Create 4096 Bit / SHA256 Domino Keyring Using PFX Multidomain Certificate

Mindwatering Incorporated

Author: Tripp W Black

Created: 04/13/2017 at 05:12 PM


Category:
Domino Upgrades / Installations
Software (Re)Configuration

Issue:
You have a PFX (PKCS#12) certificate that is already in use on other network devices, so the CSR / certificate request was done elsewhere. You want to reuse that multi-name (SAN) certificate in one of the newer SHA-2 Domino keyrings.

Notes:
Beginning in 9.0.1 FP3, there is a new Kyrtool (32-bit on MS Windows, 32- or 64-bit on Linux). Use OpenSSL to convert between certificate formats; for building the Domino keyring itself, the command-line Kyrtool works well.

These instructions assume OpenSSL and the new kyrtool from IBM are installed on a Linux workstation or Linux server. Several of the intermediate files below contain the unencrypted private key: keep them readable only by your own account (no shared or world-readable directories) and clean them up afterwards.

Convert the files to PEM
1. Copy the PFX and the intermediate and root CRT files to the workstation / server running OpenSSL.
2. Enter the following commands to extract the server certificate and the private key from the PFX and merge them into a new PEM file. The two openssl pkcs12 commands prompt for the PFX import password; the second one also asks for a PEM pass phrase to protect the exported key, and the openssl rsa command then prompts for that pass phrase and writes the key out unencrypted.
$ cd /home/myadminid/
$ openssl pkcs12 -in mydomain.com.pfx -out mydomain.com.nokey.pem -nokeys -clcerts
$ openssl pkcs12 -in mydomain.com.pfx -out mydomain.com.withkey.pem
$ openssl rsa -in mydomain.com.withkey.pem -out mydomain.com.key
$ cat mydomain.com.key mydomain.com.nokey.pem > mydomain.com.combo.pem

Note: This file is the PEM file with the private key followed by the server certificate, which is the order kyrtool expects (see step 4). It contains no intermediates or roots: -clcerts keeps only the server (end-entity) certificate even if the PFX also carries the chain, so the chain is appended exactly once in step 4.

3. Make sure the intermediate and root CRT files are base64 PEM, not binary DER. (The .crt / .cer / .der extension says nothing about the encoding; check the content.)
$ cat filenameforintermediate.crt
$ cat filenameforroot.crt
If you see -----BEGIN CERTIFICATE----- and its matching -----END CERTIFICATE----- line, the file is PEM and ready to merge.
To be more sure, confirm with openssl:
$ openssl x509 -in filenameforintermediate.crt -text -noout

If the file is binary (DER), you can confirm that with openssl:
$ openssl x509 -in filenameforintermediate.der -inform der -text -noout
Convert it to PEM with something like:
$ openssl x509 -in filenameforintermediate.der -inform der -outform pem -out filenameforintermediate.crt

4. Append the intermediate and then the root certificate to the combo PEM file from step 2 (order matters: server key, server cert, then up the chain to the root).
$ cat mydomain.com.combo.pem filenameforintermediate.crt filenameforroot.crt > mydomain.com.txt

So for Comodo, with the key and server certificate as separate files, you might do this:
$ cat mydomain_com.key mydomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.com.txt
( order: server.key --> server.crt --> intermediate.crt --> root.crt )
Notes:
You are now ready to import the private key and certificates into a new keyring.
It is easiest at this point to copy the combined text file to the Domino data directory (next to notes.ini) and run kyrtool from there. Keep the file's permissions restrictive: it contains the unencrypted private key.
$ cp mydomain.com.txt /local/notesdata/mydomain.com.txt
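
The following script is an added example, not part of the original article and not IBM's or the kyrtool's code. It wraps steps 1 to 4 above in reusable shell functions and adds the checks worth running before kyrtool ever sees the file: that the bundle starts with the private key, that the key actually belongs to the server certificate, and that the chain in the bundle verifies up to the root it ends with. It goes slightly beyond the article by accepting chain files stored as DER and a PFX that also carries its chain. It assumes openssl on the PATH, the PFX password exported in the PFXPASS environment variable (so it is not typed on the command line), and the placeholder file names used in main().

```shell
#!/bin/sh
# Added example (not from the original article and not IBM's kyrtool code):
# the OpenSSL half of the procedure above as reusable shell functions, plus
# sanity checks on the bundle before "kyrtool import all" sees it.
# Assumptions: openssl on PATH, PFX password exported in $PFXPASS, and the
# placeholder file names used in main() below.

# Print a certificate file as PEM whether it holds base64 PEM or binary DER
# (a .crt/.cer/.der extension says nothing about the encoding).
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cat "$1"
    else
        openssl x509 -in "$1" -inform der -outform pem
    fi
}

# Split a PFX into an unencrypted private key and the end-entity cert only.
# -passin env: keeps the password out of shell history; -clcerts drops any
# CA certs the PFX may also carry (they are appended in order later); the
# pkey/x509 round trip strips the "Bag Attributes" headers pkcs12 prints.
pfx_split() {
    ( umask 077
      openssl pkcs12 -in "$1" -passin env:PFXPASS -nocerts -nodes 2>/dev/null |
          openssl pkey -out "$2"
      openssl pkcs12 -in "$1" -passin env:PFXPASS -clcerts -nokeys 2>/dev/null |
          openssl x509 -out "$3" )
}

# Assemble the import file in the order kyrtool expects:
# private key -> server cert -> intermediate(s) -> root.
build_bundle() {
    out="$1" key="$2" crt="$3"
    shift 3
    ( umask 077
      { cat "$key" "$crt"; for c in "$@"; do to_pem "$c"; done; } > "$out" )
}

# Print from the Nth "BEGIN CERTIFICATE" line (1-based) up to the next one
# (or end of file). The key before the first cert is never included.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1"
}

# Check 1: the first PEM block must be the private key (kyrtool order).
key_first() {
    first=$(grep -- '-----BEGIN' "$1" | head -n 1)
    case "$first" in *"PRIVATE KEY-----") return 0 ;; esac
    return 1
}

# Check 2: the key must belong to the server cert. Both sides are reduced to
# their SubjectPublicKeyInfo in PEM and compared byte for byte.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || k=""
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || c=""
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: the chain inside the bundle must validate from the server cert
# through the intermediates to the last cert, which is used as the trust
# anchor. A bundle with fewer than two certificates has no chain at all.
chain_ok() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || n=0
    [ "$n" -ge 2 ] || return 1
    d=$(mktemp -d)
    nth_cert "$1" 1 > "$d/server.pem"
    nth_cert "$1" "$n" > "$d/root.pem"
    : > "$d/untrusted.pem"
    i=2
    while [ "$i" -lt "$n" ]; do
        nth_cert "$1" "$i" >> "$d/untrusted.pem"
        i=$((i + 1))
    done
    rc=0
    if [ -s "$d/untrusted.pem" ]; then
        openssl verify -CAfile "$d/root.pem" -untrusted "$d/untrusted.pem" \
            "$d/server.pem" >/dev/null 2>&1 || rc=$?
    else
        openssl verify -CAfile "$d/root.pem" "$d/server.pem" >/dev/null 2>&1 || rc=$?
    fi
    rm -rf "$d"
    return "$rc"
}

# Usage: PFXPASS=... sh pfx2kyrtxt.sh mydomain.com.pfx mydomain.com.txt inter.crt root.crt
main() {
    pfx="$1" out="$2"
    shift 2
    pfx_split "$pfx" mydomain.com.key mydomain.com.crt
    build_bundle "$out" mydomain.com.key mydomain.com.crt "$@"
    key_first "$out"        || { echo "bundle does not start with the private key" >&2; exit 1; }
    key_matches_cert "$out" || { echo "private key does not match the server cert" >&2; exit 1; }
    chain_ok "$out"         || { echo "certificate chain in bundle does not verify" >&2; exit 1; }
    echo "$out verified; next: kyrtool import all -k mydomain.com.kyr -i $out"
}
[ "$#" -eq 0 ] || main "$@"
```

The chain check deliberately uses the last certificate in the bundle as its only trust anchor rather than the system CA store, so a bundle that is missing an intermediate or ends in something other than the root fails here instead of failing later in kyrtool. The script leaves mydomain.com.key and the bundle in the working directory (mode 600); remove them once the keyring has been created, as step 7 below says.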

5. Create the new keyring:

Linux:
Notes:
Your path for the Notes or Domino install may be different.
Run kyrtool as the notes/domino user (e.g. mynotesid) and through the startup wrapper, which sets the library path so kyrtool can find libnotes.so. The create command writes both mydomain.com.kyr and the matching stash file mydomain.com.sth. The keyring password given with -p is visible in the process list while the command runs and stays in the shell history afterwards, so clear the history (or use a throwaway shell).
$ su mynotesid
$ cd /local/notesdata

$ /opt/ibm/domino/bin/tools/startup kyrtool =/local/notesdata/notes.ini create -k /local/notesdata/mydomain.com.kyr -p keyringpassword

6. Verify the final text file, then import it:
Verify first. kyrtool verify takes the PEM text file (not the keyring) and reports whether the private key and the certificate chain in it are complete and consistent:
$ /opt/ibm/domino/bin/tools/startup kyrtool =/local/notesdata/notes.ini verify /local/notesdata/mydomain.com.txt

Notes:
If you get an ELF message, "libnotes.so: wrong ELF class: ELFCLASS32", you copied the wrong build of kyrtool to the server (e.g. the 64-bit kyrtool onto a 32-bit Domino). This is typical of an older Traveler server from before Traveler went 64-bit, where the Domino server is still 32-bit.
If you get the error "libnotes.so: cannot open shared object file", you ran kyrtool directly. Run it through the startup wrapper, which sets the library search path.
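
As an added example (not from the article), here is a small portable check for the mismatch just described. It reads the EI_CLASS byte of the ELF header (offset 4: 1 means 32-bit, 2 means 64-bit) of the kyrtool binary and of libnotes.so and reports whether they agree, which tells you before the first run whether you copied the right build. The paths in the usage comment are assumptions about a typical Linux Domino layout; the file command would tell you the same thing interactively.

```shell
#!/bin/sh
# Added example (not from the original article): compare the ELF class of the
# kyrtool binary and libnotes.so so a 32/64-bit mismatch is caught before
# kyrtool fails with "wrong ELF class". Paths below are assumptions.

# Print 32, 64 or not-elf for a file, from the first five bytes of its header:
# 7f 45 4c 46 ("\177ELF") followed by EI_CLASS (01 = 32-bit, 02 = 64-bit).
elf_class() {
    magic=$(od -An -tx1 -N5 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo not-elf ;;
    esac
}

# Returns 0 when both files are ELF objects of the same class, 1 otherwise.
kyrtool_matches_libnotes() {
    a=$(elf_class "$1")
    b=$(elf_class "$2")
    [ "$a" != not-elf ] && [ "$a" = "$b" ]
}

# Example (assumed paths): the kyrtool copied into the Domino program
# directory and the libnotes.so it will load through the startup wrapper.
# kyrtool_matches_libnotes /opt/ibm/domino/notes/latest/linux/kyrtool \
#     /opt/ibm/domino/notes/latest/linux/libnotes.so \
#     || echo "kyrtool build does not match this Domino (32/64-bit mismatch)"
```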

If you are doing a renewal and built a file (mydomain.com.txt) that contains only the server certificate, the intermediate cert(s), and the root (no private key, because the key already in the keyring is being reused), ignore the "no key" error from verify. Also adjust the import command below so that you run "import certs" instead of "import all", which keeps the existing private key in the keyring.

Import:
$ /opt/ibm/domino/bin/tools/startup kyrtool =/local/notesdata/notes.ini import all -k /local/notesdata/mydomain.com.kyr -i /local/notesdata/mydomain.com.txt

7. Now remove mydomain.com.txt from the Domino data directory (or wherever you ran kyrtool); it holds the unencrypted private key.
$ rm /local/notesdata/mydomain.com.txt

Back up the working files from /home/myadminid/ and /local/notesdata/ to secure offline storage, then remove them from the server, if you did this on a server.
If you did this on a workstation, move mydomain.com.kyr and its stash file mydomain.com.sth together to the Domino server's data folder (/local/notesdata); Domino cannot open the keyring without the .sth file.

8. Configure SSL for the Domino server if not already done. (This is well documented in this support reference library and in the IBM documentation.)
9. Restart the Domino HTTP, SMTP, LDAP, and IMAP tasks so they pick up the new keyring. Verify that the new certificate is actually being served (in a browser, or with openssl s_client against each port) and that neither browsers nor the Domino console report errors with the new SSL keyring.


