The old method, using the certsrv.nsf database, seemed fairly simple to use. I sort of understand the reasoning for not creating a new certsrv template (ok, I really DON’T understand it at all) - but the instructions provided, again, are terrible.
Thanks, Michael and Mark, for all the assistance! I’ve been through the process, and have just installed my keyring on our Traveler server, and everything appears spectacular!
Tomorrow I will attempt our b2b web server - the current SHA-1 certificate won’t expire for another year, but I’ll get it upgraded to SHA-256 and will feel much better.
I can’t say enough how much I appreciate the assistance!
Subject: Thanks Mark (re: Additional OpenSSL Instructions) & FYI Dave
Mark,
Thanks for posting your process for generating the SHA-2 signed certificates using OpenSSL and KYRTOOL. My instructions https://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=ECCC40A836DA3C1885257D99004BF9B0 drop the path to the notes.ini since it’s already relative to the file’s location. So, instead of `kyrtool ="C:\Program Files (x86)\IBM\Lotus\Notes\notes.ini" create -k "C:\Program Files (x86)\IBM\Lotus\Notes\Data\keyring.kyr"` you can just use `=notes.ini`, i.e. `kyrtool =notes.ini create -k "C:\Program Files (x86)\IBM\Lotus\Notes\Data\keyring.kyr"`. I found that any shortcut seemed to help me.
Dave: Mark’s quotation marks around the path reminded me of something. The posting uses `kyrtool =c:\lotus\notes\notes.ini create -k c:\lotus\notes\data\keyring.kyr -p password` for example. While this path works (due to no spaces), it would not work using the more standard "C:\Program Files (x86)\IBM\Lotus\Notes". If no quotes are used, the user will receive an error. I would just add quotes to yours so users just assume quotes are needed no matter what.
One of the issues from the original Wiki was in Step 1 he used ‘server.key’, then in step 2 it was server02.key; I was pretty sure they should have been the same…
Are you setting environment variables for OpenSSL? I think that I had to add ‘set RANDFILE=.rnd’, but then later got another error, so added ‘set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg’.
Did you have to make any changes to the supplied openssl.cfg file?
And finally, did you just run everything from ‘C:\OpenSSL-Win32\bin’? Then copy out the files you needed?
Thanks for the direction! It looks like I was on the right track - but didn’t want to submit & pay for the certificate only to find out I had it all wrong!
Make sure your certificate chain has no SHA1 intermediate or root certificates. If so, it will work fine but the SSL test sites might ding you a few points.
I ended up contacting Thawte since they had two intermediate certs to use but one was SHA-1. They said I can leave that one out since it was only needed for obsolete browsers and to just use the SHA-2 intermediate. Seems to work fine.
Excellent, couldn’t agree more with that recommendation. Many CAs still have root and intermediate bundles (or individual certificates in their repositories) that are only SHA-1 signed. I intentionally downloaded the G2 versions of the root and intermediate certificates (e.g. from Go Daddy) that have SHA-2 signatures. If not, your chain’s essentially not 100% SHA-2. Even with these SHA-2 inclusive certificates, it’s possible to still see SHA-1 for the Thumbprint Algorithm, but the certificate is signed with SHA-2 and will pass tests (e.g. Google Chrome checks for SHA-1).
Trust me, I feel your frustration. I spent hours and hours working through this process. I boiled the process down into a few steps (see here http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=ECCC40A836DA3C1885257D99004BF9B0). Now I can handle it in < 5 minutes! I should send IBM a bill. Can you imagine the productivity loss around the world due to poor documentation re: SHA-2 and Domino (and TLS, for that matter)? Amazing. Hope this helps you. We are successfully running SHA-2 certificates (use the link in the posting to check SHA-2 status). I just added the exact OpenSSL commands to the linked posting (the focus was more on KYRTOOL). I can create these in my sleep now!
***While the topic mentions Go Daddy (our CA), the instructions work for other CAs. The only real difference is file names of the root/intermediate certificates.
I successfully updated an existing GoDaddy SHA-1 cert to SHA-2 using the arcane “Generate a SHA-2 certificate using a 3rd party CA with OpenSSL and kyrtool” instructions. I also used OpenSSL for Windows. As others already noted, the instructions change “server.key” to “server02.key” incorrectly. Here are some notes I made for myself against various steps in the process:
Create a new keyring file
Use the path to the Notes install. For me it was: `C:\Program Files (x86)\IBM\Lotus\Notes>kyrtool ="C:\Program Files (x86)\IBM\Lotus\Notes\notes.ini" create -k "C:\Program Files (x86)\IBM\Lotus\Notes\Data\keyring.kyr" -p xxxxxxxxxxxxx` ← (this was the actual password)
Verify the input file:
I took the “server.key” file that was generated with OpenSSL in step 1 and opened it into a text editor. Then I took both of the certs supplied from GoDaddy (domain and root), opened them into the text editor, and then copied/pasted them into a single new file with the “server.key” first, the xxxdomainxxx.crt file second, and last the GoDaddy root certs. I then ran the given command from the instructions and got confirmation that it was okay.
5c. Import the keypair and self-signed certificate:
My command line looked like below because the "server.txt" file referred to in the instructions I named SHA2combined.txt and put it on the desktop. And the other paths point to the required directories. Yours will look different depending on what you named things: `C:\Program Files (x86)\IBM\Lotus\Notes>kyrtool ="C:\Program Files (x86)\IBM\Lotus\Notes\notes.ini" import all -k "C:\Program Files (x86)\IBM\Lotus\Notes\Data\keyring.kyr" -i "C:\Users\mgotts\Desktop\SHA2combined.txt"`
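The whole procedure these notes walk through (OpenSSL key and CSR, a check of every certificate in the returned chain for a SHA-1 signature as Michael recommends above, the combined key+certificate file, and the KYRTOOL create/import steps with quoted paths) as one Windows batch script. This is an added example, not code from this thread or from IBM's instructions: the directory variables, the CSR subject, the file names server.crt, intermediate.crt, root.crt and SHA2combined.txt, and the password placeholder are assumptions to adjust for your environment, and the KYRTOOL `verify` and `show certs` subcommands come from the tool's documented command set rather than from this thread.

```batch
@echo off
REM Added example (not from the forum thread or IBM's instructions): build a
REM SHA-2 keyring for Domino with OpenSSL for Windows and KYRTOOL.
REM Assumed values to change: OPENSSL_DIR, NOTES, WORK, CN, the CA file names
REM and KEYRING_PASSWORD_PLACEHOLDER.
setlocal
set "OPENSSL_DIR=C:\OpenSSL-Win32\bin"
set "NOTES=C:\Program Files (x86)\IBM\Lotus\Notes"
set "WORK=C:\Users\%USERNAME%\Desktop\sha2"
set "CN=www.example.com"

REM Only needed if openssl.exe complains about its config file or the random
REM seed file (one poster needed these, another ran with none set).
set "OPENSSL_CONF=%OPENSSL_DIR%\openssl.cfg"
set "RANDFILE=%WORK%\.rnd"

if not exist "%WORK%" mkdir "%WORK%"
cd /d "%WORK%" || exit /b 1

REM 1. Private key and CSR. Keep using the SAME server.key in every later
REM    step; the "server02.key" in the original wiki is a typo.
REM    -sha256 makes the CSR itself SHA-2 signed.
if exist server.key goto have_key
"%OPENSSL_DIR%\openssl.exe" genrsa -out server.key 2048 || exit /b 1
"%OPENSSL_DIR%\openssl.exe" req -new -sha256 -key server.key -out server.csr -subj "/C=US/O=Example Corp/CN=%CN%" || exit /b 1
:have_key

REM 2. Manual step: submit server.csr to the CA, save the issued certificate
REM    as server.crt and the CA's SHA-2 (G2) intermediate and root as
REM    intermediate.crt and root.crt in %WORK%, then run this script again.
if exist server.crt goto have_cert
echo Submit "%WORK%\server.csr" to the CA, save server.crt, intermediate.crt
echo and root.crt in "%WORK%", then re-run this script.
exit /b 0
:have_cert

REM 3. Check each certificate's signature algorithm. The "Thumbprint
REM    algorithm: sha1" that Windows displays is only the fingerprint hash
REM    of the certificate, not its signature; only the Signature Algorithm
REM    line decides whether the chain is SHA-2. No ")" may appear inside
REM    the loop body, so the warning text avoids parentheses.
for %%C in (server.crt intermediate.crt root.crt) do (
    echo %%C:
    "%OPENSSL_DIR%\openssl.exe" x509 -in %%C -noout -text | findstr /C:"Signature Algorithm"
    "%OPENSSL_DIR%\openssl.exe" x509 -in %%C -noout -text | findstr /I /C:"sha1With" /C:"with-SHA1" >nul
    if not errorlevel 1 echo WARNING: %%C is SHA-1 signed - download the CA's SHA-2 G2 version instead.
)

REM 4. Confirm the chain validates before importing anything.
"%OPENSSL_DIR%\openssl.exe" verify -CAfile root.crt -untrusted intermediate.crt server.crt || exit /b 1

REM 5. Combined PEM file in the order KYRTOOL expects:
REM    private key, server certificate, intermediate, root.
type server.key > SHA2combined.txt
type server.crt >> SHA2combined.txt
type intermediate.crt >> SHA2combined.txt
type root.crt >> SHA2combined.txt

REM 6. Create the keyring, verify the combined file, import it, and list the
REM    result. Run from the Notes program directory so =notes.ini resolves;
REM    every path containing spaces is quoted.
pushd "%NOTES%" || exit /b 1
kyrtool =notes.ini create -k "%NOTES%\Data\keyring.kyr" -p KEYRING_PASSWORD_PLACEHOLDER || (popd & exit /b 1)
kyrtool =notes.ini verify "%WORK%\SHA2combined.txt" || (popd & exit /b 1)
kyrtool =notes.ini import all -k "%NOTES%\Data\keyring.kyr" -i "%WORK%\SHA2combined.txt" || (popd & exit /b 1)
kyrtool =notes.ini show certs -k "%NOTES%\Data\keyring.kyr"
popd
endlocal
```

The script is meant to be run twice: the first run stops after writing server.csr so the CSR can be submitted to the CA, and the second run (with the three certificate files in place) does the chain check, the `openssl verify`, and the keyring import. The SHA-1 warning in step 3 is the check to act on before paying: if the intermediate or root shows `sha1WithRSAEncryption`, fetch the CA's SHA-2 bundle instead of importing, since the chain as a whole is otherwise still SHA-1 and the SSL test sites will flag it.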
What a PITA and unfriendly process. The resulting key works fine with HTTP, but it does not fix the problem with some inbound SMTP connections not being able to negotiate an agreeable TLS/SSL connection and failing to send mail (documented at length in another thread in this forum). Also, the Domino HTTP server, even with the latest patches and SHA-2 cert, still does not test all that well against the Qualys SSL Server Test (https://www.ssllabs.com/ssltest/index.html). The test might be giving a false positive about POODLE because IBM says that even though the patched Domino server still supports SSL3 it isn’t actually vulnerable.
Using the IBM HTTP Server (IHS) provided in Domino 9 as a transparent proxy does a better job and tests better, but I can’t figure out how to get my new SHA-2 key into IHS. So I have a choice between a superior HTTP server using a SHA-1 cert or a less capable HTTP server (i.e. Domino) using the new SHA-2 cert.
The server02.key (instead of server.key) has certainly confused many people. With regards to OpenSSL environment variables, none were set. I just installed OpenSSL for Windows and ran all commands from the C:\OpenSSL-Win32\bin\ directory. BTW, I have now generated 48 SHA-2 signed SSL certificates (new and re-keys) today alone w/o any issues.
***Don’t be too concerned about making a mistake (re: initial CSR…). You can always re-key, just don’t revoke the purchased certificate.