Domino ssl cert renewal nightmare

Hi

For years I have had a Traveler server running with SSL. The certificate expired a day ago and I got a new one from my external CA. All that needs to be done is to merge the new crt file into the existing keyfile.kyr - so I thought ...

The old database that worked fine before, certsrv.nsf, does not work anymore under Domino 11 and gives me a weird "Error in Loading dll" message.

Ok - so I tried kyrtool.exe to accomplish this task - this does not work at all for me. Is it supposed to be executed in the server's cmd window, pointing to the Notes or Domino notes.ini file??? The tool executes - no error messages - but does not do the task.

The documentation leaves much to be desired and the tool has 1980s-style usability. Who enjoys mile-long command-line strings?

Anyway, how can I import the newly received crt file for this machine into the existing keyfile.kyr that still has the expired cert in it? - It worked fine last year when updating the cert.

Are there alternatives to do this? - right now I am frustrated that such a simple thing causes so much grief.

Would appreciate any pointers.

Mike

Hello Mike,

Sorry for the inconvenience caused.

Using the certsrv database for SSL on the Domino server is not supported. This change was introduced in Domino 9.0.1.x and above, which use OpenSSL and kyrtool. Basically, the change was made to support the SHA-2 algorithm and TLS, to fix security vulnerability issues.

You can follow the document "Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation".

Please note: If the CSR and server.key (private key) were generated by your CA vendor, then you need to get the server.key from them along with the server certificate, intermediate certificates and root certificate.

To be precise, you can follow the steps below.

1) Place all the certificate-related files (server.key, server.crt, intermed.crt, root.crt) in one folder. For example, a folder named "cert" on the D drive: d:\cert.

Note: In some cases there could be two intermediate certificates (server.key, server.crt, intermed1.crt, intermed2.crt and root.crt).

2) Open a command prompt and switch to the path "cert" on the d drive.

3) Concatenate all these files to one single file using the type command from the Windows command prompt.

>type server.key server.crt intermed.crt root.crt > server.txt

4) We now have a single server.txt file in the "cert" directory on the D drive, to be used with kyrtool to merge the certificates.

5) Now, create a new keyfile using kyrtool. This is a command-line tool and can be run from the Domino V11 program directory using the Windows command prompt.

Note: You can always keep a backup of the existing keyfile from the Domino data directory.

C:\HCL\Domino>kyrtool.exe =c:\HCL\Domino\notes.ini create -k c:\HCL\Domino\data\keyfile.kyr -p password

6) Merge the required certificates into keyfile.kyr using the command below.

C:\HCL\Domino>kyrtool.exe =c:\HCL\Domino\notes.ini import all -k c:\HCL\Domino\data\keyfile.kyr -i d:\cert\server.txt

7) Next, verify the certificates in the keyfile by issuing the command below. This will show success if all is OK; otherwise it will give an error message.

C:\HCL\Domino>kyrtool =c:\HCL\Domino\notes.ini show certs -k c:\HCL\Domino\data\keyfile.kyr

8) The Domino data directory now has the two files keyfile.kyr and keyfile.sth, to be used for the server's SSL. If the keyfile name configured in the server document or the Internet Site document is different, please rename these two files accordingly.

To match the previous .kyr file name you can check the server document or Internet Site document in the Domino Directory (names.nsf), as in the example shown below.

The final step is to restart the HTTP task on the Domino server using the commands below.

Tell http quit

Load http

Thank you.

Regards

Shrikant J
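
The steps above build server.txt by blindly concatenating four files; if the key and certificate do not belong together, or an intermediate is missing, kyrtool or the clients will fail later with little to go on. The script below is an added example (not from this thread, not HCL's tooling) that performs the checks a practitioner would want before step 6 and then writes the bundle in the order kyrtool expects: private key, server cert, intermediate(s), root. It assumes the openssl CLI is on PATH and is written as a POSIX shell script (for example Git Bash or WSL on the Domino box, or a workstation); the file names are the ones used in the steps above, and the output file goes straight into the `kyrtool ... import all ... -i` command.

```shell
#!/bin/sh
# Pre-flight check for the kyrtool "import all" step.
# Verifies that the private key, server certificate, intermediate(s) and root
# actually belong together, then writes them to one file in the order kyrtool
# expects: private key, server cert, intermediate(s), root.
# Assumes the openssl CLI is on PATH; file names follow the thread above.
#
# Usage: build_kyrtool_bundle OUT.txt server.key server.crt root.crt [intermed.crt ...]

# Append one PEM file to the bundle, adding a newline if the file has none at
# the end (cmd's "type a b > c" silently glues two PEM blocks together then).
append_pem() {
    cat "$2" >> "$1"
    if [ -n "$(tail -c 1 "$2")" ]; then echo >> "$1"; fi
}

build_kyrtool_bundle() {
    if [ "$#" -lt 4 ]; then
        echo "usage: build_kyrtool_bundle OUT key cert root [intermediate ...]" >&2
        return 2
    fi
    out=$1; key=$2; cert=$3; root=$4
    shift 4    # whatever is left are intermediates, in leaf-to-root order

    # 1. The private key must be the one the certificate was issued for.
    #    A re-keyed renewal, or a key file from a different CSR, fails here.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    if [ -z "$key_pub" ] || [ -z "$cert_pub" ]; then
        echo "cannot read $key or $cert" >&2; return 1
    fi
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "public key in $cert does not match $key" >&2; return 1
    fi

    # 2. Refuse a certificate that has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$cert has already expired" >&2; return 1
    fi

    # 3. The chain must verify with exactly the root and intermediates given;
    #    with a missing intermediate, clients cannot build the chain either.
    if [ "$#" -gt 0 ]; then
        chain=$(mktemp)
        for im in "$@"; do cat "$im" >> "$chain"; echo >> "$chain"; done
        result=$(openssl verify -CAfile "$root" -untrusted "$chain" "$cert" 2>/dev/null || true)
        rm -f "$chain"
    else
        result=$(openssl verify -CAfile "$root" "$cert" 2>/dev/null || true)
    fi
    case "$result" in
        *": OK"*) ;;
        *) echo "$cert does not chain to $root with the intermediates given" >&2; return 1 ;;
    esac

    # 4. Everything fits: write the bundle in kyrtool's order.
    : > "$out"
    for f in "$key" "$cert" "$@" "$root"; do append_pem "$out" "$f"; done
    echo "wrote $out with $(grep -c -- '-----BEGIN' "$out") PEM blocks"
}

# Run directly, e.g.: sh build_bundle.sh server.txt server.key server.crt root.crt intermed.crt
if [ "$#" -ge 4 ]; then
    build_kyrtool_bundle "$@"
fi
```

The bundle is only written after all three checks pass, so a failed run leaves no half-built server.txt to import by mistake; the key/certificate comparison is done on the SubjectPublicKeyInfo PEM, so it works for RSA and EC keys alike.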

Hi Shrikant

Thank you for your reply. It is working now and the cell phones are coming online ...

I had to create a new server.key and CSR and re-key the cert. Then I followed your instructions and it worked fine. Apparently, when a cert is automatically renewed without a new CSR, something is missing. I wanted to shortcut and just add the new cert to the existing keyfile.kyr - most likely a wrong idea.

Your instructions did work fine. One little comment - just to help somebody else, maybe - if your Domino is an old upgraded install, it is most likely in something like c:\Program Files\IBM\Domino etc. In this case one has to put quotation marks around every path containing a blank, or kyrtool will give an error message ...

It would be nice to have a simple graphical tool again to facilitate certs in the future.

Thanks again.

Mike

Hi Mike,

Thank you for your update; good to know the steps were useful and helped to set up SSL.

I am sorry, I missed that the path of an old IBM Domino install remains the same when you upgrade it to V11.

Your feedback is noted: when the Domino server has been upgraded from a previous release of IBM Domino, the path remains the same, and we need to use that path for kyrtool and for the keyfile.

Example: C:\IBM\Domino (program directory) & C:\IBM\Domino\data (data directory)

OR C:\Program Files\IBM\Domino (program directory) & C:\Program Files\IBM\Domino\data (data directory)

As for a simple graphical tool for SSL certificate management using a database, it is already planned for Domino V12. With the V12 release you can manage certificates using a database. Please refer to the V12 beta release product documentation below.

https://help.hcl-software.com/domino/earlyaccess/wn_security.html

Automating certificate management
HCL Domino® 12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to automate generation of TLS certificates from the Let's Encrypt® certificate authority (CA) or another third-party CA.

I hope this new V12 feature will fulfill your requirement.

Thank you

Regards

Shrikant J

Don't use the NSF to work with SSL certs - it no longer works.
You can place the cert files in c:\temp and run kyrtool while your command prompt is in the Domino program directory (since this directory contains a notes.ini, you can skip the "=c:...\notes.ini" option on the command line).
There will be a new, easy way to manage SSL certs without kyrtool in Domino v12, which is planned for this year.

Thank you Aleksandr - got it working now.

Looking forward to a new, easier way to manage these cert beasts ...

Hi.

Yes, Domino 12.0 introduced a great new way to handle certificates, and it was enhanced in Domino 12.0.1.

You may check it here:

Managing TLS certificates with Certificate Manager (hcltechsw.com)

You could also find additional info on these other posts:

HCL Notes/Domino - How to use CertMgr to import an already existent certificate signed by a Third-party CA? - Community (hcltechsw.com)

HCL Notes/Domino - CertMgr: How to request ACME/Let's Encrypt certificate when listening port other than 80 (like 8080) - Community (hcltechsw.com)

HCL Notes/Domino - How to use CertMgr to import a wildcard certificate generated from a third party source and signed by a third party CA? - Community (hcltechsw.com)

Hope this helps.

Sincerely,

Elvis.