SSL certificate for Domino with SHA-1 hash rather than flawed MD5?

Has anyone succeeded in creating a Domino server certificate request (CSR) with SHA-1 hashes instead of MD5? I’m trying to get a Domino CSR signed by a browser-recognised CA but they reject the request with the message

“A weakness in the MD5 cryptographic hash function allows the construction of different messages with the same MD5 hash. This is known as an MD5 “collision”. StartCom disallows the use of MD5 hash signatures for all end-user certificates. SHA1 or better should be used instead.”

I followed some suggestions on the Internet, including the most promising one from http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments

but the last bit fails probably because that version of ikeyman doesn’t support SHA-1. For some reason the latest version of ikeyman (included in Domino 8.5.1) doesn’t seem to support the Domino kyr key ring files.

Domino folks - anyone managed to get around this problem?

IBM - any plans to change the hash algorithm to something less deprecated?

Subject: I have the same problem

Yes, right, I have the same problem. When I create a CSR for the third-party CA, they give the following error:

MD5 Signature Algorithm Detected

Your certificate request was created with a potentially weak signature algorithm.

For more information please see this FAQ item.

Please change the signature algorithm to SHA1 or better, create a new CSR and try it again!

Who can help us to find a solution?

Thanks a lot!

Subject: Workaround for startssl and Domino

Hi,

I don’t know if you still need it but here is my workaround to get a StartSSL free certificate in Domino.

I use OpenSSL on my Linux server to create a new certificate.

Here are the commands I used to create a key and a CSR file:

* openssl genrsa -des3 -out keyfile.key 2048

* openssl req -new -key keyfile.key -out request.csr (Answer the usual question)

Request the certificate from StartSSL with the CSR file.

With your new cert file, you have to create a PKCS (.p12) key file using openssl:

* openssl pkcs12 -export -in cert.crt -inkey keyfile.key -out cert.p12

Create a new keyring (.kyr) file using the certsrv.nsf database, with the SAME information as the Linux certificate.

Import the StartSSL Root certificate into the key ring file:

Get the "ca.pem" certificate and Merge it into your kyr file.

Get the "Sub Class 1" certificate and Merge it into your kyr file.

Now the tricky part…

To import the .p12 file into a Domino keyring, you need GSK5-iKeyMan. I used the one linked on the “Turtle Partnership Blog” from the first post: (ftp://ftp.software.ibm.com/software/lotus/tools/Domino/gsk5-ikeyman.zip)

(This tool might not work on Windows Vista and newer OSes; it works on 2003.)

Extract the gsk5-ikeyman.zip file into a directory that has no spaces in the name

Start the command line shell (cmd), change directory to the directory where you extracted gsk5.

Execute the following command: gskregmod.bat Add

Run IKeyman by executing: runikeyman.bat

Open the keyfile.kyr file that we created earlier and enter the keyring password.

Select Personal certificates and click Import

Select the certificate file (.p12) and enter the certificate's password.

Shutdown IKeyman and copy the keyfile.kyr and matching keyfile.sth to your Domino server's data directory.

Configure your Domino server to use this keyring file and restart the http task (or restart domino).

*** Weird thing… When I tried to import my “www.mydomain.com” PKCS key into my keyring, I got a bad p12 certificate error from gsk5. Everything went well with my 3 other “test” keyrings. To test my keyring, I imported my “test.p12” file into my “www” keyring and it worked. I then retried importing my “www.p12” into the keyring and it was now OK. I removed the “test” certificate from the keyring. I noticed that my “www.crt” was not the same size as my test.crt file… maybe something is missing in the www one!!!

(I hope I’m clear enough :wink: )

With this procedure, I can even import any of my existing certificates into a keyring.

Have a nice free SSL testing!!! :slight_smile:

Pat
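The OpenSSL side of Pat’s workaround, as an added example that is not part of the original post: it generates a 2048-bit key, builds a CSR with an explicit digest so the CSR’s own signature is not MD5, reads the signature algorithm back out of the CSR (the check the CA applies before issuing), and packages the result as PKCS#12 with an export password. Assumptions: `openssl` is on PATH; the CN www.example.com, the passphrase in `KEY_PASS` and the scratch directory are placeholders; the key is encrypted with AES-256 rather than the thread’s `-des3`; SHA-256 is used because that is what CAs accept today (pass `sha1` to `make_csr` to reproduce the thread’s request); and, because a real CA is not available offline, the CSR is self-signed in place of the CA-issued cert.crt.

```shell
#!/bin/sh
# Added example (not the forum poster's script). Placeholders: CN, KEY_PASS, WORK.
set -e

WORK="${WORK:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-changeit}"      # assumed passphrase; use a real one
CN="${CN:-www.example.com}"          # assumed hostname

# Print the signature algorithm recorded in a CSR, e.g. "sha256WithRSAEncryption".
# This is the field a CA such as StartSSL inspects when it rejects MD5-signed requests.
csr_sig_alg() {
    openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# make_csr <digest>  (sha256 or sha1): generate key + CSR, return the CSR's signature algorithm.
make_csr() {
    digest="${1:-sha256}"
    # -passout avoids the interactive passphrase prompt of "genrsa -des3".
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$WORK/keyfile.key" 2048 2>/dev/null
    # "-$digest" selects the digest that signs the CSR; tools that default to MD5 here
    # are the reason the requests in this thread were refused.
    openssl req -new "-$digest" -key "$WORK/keyfile.key" -passin "pass:$KEY_PASS" \
        -subj "/C=US/O=Example Org/CN=$CN" -out "$WORK/request.csr"
    csr_sig_alg "$WORK/request.csr"
}

# Build cert.p12 from the certificate and key, then read the subject back from the bundle.
make_p12() {
    # Offline stand-in for the CA-issued cert.crt: self-sign the CSR.
    openssl x509 -req -sha256 -days 30 -in "$WORK/request.csr" \
        -signkey "$WORK/keyfile.key" -passin "pass:$KEY_PASS" -out "$WORK/cert.crt" 2>/dev/null
    # -passout sets the export password; iKeyman needs a non-empty one (see Pat's follow-up).
    openssl pkcs12 -export -in "$WORK/cert.crt" -inkey "$WORK/keyfile.key" \
        -passin "pass:$KEY_PASS" -passout "pass:$KEY_PASS" -out "$WORK/cert.p12"
    # Confirm the bundle opens with that password and carries the expected certificate.
    openssl pkcs12 -in "$WORK/cert.p12" -passin "pass:$KEY_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}
```

Run `make_csr sha256` and check that it prints `sha256WithRSAEncryption` before submitting request.csr to the CA; if it prints `md5WithRSAEncryption`, the digest flag was not applied. `make_p12` then produces the cert.p12 that is imported into the .kyr file with iKeyman; keep the export password, since the import step asks for it.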

Subject: Signed certificate import error

I get an error while trying to import certificate using ikeyman:

An error occurred while importing keys from the PKCS12 format file.

It seems that this old ikeyman version can import up to 1024bit certificates, and newer ikeyman versions can import higher bit certificates but do not support .kyr files.

What is the solution then?

Subject: Import Ok for me in 2048bit

Hello,

Everything is OK for me with a 2048-bit certificate with the iKeyman version from my previous post!

  • Be sure to check date/time of the system where you run iKeyman.

  • If you are using my workaround on Linux, when you convert to p12, do not forget to enter an export password.

  • Be sure to run iKeyman on a WinXP/2003.

I just renewed my certificate and everything is still working fine for me.

Pat

Subject: Workaround for startssl

I, too, had a problem with importing the .p12 into iKeyMan.

My resolution was to use the “Create PKCS#12 (PFX) File” function provided by startssl.com. Unfortunately, that only works if you used startssl.com. The output file imported into iKeyman with no issue.