Revisit: Wildcard SSL certificate from P12/PFX file into Domino

Posted by:

The objective of this article is to provide an example on how to  do this with hopefully no discussions and no questions unanswered. Of course this example is based on a particular situation with a special certificate provider but can hopefully be translated to any other situation with other certificate authorities.
Wrote an earlier article, this is an update

Contents
1. Assumptions
2. What do I need
3. OpenSSL
4. Kyrtool
5. Syntax
6. Example
7. Implement the files on the server
8. Check out if it works
9. Important note
10. Conclusion

Assumptions:
Running Windows 64 bits (directory separator = \)
PFX file contains both certificate, intermediate and root certificates 
Domino server running 9.0.1 FP3

What do I need:
1. An exported P12/PFX file from in my case IIS, containing the wildcard certificate private key as well as the certification path to it.

2. OpenSSL:
Homepage: https://www.openssl.org/source/
Easy precompiled: https://slproweb.com/products/Win32OpenSSL.html
The one I used: http://slproweb.com/download/Win64OpenSSL-1_0_2g.exe

3. Kyrtool:
Fixcentral short: http://ibm.co/1SAYX5E
Fixcentral long: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

Syntax:
<ossldir> = Where you installed OpenSSL eg. C:\OpenSSL-Win64
<pfxdir> = Where you have placed your pfxfile
<pfxfile> = Name of your pfxfile eg. wildcard_acme_com.pfx
<pfxpassword> = Password to your pfxfile
<pemdir> = Where you have placed your pfxfile
<pemfile> = Name of your pfxfile eg. wildcard_acme_com.pem
<notespgmdir> = Notes or Domino program directory, minimum 9.0.1 FP3
(assumes that notes program directory is in your path, if not execute from program directory)
<kyrdir> = Directory where you want to put your kyrfile
<kyrfile> = Name of your kyrfile eg. wildcard_acme_com.kyr
<kyrpassword> = Password to your kyrfile

Check your pfx file:
<ossldir>\bin\openssl pkcs12 -info -in <pfxdir>\<pfxfile>
use <pfxpassword> when asked (nothing on PEM)

In general:
1. <ossldir>\bin\openssl pkcs12 -in <pfxdir>\<pfxfile> -out <pemdir>\<pemfile> -nodes -chain
use <pfxpassword> when asked (nothing on PEM)
2. <notespgmdir>\kyrtool create -k <kyrdir>\<kyrfile> -p <kyrpassword>
3. <notespgmdir>\kyrtool import all -k <kyrdir>\<kyrfile> -i <pemdir>\<pemfile>
Check in general:
1. <notespgmdir>\kyrtool show certs -k <kyrdir>\<kyrfile> >kyrcerts.txt
2. <notespgmdir>\kyrtool show keys -k <kyrdir>\<kyrfile> >kyrkeys.txt
3. <notespgmdir>\kyrtool show roots -k <kyrdir>\<kyrfile> >kyrroots.txt

Example:
1. C:\OpenSSL-Win64\bin\openssl pkcs12 -in C:\mypfxfiles\wildcard_acme_com.pfx -out C:\mypemfiles\wildcard_acme_com.pem -nodes -chain
use <pfxpassword> when asked
2. C:\IBM\Lotus\Domino\kyrtool create -k C:\mykyrfiles\wildcard_acme_com.kyr -p password
3. C:\IBM\Lotus\Domino\kyrtool import all -k C:\mykyrfiles\wildcard_acme_com.kyr -i C:\mypemfiles\wildcard_acme_com.pem
Check sample:

1. C:\IBM\Lotus\Domino\kyrtool show certs -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrcerts.txt
2. C:\IBM\Lotus\Domino\kyrtool show keys -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrkeys.txt
3. C:\IBM\Lotus\Domino\kyrtool show roots -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrroots.txt

Implement the files on the server
1. Copy kyr file and the associated sth file to the server
2. Add the kyrfile name to your internet sites document or server document depending how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart your http task on the server, use sh ta onl and check that http listens to both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Important note:
Following this means that especially the pem file is unprotected, therefore make sure that keep it in a safe place during this and maybe deleting it afterwards. Same goes for kyrfile (you can not delete them but keep them as safe as you can) as they contain private key.

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.

