SHA-2 cert into both Domino and IHS?

Does anybody know how to get an SHA-2 certificate into both Domino and IBM HTTP Server? Preferably, is there a way to convert a Domino SHA-2 cert to the format needed for IHS?

I previously converted my Domino SHA-1 cert to IHS using the wonderful instructions from Darren Duke (Darren Duke Blog Zone) http://blog.darrenduke.net/darren/ddbz.nsf/dx/exporting-domino-ssl-keyfiles-to-another-format-for-use-with-ihs-.htm.

Later I updated the cert to SHA-2 and got it working in Domino. But to do that I had to issue new keys and revoke the old cert. Thus the cert I made using Darren’s instructions is now revoked.

I’d like to continue using IHS in front of Domino because it is more capable, supports more protocols, and allows disabling SSL 3. But I can’t figure out how to get my new cert from Domino into IHS. Darren’s method chokes on SHA-2 certs, so far as I can tell. And the IBM instructions for certs and IHS involve a new CSR (which would then revoke the one I have in Domino…).

My cert is with GoDaddy. I can download the new SHA-2 cert in a variety of formats, but none appear to be what the IHS IKEYMAN tool works with. So again, is there a documented way to convert my current SHA-2 cert from Domino to IHS?

Subject: Re. Try using “kyrtool show” to export the .kyr file to PEM format

Thanks Dave,

I was able to export both keys and certs from the Domino .kyr file, but I couldn’t figure out how to get the keys into the IBM Key Management tool (ikeyman.exe) that comes with IHS. I was able to get the certs imported successfully (they’re Go Daddy), but couldn’t figure out how to import the keys.

The way I attempted to import them was by simply copy/pasting the key/cert text into text files from the output of the “show keys” and “show certs” command. As I said, this worked for the Certs, but I was unable to import the keys after trying it a dozen different ways in ikeyman.

Ikeyman says it imports four different key file types: CMS (with a kdb extension), JKS (with a jks extension), JCEKS (with a jck extension), and PKCS12 (with a p12 extension). I tried importing the keys using each of these a couple of times in different ways, without success.

The CMS format import attempt errors with “Invalid KeyStore Format”. Others, such as the PKCS12 key type, prompt for a password and then error with “An IO Exception has occurred. Insufficient data”.

Any insight as to how to use IBM’s supplied ikeyman to create valid SHA-2 keys for IHS, starting with the SHA-2 keys and certs exported from Domino as you described?

Subject: IBM HTTP Server uses the kdb database

From your original post, it looks like you were trying to follow Darren Duke’s instructions. That old version of ikeyman he references is most likely obsolete, not being able to handle SHA-2.

You should follow these instructions (since you are using Windows) to get the correct Domino ikeyman installed:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/kyrtool

And then start with step three from these instructions (you appear to have already created your own private keys and obtained the third-party certificate so skip the first two steps):

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool

You should then be following these instructions to set up IHS, which will use the same kdb file as Domino:

http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/inst_configuring_the_ibm_http_server_to_reside_on_the_same_computer_as_the_domino_http_server_t.dita

Subject: Re. I think openssl will get the job done for you

Thanks, Ben, I’ll check that out tomorrow.

Subject: Try using “kyrtool show” to export the .kyr file to PEM format

“kyrtool show keys” will print out the PEM-formatted RSA private key
“kyrtool show certs” will print out the PEM-formatted server certificate chain.

PEM is a standard format, so you should be able to re-import those keys into practically any other tool or format desired.

Subject: Redirect to file

Redirect kyrtool output to a text file, e.g. kyrtool show keys > mykey.txt

Subject: How?

This may be a dumb question, but if it will print them on a DOS window how can I get them into their own PEM formatted files? It’s useless on the screen.

Subject: Re. IBM HTTP Server uses the kdb database

Ben, thanks for responding. However, I’m not talking about the Darren Duke procedure with the special version of ikeyman. I’m quite familiar with that procedure and used it successfully many weeks ago to make an SHA-1 cert for IHS.

Since that time I created a functioning SHA-2 cert for Domino using OpenSSL and kyrtool using the IBM procedure. I did it not only because it’s a good idea but because I’m working with IBM on a PMR for issues with TLS over SMTP.

Naturally, the SHA-2 cert in Domino also applies to HTTP when using Domino as an HTTP server. However, I’d prefer to continue using IHS because it is more capable, supports more versions of TLS, and offers the ability to completely disable SSL v3 (for HTTP only, of course).

Currently I’ve had to fall back to using Domino for HTTP and turn off IHS because I can’t get the SHA-2 cert from Domino into IHS.

I am using the version of ikeyman as supplied with IHS from IBM to try to make the SHA-2 key. I need Domino and IHS to have the same keys/certs (obviously in their own respective formats, but the same keys/certs). Ironically, the version of ikeyman Darren uses in his blog post will import KYR key files from Domino (but won’t handle SHA-2), whereas the version of ikeyman in IHS (needed for SHA-2) will not import KYR files from Domino. What a pain.

I’ve already tried, unsuccessfully, to import the key information given to me from GoDaddy – which was used successfully to make SHA-2 certs/keys for Domino – using the ikeyman supplied with IHS. I’ve also tried using the kyrtool commands Dave Kern described here to export the existing SHA-2 keys from the Domino KYR file and then import them using ikeyman from IHS. No success there either.

To summarize:

  • I’ve got SHA-2 working in Domino via OpenSSL and kyrtool
  • I’ve already got the latest, greatest Domino and IHS installed and know how to enable/disable IHS. I had IHS running earlier with an SHA-1 cert.
  • Now I need to use the same SHA-2 cert/key info that is running in Domino, but I need it over in the format used by IHS.
  • ikeyman supplied with IHS won’t import keys from the KYR file in Domino, nor have I yet figured out some middle-man process to convert Domino KYR key info into a format that ikeyman will import. This is the crux of the problem.
  • The procedures you cited for making SHA-2 certs with ikeyman involve a new CSR and retrieving that, NOT importing existing keys from a KYR or some other keystore as a middleman. I can’t go the CSR route in ikeyman because 1) it will require I buy new certs when I already have them, 2) it will invalidate my existing and functioning Domino SHA-2 keys, and then I’ll have the equal but opposite problem of not being able to get the SHA-2 certs/keys from IHS over into Domino.
  • I can’t just download and import the cert/key info I’m using for Domino from the certifier (GoDaddy) using ikeyman because it does not appear to recognize any format supplied by GoDaddy. The import fails, and I’ve tried it dozens of ways.

So I’m back to my original question: How do I get the functioning SHA-2 cert/key info from a Domino KYR file over into IHS using ikeyman supplied with IHS? Or, how can it be done by any process? I’m open to ideas.

Subject: I think openssl will get the job done for you

I see, I apologize for misunderstanding your scenario before.

  1. Gather the private key you created with openssl and the certificate provided by GoDaddy. If you don’t have the private key, get them by following Dave Kern’s instructions in his reply to you on 12/2. You will be able to get the key and certificate out of your KYR that Domino is using, if you don’t have them any other way (i.e. they got inadvertently deleted).

  2. Next, use openssl to export your GoDaddy Cert and private key to a new file, server.p12 where server.key is the private key you created with openssl and server.crt is the certificate GoDaddy provided you with:
    openssl pkcs12 -clcerts -export -inkey server.key -in server.crt -out server.p12 -descert

  3. Enter an export password and confirmation. You will use this password to import server.p12 into ikeyman.

  4. Create a key file.
    a. Start the IHS iKeyman user interface.
    b. Click Key Database File in the main user interface, then click New. Select CMS for the Key database type. IBM HTTP Server does not support database types other than CMS.
    c. Enter a name for the new key file. For example, server.kdb. Click OK.
    d. Enter a password in the Password Prompt dialog box, and confirm the password. Select Stash the password to a file and then click OK.

  5. In the Key Database Content window, select Signer Certificates from the drop down menu.

  6. Click Add and browse to any and all Root and/or Intermediate certificates GoDaddy gave you. (Do not add your leaf certificate here.)

  7. Switch contexts from Signer Certificates to Personal Certificates and click Import.

  8. Change Key file type to PKCS12.

  9. Browse to the file you exported in step 2 (i.e. server.p12)

  10. Type in the password you provided in step 3.

  11. Click OK to accept the certificate into your key database.

  12. Exit ikeyman.

  13. You now have a keyfile and password stash file in the directory you specified in step 4 (i.e. server.kdb and server.sth).

  14. You can now use these files in your IHS configuration as outlined in Configuring the IBM HTTP server to reside on the same computer as the Domino HTTP server http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/inst_configuring_the_ibm_http_server_to_reside_on_the_same_computer_as_the_domino_http_server_t.dita.
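The openssl half of Ben’s recipe (steps 1 to 3 and 6), together with Dave Kern’s “redirect kyrtool output to a file” answer, can be checked before anything is handed to ikeyman. The script below is an added example and is not code from the thread, from IBM or from Darren Duke; it assumes only the openssl command-line tool. The “kyrtool show certs” bundle, the private key and the GoDaddy certificate are replaced by constructed self-signed material generated inside the script (the WORK directory, the export password and the CN values are all assumptions), so it runs offline; on a real server you would point the same functions at the files you redirected kyrtool output into and at the GoDaddy bundle. It splits a PEM chain into one file per certificate, picks out the leaf by matching its modulus against the private key (so the remaining files are the signer certificates for step 6 and the leaf is not added there by mistake), confirms the leaf is SHA-2 signed, exports the PKCS#12 with the same flags as step 2 (using -passout in place of the interactive prompt of step 3), and reads the .p12 back to confirm it actually contains both a key and a certificate.

```shell
#!/bin/sh
# Added example (not from the thread): checks around the openssl part of Ben's
# recipe, run against constructed self-signed material so it works offline.
set -e
WORK="${WORK:-$(mktemp -d)}"                 # scratch directory (assumption)
PASS="${PASS:-constructed-export-password}"  # PKCS#12 export password (constructed)

# Constructed stand-ins: a 2048-bit RSA key with a SHA-256 self-signed cert for
# the server, and a second self-signed cert playing the GoDaddy intermediate.
# chain.pem imitates "kyrtool show certs > certs.txt" (leaf first, then CA).
make_sample_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    cat "$WORK/server.crt" "$WORK/ca.crt" > "$WORK/chain.pem"
}

# Split a PEM bundle ($1) into cert-1.pem, cert-2.pem, ... under $2 and print
# how many certificates were found.
split_pem_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
    ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# True when RSA key $1 and certificate $2 share a modulus, i.e. the cert really
# belongs to this key. A mismatched pair exports and imports without error but
# cannot serve TLS.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1")
    cmod=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Print the path of the leaf certificate in directory $2 (the one matching key
# $1); every other file there is a signer certificate for step 6.
find_leaf() {
    for c in "$2"/cert-*.pem; do
        if key_matches_cert "$1" "$c"; then echo "$c"; return 0; fi
    done
    return 1
}

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# True when the certificate is SHA-2 signed (SHA-256/384/512).
is_sha2_signed() {
    case "$(cert_sig_alg "$1")" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2 of Ben's reply with the same flags; -passout supplies the export
# password that step 3 would otherwise prompt for.
export_pkcs12() {
    openssl pkcs12 -clcerts -export -inkey "$1" -in "$2" -out "$3" -descert \
        -passout "pass:$4"
}

# Read the PKCS#12 back with its password and confirm both a private key and a
# certificate are inside, which is what the Personal Certificates import needs.
pkcs12_has_key_and_cert() {
    out=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q 'BEGIN .*PRIVATE KEY' &&
        printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'
}

# Whole sequence; with set -e the first failing check stops the script.
run_checks() {
    make_sample_material
    n=$(split_pem_chain "$WORK/chain.pem" "$WORK/split")
    leaf=$(find_leaf "$WORK/server.key" "$WORK/split")
    is_sha2_signed "$leaf"
    export_pkcs12 "$WORK/server.key" "$leaf" "$WORK/server.p12" "$PASS"
    pkcs12_has_key_and_cert "$WORK/server.p12" "$PASS"
    echo "ok: $n certs split, leaf=$leaf ($(cert_sig_alg "$leaf")), $WORK/server.p12 written"
}

run_checks
```

The modulus comparison is the check worth keeping around: ikeyman and openssl will both happily package a certificate with a key that does not belong to it, and nothing complains until the server tries to serve TLS.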

Subject: Update Re. I think openssl will get the job done for you

Last Friday (12/5) I went through the steps to convert the Domino key into an IHS key, without success. The process didn’t produce any failures or errors, and the server.kdb and server.sth files were created successfully. But when applied to the IHS server no secure connections could be made. Secure browser connections fail with “no compatible ciphers” type errors (not the exact phrase). And the IHS error.log fills up with this over and over for each attempt:

[Fri Dec 05 12:54:38 2014] [warn] [client 64.41.200.102] [f5e008] [6692] SSL0222W: SSL Handshake Failed, No ciphers specified. [64.41.200.102:50323 → 192.168.1.56:443] [12:54:38.000154554] 0ms

[Fri Dec 05 12:54:38 2014] [warn] [client 64.41.200.102] [f5e008] [6692] SSL0222W: SSL Handshake Failed, No ciphers specified. [64.41.200.102:50329 → 192.168.1.56:443] [12:54:38.000431827] 0ms

[Fri Dec 05 12:54:38 2014] [error] [client 64.41.200.102] [f5e008] [6692] SSL0223E: SSL Handshake Failed, No certificate. [64.41.200.102:50337 → 192.168.1.56:443] [12:54:38.000704409] 0ms

[Fri Dec 05 12:54:38 2014] [error] [client 64.41.200.102] [f5e008] [6692] SSL0223E: SSL Handshake Failed, No certificate. [64.41.200.102:50346 → 192.168.1.56:443] [12:54:38.000992239] 0ms

With no other differences than the new SSL certs/keys, the IHS server worked with older SHA-1 certs/keys a week ago. And it tested successfully at that time using the Qualys online SSL test.

Not sure where the flaw lies, and it is easily something I’m doing wrong in the key creation process. I tried it several times, but got the same problem (and identical looking keys) each time.

For now, I’ve reverted back to using the Domino HTTP server which, although less capable and a bit archaic, works with my SHA-2 certs/keys.

I very much appreciate Ben’s step-by-step recipe, and I’m not sure where the flaw lies in my trying to implement it. However, the REAL problem is the lack of a decent integrated interface in Domino to fully manage/create all the current certs/keys/SSL (including those of IHS, since it is a supported option). The reliance on multiple, arcane command-line tools and procedures feels like potion recipes from a book of magic.

I may have to put in some hours of research to become more knowledgeable about the whole SSL thing to get this working, but for a small shop like ours it is a bit of a waste for something I’m going to do (and forget…) once every 2-3 years. I just need it to work and test securely, and move on.