 |  | | Apr 21, 2021
(updated Aug 7, 2021)
By Lance Zakin, HCL CASA, CAAD
Notes and Domino
NotesMail - HCL BP | This article provides instructions how to configure a SSL certificate on websites running on a Domino 12/11/10/9 web server. SSL certificates can be used with Domino to protect one website (standard protection), protect multiple websites (UCC/SAN SSL) or protect all subdomains (Wildcard SSL). In early 2015, web browsers such as Google Chrome stopped honoring SHA-1-dependent TLS certificates due to security concerns. | |
|
And SSL providers started only offering SHA-2 certificates. The Domino Server Certificate Admin database does not allow importing SHA-2 certificates. Because of this limitation, OpenSSL and KYRTool are now used for generating the keyfile with a SSL Provider (CA) SHA-2 certificate. Note: Domino 12 includes a new native feature called Certificate Manager, a server task (CertMgr), which can optionally be used instead of steps below for easier SSL maintenance. The Certificate Store DB (certstore.nsf) has replaced the legacy Domino Server Certificate Admin DB (certsrv.nsf). The new ACME feature allows free SSL certifcates and automated certificate renewals with Let's Encrypt SSL provider. The web page you are reading is using this free and automated SSL renewal feature with a TLS certificate and ECDSA (NIST P-384 curve name) encryption which is the newer and equal if not better than RSA (4096 key size) encryption. And web pages using ECDSA (NIST P-384) load faster when compared to RSA (4096).
1. Download and install Win64 OpenSSL Light. Note: The instructions below have been tested with Win64 OpenSSL v1.1.1k Light.
2. Download and install 32-bit KYRTool for Windows from a download site below:
A. Copy the kyrtool.exe file to your Notes program folder on a Windows desktop. Note: Since Domino 10 this program is included in the server program folder.
Skip to step 7 if you already generated a certificate signing request (CSR) via a 3rd party web server (i.e. Apache, IIS) and acquired an SSL/TLS certificate from a SSL provider (CA). i.e. GoDaddy
3. Generate RSA private key using OpenSSL. Start "Win64 OpenSSL Command Prompt".
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
4. Generate a certificate signing request (CSR) using OpenSSL. Start "Win64 OpenSSL Command Prompt".
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
5. Acquire an SSL/TLS certificate from a SSL provider (CA). i.e. GoDaddy
Copy the certificate request (server.csr) from above into a SSL provider (CA) web form and select a SHA-2 algorithm (SHA-256, SHA-384, SHA-512). You will receive a PEM or CRT certificates seen below. Note: You may also receive some of the CA's intermediate root certificates.
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
6. Concatenate the server's private key (server.key) and the certificates into a single file. See example below.
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
SKIP TO STEP 9.
7. Skip to step 8 if you have a PEM or CRT file. Otherwise, start "Win64 OpenSSL Command Prompt". Export the certificate from the PFX file [using the SSL cert password] to a PEM file using the command below. The command below will prompt for the SSL cert password (aka import password). Note: The folder path will vary due to user performing this task, so this is an example. A PFX file, also known as PKCS #12 , is a single password protected certificate archive that contains the entire certificate chain plus the matching private key. Essentially it is everything that any server will need to import a certificate and private key from a single file.
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
8. Open the PEM or CRT file in notepad and save as a txt file. i.e. c:\users\lzakin\server.txt
9. Verify the txt file using the KYRTool. Open a command prompt in the Notes program folder and use the command below. Note: The folder path will vary due to user performing this task, so this is an example. It should display "Successfully read 2048 bit RSA private key" and 5 more informational lines.
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
10. Create a new keyring file. Open a command prompt in the Notes program folder and use the command below.
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
11. Import the keypair and SSL provider (CA) signed certificate. Open a command prompt in the Notes program folder and use the command below. Note: Is should display at least 3 lines which include words "Successfully read" and "succeeded".
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
12. Optional: Examine the resulting keyring file.
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
13. Rename the keyring.kyr and keyring.sth file to the key file name configured in the Domino Directory Internet Site document or Server document. i.e. MyKeyFile.kyr, MyKeyFile.sth
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
14. Remote into the Domino web server and open the Domino server data folder. Backup the existing key files if this is a SSL renewal. i.e. MyKeyFile_OLD.kyr, MyKeyFile_OLD.sth
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
15. Copy the KYR and STH keyring files from the Notes data folder on your desktop to the Domino server data folder.
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
16. Issue console command below on Domino server.
[Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
Reference Sources
[Section is hidden. Open a service case for support, or login to authenticate.]
| B |