Link to this document: http://www.infoware.eu/?p=7226

 

0

Wildcard SSL certificate from P12/PFX file into Domino (SHA2 as well)

Posted by:

New article on this here
Just made a key file from scratch using a file exported from another webserver.
I am using iKeyman for Sametime/Connections and the tools provided by Domino all the time, but this is explicitly to describe the process of using already bought wildcard certificates used by other parts of your organisation and extending the use of them to also include Domino servers, instead of having to request a new wildcard certificate just for Domino and paying the certificate authority one more time. Of course you must follow the agreement made on how many servers you can use the certificate for, but still it gives you the option of not paying more than one time and include your Domino servers in the same package.

This article http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments and the comments as well as discussion on notesnet
http://www-10.lotus.com/ldd/nd8forum.nsf/Customer/59aad6f8ac81d8648525744900202ad1?OpenDocument provided me with information to start with.

The objective of this article is to provide an example on how to  do this with hopefully no discussions and no questions unanswered. Of course this example is based on a particular situation with a special certificate provider but can hopefully be translated to any other situation with other certificate authorities.

Because of the nature of this instruction a PDF file will be provided to use as a checklist. I highly recommend using this (screenshotsforblogP12)

Contents
1. What do I need
2. Import your P12/PFX file into your browser
3. Export root and any intermediate certificates to file
4. Run iKeyman to create new kyrfile and then Add and Import certificate information
5. Check your file and add sth file to enable it for Domino use
6. Implement the files on the server
7. Check out if it works
8. Conclusion

What do I need:
1. One instance of a 32 bit Windows operating system, I used 32 bit Windows XP running on my laptop with VMware 10. You can not use 64 bit Windows for this task.
2. GSK5 that you can download from http://www-01.ibm.com/support/docview.wss?uid=swg21615277&aid=1. This should be unzipped inside your XP virtual machine.
Source: http://www-01.ibm.com/support/docview.wss?uid=swg21615277
3. An exported P12/PFX file from in my case IIS, containing the wildcard certificate private key as well as the certification path to it, more on this later on.

Import your P12/PFX file into your browser
This should contain private key as well as all certificates in the certification path if possible.
Open the file with Crypto Shell Extensions and Import into your browser, to import you need a password provided by the administrator that exported the file.
Examine the newly imported certificate in Internet Explorer under ContentCertificates..Personal
View the certificate and each certificate in the path and write down the labels to easily find them under Intermediate… and Trusted Root… later as well as using them inside iKeyman when labelling them.

Export root and any intermediate certificates to file
Find the different certificates under Intermediate Certification Authorities or Trusted Root Certification Authorities using the labels noted in the step above.
Export them to file.

Run iKeyman to create new kyrfile and then Add and Import certicate information
You must be Administrator on your machine to run this, make sure you are.
Go to the directory where you unzipped your files in a Command Prompt.
1. notepad readme.txt and read it
2. gskregmod.bat Add
3. runikeyman.bat
4. Create new keyring file
5. Add Signer Certificates from the earlier exported Trusted Root and any Intermediate in this order starting with the top meaning trusted Root first and then Intermediate.
6. Import Personal Certificates using the first provided P12/PFX file
7. View this key information to make sure that it is looking good.

Check your file and add sth file to enable it for Domino use
1. Copy the kyr file to your data directory on the notes client
2. Open or create the Server Certificate Admin application
3. View & Edit Key Rings
4. Select key Ring to Display and check that you can read it using the password set by you earlier.
5. Change Key Ring Password and follow the procedure
6. Check that you have received an sth file with the same name as the kyr file in your data directory
7. Check your certificate in Server Certificate Admin

Implement the files on the server
1. Copy both files to your servers data directory
2. Add the kyrfile name to your internet sites document or server document depending how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart your http task on the server, use sh ta onl and check that http listens to both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.
Domino can use the same wildcard certificates already used by others, you do not have to pay twice.
Use the checklist with screenshots included above to make sure that you understand the instructions.screenshotsforblogP12
I think IBM needs to either change Domino server SSL implementation to use the same files for this as the rest of IBM products, meaning same structure as eg. WebSphere Application Server or it must include support for Keyring files into the latest versions of GSK. Keeping instances of old operating systems for this task only could not be a good solution.
Also got this working with SHA2 and my internal Domino 9 server, but then I had to work with multiple GSK kits, but ended up with a valid kyr file. This is not documented here, but I could do it if it is still interesting after this Poodle issue. I guess not, because TLS is more important now.
OK here we go, Instead of creating a kyr file directly under Windows XP I first created a CMS – kbd file with the GSK kit provided by IBM HTTP servers, that I had on another server. Then I copied the kbd file into Windows XP and GKS kit version 5 and opened it there and saved as kyr file and then proceeded to:
1. Copy the kyr file to your data directory on the notes client

Link directly to this document: http://www.infoware.com/?p=1592

6