR to receive a new certificate, checking CSR/certificate compatibility, changing language settings, using a different machine, a different Notes version, another database, etc. I also debugged the merging code in LotusScript. It fails at an external call into the "_dmsecadm" library that reads information from the incoming certificate. There was no problem with the certificate or my keyring file.

I created my own root certificate and signed a test CSR to check whether everything was working properly. At this point I noticed a difference between the certificates.

A certificate created in Domino normally has an MD5-based signature algorithm, whereas the GeoTrust certificate has "sha1RSA". So I believe this may be the problem. A PMR is still open about this issue and I'll update this post when it is resolved.

UPDATE: PMR result: Lotus Domino Server supports the SHA-1 algorithm, but the Server Certificate Admin database only accepts MD5. There is an enhancement request. So before buying an SSL certificate, confirm that the SSL shop supports MD5 signatures in certificates...
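The PMR answer above turns on a single field, the certificate's outer signatureAlgorithm, so it is worth checking that field before you try to merge a certificate into a keyring. What follows is an added example and not code from the original post or from IBM: a standard-library-only Python script that walks the DER framing of an X.509 certificate and reports the signature algorithm OID, generalised a little beyond the md5RSA/sha1RSA pair in the post to the other common RSA and ECDSA OIDs. The stub certificate it builds for itself is constructed test input with placeholder contents, not a real certificate, and the file name `check_sigalg.py` is an assumption. Keep in mind that md5WithRSAEncryption is cryptographically broken and public CAs stopped issuing such certificates years ago, so the check tells you which side of the PMR result a given file falls on; it is not a way to obtain an MD5-signed certificate.

```python
"""Report the signatureAlgorithm of an X.509 certificate (PEM or DER) with only
the standard library: walk the outer Certificate SEQUENCE, skip tbsCertificate
and decode the AlgorithmIdentifier OID (RFC 5280, section 4.1)."""
import base64
import re

# Well-known signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]: (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs) to dotted-decimal text."""
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def pem_to_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data

def signature_algorithm(cert_bytes):
    """Return (oid, name) of the outer signatureAlgorithm of a Certificate."""
    der = pem_to_der(cert_bytes)
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (a PKCS#12 or PEM bundle, perhaps?)")
    tag, _, tbs_end = _read_tlv(der, pos)               # tbsCertificate, skipped whole
    tag2, alg_pos, _ = _read_tlv(der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    tag3, oid_start, oid_end = _read_tlv(der, alg_pos)  # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected certificate structure")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIGNATURE_ALGORITHMS.get(oid, "unknown")

# --- constructed test input below: NOT a real certificate -------------------
def _der(tag, content):
    """Encode one DER TLV, using the long length form above 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Encode dotted-decimal OID text to DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return out

def build_stub_certificate(sig_oid):
    """Valid Certificate framing around placeholder contents so the parser can be
    exercised offline; the 129-byte signature forces the long length form."""
    tbs = _der(0x30, b"\x02\x01\x02")                                # tbsCertificate stub
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _der(0x03, b"\x00" * 129)                                  # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)

def der_to_pem(der):
    """Wrap DER as a PEM CERTIFICATE block."""
    b64 = base64.b64encode(der)
    lines = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + lines + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":  # usage: python check_sigalg.py server.crt (no argument: run the stubs)
    import sys
    certs = [open(sys.argv[1], "rb").read()] if len(sys.argv) > 1 else map(build_stub_certificate, SIGNATURE_ALGORITHMS)
    for cert in certs:
        print(signature_algorithm(cert))
```

Run it as `python check_sigalg.py server.crt` with the certificate you received from the SSL shop (PEM or DER); with no argument it prints the result for one constructed stub per known OID. Only the outer AlgorithmIdentifier is read. RFC 5280 requires the copy inside tbsCertificate to match it, but verifying that is a job for a full X.509 parser, not for this pre-import check.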

Finally, Gab's brilliant post gave me an idea. I found iKeyman with GSK5 (which came with older versions of WebSphere). It is the only version that supports keyring files. I opened my keyring file with iKeyman and installed the certificate. I tried the new keyring on the Domino server and it worked!

However, there are still problems. I cannot open this new keyring file in the Server Certificate Admin database (it gives an "invalid keyring file" error). I cannot change its password either, because iKeyman does not support stash files for keyring files. I still don't know what will happen next year when we need to renew this certificate :)

I felt very good when I solved this problem. These are the moments when I really enjoy what I do...

Now, it's "Dear IBM" time.

I honestly don't get it. Why are we still dealing with keyring files? As far as I know, they are not used by any other web server on the market. I don't know much about certificates, but I'd like to know whether there is a clear advantage to using .kyr files for SSL configuration.

In addition, deploying key files is really difficult on Domino servers. A better solution could be created (for example, importing them into names.nsf).

Anyway, I created a couple of ideas on ideajam.net. Please vote for them if you agree...

"Using more universal SSL certificate stores instead of keyring files"
"Using Domino Directory to deploy SSL keyring files"
Serdar Basegmez | August 18 2011 10:52:00 AM | Lotus Domino, Security, System Administration, Tips

Comments (6)

Serdar Basegmez    http://lotusnotus.com/en    01/16/2014 7:25:14 PM

Great, Mats! Thanks for sharing. I was planning to update this post to explicitly write out every step. I wish I had seen your page before, because I had lots of trouble finding out how to create a stash file.

Thanks for sharing, great post!

Mats Ekman    http://www.infoware.se    01/16/2014 7:21:03 PM

I did some documentation and a checklist on how to do this at my company blog.

Maybe that could help you out, here is the link:

{ Link }

Regards

Mats

Theo Aemmer       08/23/2011 10:23:35 PM

That's how I create a keyring.kyr which I can use on any server in the domain.

{ Link }

Serdar Basegmez    http://www.developi.com    08/19/2011 10:20:52 AM

@Lars, double backup, encrypted and put into the safe :)

@Andy, great! Thank you. I was a bit lazy about what I did step by step :)

Andy Brunner    http://ABData.CH    08/18/2011 10:34:43 PM

I spent many, many hours solving the same problem you had. In my example, I bought an SSL wildcard certificate from StartCom (very inexpensive). But then I had to convert the PFX/P12 file as follows:

1) Convert the PFX/P12 private certificate

1.1) Import the PFX/P12 private certificate into Internet Explorer

1.2) Use the Internet Options to export the certificate with the private key, the parent CAs and low security

2) Create new Domino keyring file

2.1) Install an old and free IBM HTTP Server (IHS) which includes the necessary iKeyMan tool (on a test machine)

-> { Link }

-> Select "Download Resources" to the right

Download Version 1.3.19.5 (exact version is important !)

2.2) Start the iKeyMan tool (IBM Key-Management)

2.3) Create a new keyring file (type .kyr), no expiration

2.4) Select "Personal Certificate" and import the PKCS12 file created in step 1.2

2.5) Exit the iKeyMan tool

3) Set the Domino keyring password (Stash-File)

3.1) Open any certsrv.nsf database

3.2) Open view "View and Edit Key Rings"

3.3) Use action "Change Key Ring Password". The old and the new passwords can be equal.

4) Activate the Domino keyring file

4.1) Copy the keyring files .kyr and .sth to the Domino data directory

4.2) Configure the Domino server to use the keyfile for the Internet sites

I hope this helps someone else.

Andy

Lars Berntrop-Bos       08/18/2011 12:01:06 PM

Well done, Sir!

Made sure to download the stuff while it's still available and make backups of the info. Very useful!!