Create cross certificate with AD web service certificate

Hi all

I am integrating Domino and AD through the ADFS service to authenticate to Domino web services. I am using the document “SHOW100: AD + SAML + Kerberos + IBM Notes and Domino = SSO” and have reached the step “Creating SSL Cross Certs”.

I imported the Internet certificate from the ADFS host into the Domino server, but it is impossible to make a cross certificate with the Domino organization certifier.
What I am doing wrong?

I get the message:

“A cross certificate will not be made due to key usage restrictions in the input certificate.”

Thanks.

Subject: Technote on SSL cross-certs

This technote, “Certificate details for an identity provider (IdP) configured for Notes federated login” (http://www-01.ibm.com/support/docview.wss?uid=swg21627799), gives the fix: you need to export the top level of the SSL certificate in ADFS 2012, not the server level.

Subject: Same error but with Windows 2012 R2 and self-signed

Hello everybody!

Please, could you help me?

I am facing the same problem but with a SELF-SIGNED certificate. When I try to run the cross certificate I get the same error shown below:

“A cross certificate will not be made due to key usage restrictions in the input certificate”

The difference in my environment is that I use Windows 2012 R2, so it comes with ADFS version 3.0. But I am using SAML version 2.0 in order to use ADFS with Domino.

I have read many documents on the internet but I cannot find exactly the procedure I need for Windows 2012 R2. As far as I have read, IIS (Internet Information Services) is no longer necessary to configure ADFS, and IIS is NOT even installed by default on Windows 2012 R2.

I would really like to know what Daniel Nashed did to successfully configure ADFS on Windows 2012 R2, because according to his blog, “the configuration is very similar but you cannot use the cookbooks 1:1.”

His post is here: Daniel Nashed's Blog, http://blog.nashcom.de/nashcomblog.nsf/dx/domino-federarted-web-login-saml-with-f5-and-adfs-3.0.htm

My environment:

Domino 9.0.1 64-bit with Fix Pack 6 running on SUSE Linux 12 64-bit;

Windows Server 2012 R2 with ADFS 3.0.

Any ideas or comments are welcome.

Thanks and Regards,

OdiLo

Subject: Same error but with Windows 2012 R2 and self-signed

Hello Odilo,

Have you solved this problem?

Thank you in advance.

Best regards,

Milan

Subject: Review this doc

There’s a section about key usage requirements that might have been missed in your environment.

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Cookbookcol_Setting_up_ADFS_for_integrated_Windows_authentication_lprIWArpr_

Subject: A cross certificate will not be made due to key usage restrictions in the input certificate

When attempting to cross certify the ADFS server SSL certificate in Domino, I get the same error message: “A cross certificate will not be made due to key usage restrictions in the input certificate”.

The exported key was made following the instructions in “SHOW100 : AD + SAML + Kerberos + IBM Notes and Domino = SSO!” from Connect2014.

The key is at the server level, i.e. Issued to: adfs.myservername.com, and Issued by: GeoTrust DV SSL CA-G4. Any clues?

Domino 9.0.1 FP4 and ADFS 2012 R2
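As an added example (not from any of the posts above, and not IBM's or Daniel Nashed's code), here is a shell script that applies the technote's point before the certificate is imported into Domino: decode the exported file with openssl and check whether it is a CA certificate, i.e. basicConstraints CA:TRUE with a keyUsage that includes keyCertSign. The assumption made here is that this is the "key usage restriction" Domino is enforcing; the thread only states that the fix is to export the top-level certificate rather than the server-level one. A server-level certificate such as adfs.myservername.com issued by GeoTrust in the last post fails the check, as does a self-signed server certificate as in the Windows 2012 R2 post (it is the top of its own chain, but still carries only server key usage); the issuing chain's root passes. The demo CA, the names Demo Root CA and adfs.example.com, the config file and the temporary directory are all constructed for illustration; the checker itself works on any PEM or DER (.cer) file.

```shell
#!/bin/sh
# Added example, not from the forum thread. Checks whether a certificate file is
# a plausible input for a Domino SSL cross certificate: a CA certificate with
# basicConstraints CA:TRUE and keyUsage including keyCertSign (assumption: this is
# what Domino's "key usage restrictions" message is about). Accepts PEM or DER.

# Decode the certificate, trying PEM first and falling back to DER
# (Windows exports .cer files as DER by default).
cert_text() {
    openssl x509 -in "$1" -noout -text 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null
}

# Return 0 if the file looks like a usable cross-certificate input, 1 otherwise,
# and say why, so the admin knows to go up the chain and export the CA instead.
cross_cert_candidate() {
    f=$1
    txt=$(cert_text "$f") || { echo "$f: REJECT  not a readable X.509 certificate"; return 1; }
    subj=$(printf '%s\n' "$txt" | sed -n 's/^ *Subject: //p')
    issuer=$(printf '%s\n' "$txt" | sed -n 's/^ *Issuer: //p')
    ca=no;   printf '%s\n' "$txt" | grep -qE '^[[:space:]]*CA:TRUE' && ca=yes
    sign=no; printf '%s\n' "$txt" | grep -q 'Certificate Sign' && sign=yes
    if [ "$ca" = yes ] && [ "$sign" = yes ]; then
        echo "$f: OK      CA certificate (subject: $subj)"
        return 0
    fi
    echo "$f: REJECT  server-level certificate (subject: $subj; issuer: $issuer; CA:$ca; keyCertSign:$sign)"
    echo "          open the certification path on the ADFS host, export the top-level CA and cross-certify that"
    return 1
}

# --- Constructed demo material: throwaway keys, 1-day validity ----------------
DEMO_DIR=$(mktemp -d)
cfg=$DEMO_DIR/demo.cnf
cat > "$cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:adfs.example.com
EOF

# 1. A root CA: the "top level" the technote says to export.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" -extensions v3_ca \
    -subj "/CN=Demo Root CA" -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" 2>/dev/null
# The same root as DER, which is what a Windows .cer export looks like.
openssl x509 -in "$DEMO_DIR/ca.pem" -outform DER -out "$DEMO_DIR/ca.cer"

# 2. A CA-issued server certificate: the "server level" file Domino rejects.
openssl req -new -newkey rsa:2048 -nodes -config "$cfg" -subj "/CN=adfs.example.com" \
    -keyout "$DEMO_DIR/server.key" -out "$DEMO_DIR/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$DEMO_DIR/server.csr" -CA "$DEMO_DIR/ca.pem" \
    -CAkey "$DEMO_DIR/ca.key" -CAcreateserial -extfile "$cfg" -extensions v3_server \
    -out "$DEMO_DIR/server.pem" 2>/dev/null

# 3. A self-signed server certificate: top of its own chain, yet still only
#    server key usage, so it is rejected for the same reason.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" -extensions v3_server \
    -subj "/CN=adfs.example.com" -keyout "$DEMO_DIR/self.key" -out "$DEMO_DIR/self.pem" 2>/dev/null

# Run the check over all four files (the return code is reported in the message).
for c in ca.pem ca.cer server.pem self.pem; do
    cross_cert_candidate "$DEMO_DIR/$c" || :
done
```

Run it against the file you actually exported from the ADFS host (`cross_cert_candidate adfs-export.cer`) before importing into Domino; a REJECT means you exported the wrong level of the chain. One caveat: a few very old public roots carry no keyUsage extension at all, and this script would flag them on the keyCertSign test, so treat a REJECT on a root as a prompt to look at the decoded extensions rather than as a final verdict.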