Create CSR using new private key

Domino/Notes Version: 12.0.2FP2

Problem/Query: I need to renew our TLS cert, and I’m not yet comfortable with the process.
On our internal PKI cert request form, where the CSR is supposed to be pasted, there is a label that says "Private key reuse is not allowed. All CSRs must be generated from new private keys."
Does this mean that the CSR that’s currently in certstore needs to be recreated? How is that done? Please forgive me, I am a developer first, not an admin.

Hello,

Thank you for reporting your query at HCL Domino Forums.

Are you using TLS with a third-party Certificate Authority, or is it a self-signed one?

You mentioned the certificate store, so I believe you use certstore.nsf for TLS. You may create a new CSR, request a certificate with it, and use that in the certificate store database.

For more details, you can refer to the recording of the webinar below on the certificate store.

Webinar - Tips to efficiently manage and maintain certificate store in HCL Domino 12.0.x and above

Thanks and Regards
Niraj V Jani

Hi.
May I ask where you are reading that?

Anyway, no, there is no need to create one.
We have renewed certs without needing to update PK.
Please be advised that, from a security point of view, you may need to renew the PK.

But, on Domino, it is not mandatory.

Hope this helps.

Best,

Elvis

Thanks for the reply Elvis. This is my company that is mandating this, I understand it’s not required by Domino.

Thank you Niraj, I will try the procedure. Sorry for the delay in my reply.

Hi

Hope you are doing well.

Please find the following HCL support links for the detailed procedure for creating a CSR and importing a certificate using certstore.nsf.

Please follow the procedure given in the above links.

I hope the above information will help in answering your concerns.

Thanks & Regards
Nishant Shendre

I guess I messed it up. It took some time to get a new cert. Here are the steps I took:

  1. Since our certificate request process says "Private key reuse is not allowed. All CSRs must be generated from new private keys." I assumed that I needed to create a new TLS Credentials doc using the "Add TLS Credentials" button.
  2. I filled out the info, then submitted it. That created a new CSR.
  3. I opened our cert request form and used the new CSR.
  4. It also asked for the serial number. I used the one for the current (expiring) cert.
  5. I submitted the request, but only received the cert today.
  6. I pasted the full cert chain and submitted the TLS Credentials doc.
  7. The status has changed to “Issued” and “Valid”, and the icon is green. The expiration date is correct.
  8. The old (expiring) TLS doc is now in “Waiting” status. I tried setting it to “Archived” but it reset back to “Waiting”.
  9. I restarted the HTTP task.
  10. I tested a page on that server, but it is still using the old cert.

So what did I miss?

I set the previous TLS doc for the server to “Archived” then saved it rather than submitted it. I can now access the page using the new key. With that said, I’m sure I did this completely wrong, and I don’t have much faith that it will “stick”. I don’t want to risk updating our prod servers this way. Mainly I’m not sure how I’m supposed to generate a new key in order to create the CSR without creating a whole new TLS Credentials doc. That can’t be right.
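The company rule this thread turns on (every CSR must come from a new private key) can be checked before a CSR is pasted into the request form. The Go program below is an added example, not HCL code and not part of this thread: it uses only the Go standard library, assumes P-256 keys and a constructed CommonName of domino.example.com, and reports whether a CSR carries the same public key as the certificate or CSR already in certstore.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newKey returns a fresh P-256 key. Under "no private key reuse" every CSR starts here,
// never from the key behind the TLS Credentials document already in use.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// newCSR builds the DER CSR for cn signed with key; this is what gets pasted into the PKI form.
func newCSR(key *ecdsa.PrivateKey, cn string) []byte {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil { panic(err) }
	return der
}

// KeyReused reports whether csrDER carries the public key `deployed` (taken from the current
// certificate or the CSR already in certstore), i.e. whether submitting it breaks the policy.
func KeyReused(deployed crypto.PublicKey, csrDER []byte) (bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return false, err }
	if err := csr.CheckSignature(); err != nil { return false, err } // proof of possession
	a, err := x509.MarshalPKIXPublicKey(deployed)
	if err != nil { return false, err }
	b, err := x509.MarshalPKIXPublicKey(csr.PublicKey)
	if err != nil { return false, err }
	return bytes.Equal(a, b), nil
}

func main() {
	old := newKey()
	oldCSR, _ := x509.ParseCertificateRequest(newCSR(old, "domino.example.com")) // stands in for the CSR in certstore
	reused, _ := KeyReused(oldCSR.PublicKey, newCSR(old, "domino.example.com"))
	fresh, _ := KeyReused(oldCSR.PublicKey, newCSR(newKey(), "domino.example.com"))
	fmt.Println("same key:", reused, "new key:", fresh) // same key: true new key: false
}
```

To check a real CSR, parse the PEM from certstore (or the deployed certificate) with the standard x509 parsers and pass its PublicKey as `deployed`.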