SSL Certificate Renewal- How To On Domino 7.x

All,

After some MAJOR headaches, I was able to renew my SSL certificate. Not only did I run into the dreaded 2048 encryption strength (which the 7.x csrv50.ntf doesn’t support) but also the MD5 crap! (Most require SHA-1)

Unbelievable, right? Jeez. But have no fear. I have it figured out with a bunch of help from this article:

http://www-10.lotus.com/ldd/nd85forum.nsf/5049ee164c54799785256bff00519260/f077f707e7952afe8525789c007cc7e1?OpenDocument

The only difference in this article and what I actually did is to use a -sha1 switch on one of the openssl statements, and submit the CSR to Verisign. Other than that, the steps are pretty much the same. But here they are simplified. And I sure hope you have a Linux server :slight_smile: If not, I don’t have a good solution. Also, keep in mind. I am not a Linux admin at all and have no real experience with SSL. I am a programmer. So, some of the below terminology may not be correct.

  1. Login to your Linux server console.

  2. Issue this command: openssl genrsa -des3 -out serverName.key 2048 -sha1. Enter a passphrase

  3. OK. Now, you should have a serverName.key in your home directory.

  4. Now, issue this command: openssl req -new -key serverName.key -out serverName.csr. Enter the passphrase.

  5. Enter in your CSR information for renewal (i.e. country, etc.)

  6. Now, open up the serverName.csr file (In your home directory) and paste into Verisign’s CSR request (or other 3rd party, I guess…Assuming it will work the same)

  7. Get back your certificate, and create a serverName.crt file with the contents. Copy up to your home directory.

  8. Now, issue this command: openssl pkcs12 -export -in serverName.crt -inkey serverName.key -out serverName.p12. Enter the passphrase.

  9. Now, download this (from the article): ftp://ftp.software.ibm.com/software/lotus/tools/Domino/gsk5-ikeyman.zip. I tried Windows 7 to no avail. But it worked on XP. I know. Yet another hoop.

  10. Extract file. Start a dos prompt. Change directory to extracted file directory.

  11. Run gskregmod.bat Add (make sure Add is proper)

  12. Now, type runikeyman.bat

  13. Open your serverName.kyr file from your server. (I would recommend copying it down first and backing up the good one) Enter your passphrase.

  14. Now, click ‘Export/Import’. Select ‘Import Key’ and browse to serverName.p12. Type in your passphrase

  15. Close ikeyMan, and copy the serverName.kyr and serverName.sth files back up to your server. This should do it!

** NOTE. No need to open Server Certificate Admin. The CSR you will generate is no good (because MD5) and if Domino 7.x, no 2048. You can, of course, download the Domino 8.x template, but it still encrypts using MD5 **
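As an added example, not code from the original post: a shell script that walks the openssl half of the steps above and then checks what digest the CSR and certificate were actually signed with, and that the certificate matches the key, before the .p12 is built. It assumes openssl is on PATH; the file names, passphrase and CN are placeholders, and the certificate is self-signed here in place of the CA-issued one.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the digest a CSR or
# certificate was signed with, and that the certificate matches the key,
# before bundling them into a .p12 for import into a Domino keyring.
# Assumes openssl is on PATH; all file names, the passphrase and the CN
# are placeholders.
set -e

# Print the signature algorithm of a PEM CSR ($1=req) or certificate ($1=x509).
sig_alg() {
    openssl "$1" -in "$2" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only when the private key and certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Run steps 2-8 of the post in a scratch directory and print that directory.
# The digest flag belongs on the signing steps (req / x509), not on genrsa.
demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/serverName.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/serverName.key" \
        -subj "/CN=serverName.example.invalid" -out "$d/serverName.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/serverName.csr" \
        -signkey "$d/serverName.key" -out "$d/serverName.crt" 2>/dev/null
    # Give the .p12 a name different from the .kyr, as a later reply advises.
    openssl pkcs12 -export -in "$d/serverName.crt" -inkey "$d/serverName.key" \
        -out "$d/serverName-import.p12" -passout pass:changeit
    echo "$d"
}
```

Run sig_alg on the certificate the CA returns as well: a value other than the one you expect (e.g. a SHA-2 variant) explains a keyring import failure before you touch the .kyr.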

Subject: SSL Certificate Renewal- How To On Domino 7.x

As you posted, this is great if you have Linux, but for those of us who do not??? I know I can use the 8.5 server certificate ntf to create 2048 and use it on a 7 server, but as you said they now require SHA-1 and even 8.5 uses MD5. There has to be another way? Anyone???

Subject: RE: SSL Certificate Renewal- How To On Domino 7.x

GOOD NEWS!!! I found a copy of OpenSSL for Windows 7. It works great. I still however got the error on import into the KYR. I tried one more thing. I realized I had named the exported .p12 the same name as the .kyr. When I imported the .p12 into the .kyr using gsk5-ikeyman it finally worked!!! I think it was not having the same name that made the difference.

Subject: SSL Certificate Renewal- How To On Domino 7.x

Hi …

I read through this with great interest, as I thought I’d have to go through this procedure on my Domino server on Windows. It turns out that my issue was caused by an IE9/10 bug on the VeriSign site that triggered the wrong encryption algorithm to be used in my certificate.

On my Domino 8.5.3 server, I was able to generate a Domino keyring that’s 2048 bit and yes, I generated a CSR that was using MD5 (because that’s the only option available). Even when you submit a CSR to Verisign that uses MD5, they issue you SHA-1 back. The certsrv.nsf database in Domino is supposed to be able to accept this. In my case, it didn’t - I got back a message “Certificate Signature Does Not Match Contents”.

So what happened? Verisign sent me my certificate signed with the SHA-2 algorithm. Why did this happen? It turns out that if you use IE9 or IE10 to request your certificate and submit your CSR, the choice for “signature algorithm” at the bottom of Verisign’s CSR submission page, even though it may say SHA-1, will get submitted as SHA-2 unless you edit the choice and select SHA-1 yourself. Yes, in IE9 or IE10, you have to edit the signature algorithm and pick SHA-1 from the pulldown even though it says SHA-1 already.

Firefox doesn’t suffer from this affliction.

Hopefully this will help out others that get bit by this as well.

I was told by Verisign that, for Domino 7 servers, as long as you can generate the 2048-bit key request (which you can do by editing the design of the CertAdminCreateKeyring form in certsrv.nsf to include 2048 as a choice), even if MD5 is specified as the signature algorithm, Verisign will issue SHA-1 back and the certsrv.nsf database should be able to import it just fine.

If you use Verisign’s CSR checker, for the moment, it warns you about using MD5 but it doesn’t prevent CSR submission with it. If that is going to change in the future, I don’t know.

Hope this helps.

–Mark