Creating an easy to deploy SSL certificate in PEM format

When ordering a secure certificate, most often one has to deal with the following files:

  • certificate key file (aka private key): .key
  • certificate request file: .csr
  • primary certificate file (issued by the CA): .crt
  • certificate chain (aka intermediate certificate, or sf bundle): sf_bundle.crt

As a result, when deploying to a web server, it is necessary to configure three files: the key, the cert, and the trust chain. However, a little-known fact is that these can be combined into one “pem” file that holds all three. The trusted root certificate may optionally be included as well. Here is how:

  • download your certificates (your_domain_name.crt) from your NewPush Customer Portal.
  • paste the entire body of each certificate one by one into one text file in the following order:
    • domain.key
    • domain.crt
    • sf_bundle.crt

    Make sure to include the beginning and end tags on each certificate. The result should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The number of

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

sections depends on the length of the certificate trust chain.
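An added example (not from the original post) that checks the layout of the combined file before it is deployed: every BEGIN line must have its matching END line, the private key must come first, and everything after it must be a certificate. It needs only POSIX sh and awk; the bundle it runs on is constructed with placeholder bodies.

```shell
# Added example (not from the original post): check the block layout of a
# combined PEM file before deploying it. Needs only POSIX sh and awk.

pem_layout() {
    # Prints one label per PEM block, in file order; fails if a BEGIN line has
    # no matching END line (the copy-paste mistake the text warns about).
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN / {
            if (open != "") { print "ERROR: unterminated " open " block"; bad = 1 }
            open = $0; sub(/^-----BEGIN /, "", open); sub(/-----$/, "", open); next
        }
        /^-----END / {
            label = $0; sub(/^-----END /, "", label); sub(/-----$/, "", label)
            if (label != open) { print "ERROR: END " label " after BEGIN " open; bad = 1 }
            else print label
            open = ""; next
        }
        END {
            if (open != "") { print "ERROR: unterminated " open " block"; bad = 1 }
            exit bad
        }' "$1"
}

pem_bundle_check() {
    # Returns 0 when the file is "one private key, then one or more certificates"
    # and prints the certificate count (1 = server cert only; more = chain).
    layout=$(pem_layout "$1") || { printf '%s\n' "$layout" >&2; return 1; }
    case "$(printf '%s\n' "$layout" | head -n 1)" in
        *"PRIVATE KEY") ;;
        *) echo "first block must be the private key" >&2; return 1 ;;
    esac
    counts=$(printf '%s\n' "$layout" | tail -n +2 |
        awk '$0 == "CERTIFICATE" { c++ } $0 != "" && $0 != "CERTIFICATE" { o++ } END { print c+0, o+0 }')
    certs=${counts% *}; others=${counts#* }
    if [ "$certs" -lt 1 ] || [ "$others" -ne 0 ]; then
        echo "expected only CERTIFICATE blocks after the key" >&2; return 1
    fi
    echo "$certs"
}

# Demo on a constructed bundle (placeholder bodies, not real key material).
tmp=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' '-----END RSA PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$tmp"
echo "certificate blocks after the key: $(pem_bundle_check "$tmp")"
rm -f "$tmp"
```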


Domino 8.5 SSL Key Import Into Keyring File

Domino Server SSL Key Import

By default, the SSL key order process in the Domino Administrator assumes that only single-domain certificates are used. Hence, when you have a multi-domain (UCC) or a wildcard certificate, it has to be loaded into the keyring (a.k.a. kyr file) outside of the Domino Administrator.

The basic overview of the process is this:

  • Create a kyr (keyring) file to hold the keys.
  • Create a p12 (PKCS#12) file with the certificate that needs to be added to the keyring.
  • Add the p12 (PKCS#12) file to the keyring.
  • Install the new keyring on the Domino servers (mail, Traveler, Sametime, Quickr).

Domino Server PKCS#12 key generation and import

Create PKCS#12 from SSL KEY and CRT files

For this step I recommend working on Linux or AIX with openssl installed. Assuming that you have the certificate key, the CA-issued certificate, and the certificate chain all in the same directory, you can run the following command to generate the p12 file:

openssl pkcs12 -export \
-in certificate-from-CA.crt \
-inkey certificate-key-file.key \
-certfile root-ca-bundle.crt \
-out certificate-in-pkcs12-format.p12

Add PKCS#12 to Domino Server Kyr Keyring File

For this step I recommend working on the Sametime server under Linux or AIX. In theory, this should work, but in practice, I found that version 7 of the gsk tools doesn’t seem to be able to open kyr files. So you may need to skip ahead to the legacy Windows XP method, unless you can find the gsk5bas package on one of your older install media.

rpm -Uvh ${SAMETIME_CD_PATH}/SametimeEntryServer/GSKit/Linux/gsk7bas-7.0-4.28.i386.rpm
vi /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/java.security

Add the last provider to the list:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.spi.IBMCMSProvider

Remove the conflicting jar file:

mv /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.jar /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.removedjar-

Set the environment (JAVA_HOME must point at the Notes JRE):

export JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre

Domino Server Required Utilities for SSL Key Import (legacy Windows XP method)

  • Download and install IKEYMAN.
  • Open the kyr file in gsk5.
  • Import the p12 cert.
  • Save the new kyr file.

Domino Server SSL Key Management References

  • http://www.redbooks.ibm.com/redpapers/pdfs/redp0046.pdf
  • http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments
  • http://www.deadspace.de/?p=294
  • ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_SSL_Ikm_Guide.pdf
  • https://support.quovadisglobal.com/KB/a93/how-do-i-install-my-digital-certificate-into-lotus-notes.aspx
  • http://replay.waybackmachine.org/20081121002554/http://www.justinclarke.com/archives/2005/08/sending_smime_e.html
  • http://www.eulerhermes.com/en/documents/secure-email/ehcica_howto_import_lotus_notes_en.pdf/ehcica_howto_import_lotus_notes_en.pdf
  • http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.802.doc/Entry/st_adm_security_ssl_ikey_lin_t.html

For more information about Domino Server solutions, visit our collaboration section.


Verifying SSL Certificates

Problem

You have a few SSL cert files on your server, but you are not sure which one is the newest, or the right cert to use.

Solution

Look at the contents of a CSR:

openssl req -noout -text -in [domain_name].csr

Where [domain_name].csr is the name of the CSR file.

Look at the contents of a certificate:

openssl x509 -noout -text -in [domain_name].crt

Look at the MD5 fingerprint of a certificate:

openssl x509 -fingerprint -noout -in [domain_name].crt

Check the private key, the CSR, and the signed cert

To check that the private key, the CSR, and the signed cert belong to the same set, compare the MD5 hash of the modulus from each; all three outputs must be identical:

openssl rsa -noout -modulus -in [domain_name].key |openssl md5
openssl req -noout -modulus -in [domain_name].csr |openssl md5
openssl x509 -noout -modulus -in [domain_name].crt |openssl md5
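The three modulus commands above, scripted so the comparison is done for you, as an added example that is not from the original post. It assumes POSIX sh with openssl in PATH; the throwaway key, CSR and self-signed cert it demonstrates on (CN=example.test) are constructed on the fly, and a file openssl cannot read, or one without an RSA modulus, is reported rather than silently hashed as empty.

```shell
# Added example (not from the original post): script the three modulus
# commands so the comparison is done for you, and show it on a throwaway
# key/CSR/self-signed cert. Assumes POSIX sh with openssl in PATH.

modulus_md5() {
    # $1 = key | req | x509, $2 = file. Prints the MD5 of "Modulus=..." exactly
    # as the manual pipeline does. Fails (prints nothing) if openssl cannot read
    # the file or it holds no RSA modulus, so a bad file never "matches".
    mod=$(case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        req)  openssl req  -noout -modulus -in "$2" ;;
        x509) openssl x509 -noout -modulus -in "$2" ;;
    esac 2>/dev/null) || return 1
    case "$mod" in Modulus=?*) ;; *) return 1 ;; esac
    printf '%s\n' "$mod" | openssl md5 | awk '{ print $NF }'
}

ssl_set_matches() {
    # $1 key, $2 CSR, $3 certificate. Prints the three hashes and returns 0
    # only when all three agree.
    k=$(modulus_md5 key  "$1") || { echo "cannot read modulus from $1" >&2; return 2; }
    r=$(modulus_md5 req  "$2") || { echo "cannot read modulus from $2" >&2; return 2; }
    c=$(modulus_md5 x509 "$3") || { echo "cannot read modulus from $3" >&2; return 2; }
    printf 'key  %s\ncsr  %s\ncrt  %s\n' "$k" "$r" "$c"
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Demo: generate a throwaway set (constructed, CN=example.test) and check it,
# then show that a different key is rejected.
demo_key_cert_match() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/t.key" 2048 2>/dev/null
    openssl req -new -key "$d/t.key" -subj '/CN=example.test' -out "$d/t.csr" 2>/dev/null
    openssl x509 -req -in "$d/t.csr" -signkey "$d/t.key" -days 1 -out "$d/t.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    ssl_set_matches "$d/t.key" "$d/t.csr" "$d/t.crt" && echo "match: OK"
    ssl_set_matches "$d/other.key" "$d/t.csr" "$d/t.crt" || echo "other.key rejected: OK"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo_key_cert_match; else echo "openssl not found" >&2; fi
```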


How to add a secure cert to IIS on Windows

To add an SSL cert to IIS 5 on Windows, you need three separate steps:

  • Create a p12 (pkcs12) cert file:
cat server.key server.crt > server.pem
openssl pkcs12 -export -in server.pem -out server.p12 -name "server"

  • Import the p12 file into IIS:
Start->Run->mmc
Ctrl+M
Add...
Certificates
Computer Account
Finish
Close
OK
Open "Certificates (Local Computer)" tree
Right click Certificates
All Tasks->Import...
Browse to .p12 cert
Next
Next
Next
Finish

  • Select cert for site:
Open IIS Admin
Select properties of website
Select Directory Security Tab
Server Certificate...
Next
Assign existing cert
Next
Select Cert
Next
Next
Finish
Web Site tab
SSL Port 443
Apply
OK

If there is no separate IIS installation, the certificate can also be attached to the port from cmd:
Start / Run / cmd
List the certificates currently attached to ports:
netsh http show sslcert
Add a new certificate to a port:
netsh http add sslcert ipport=0.0.0.0:PORTNUMBER certhash=THUMBPRINT appid=GUID
PORTNUMBER: the ipport=0.0.0.0: part stays as is; only the port needs to be specified, for example:
ipport=0.0.0.0:443
THUMBPRINT: the thumbprint of the certificate. You can find it by double-clicking the certificate in the certificate store, selecting Details, and then “Thumbprint”. Use it without white space, for example: 42 b3 f1 c1 d1… becomes 42b3f1c1d1…
GUID: this should be generated with Guidgen.exe.

Example command: netsh http add sslcert ipport=0.0.0.0:443 certhash=42b3f1c1d1c1fg8dd81sd1 appid={CJKC07D-8D1D-CCSa-CS1s-VSF1CS1dsX}


Do you need a secure certificate (SSL/HTTPS) for your site?

A secure certificate (aka SSL cert) allows a web site to secure the connection between the web server and the visitor, protecting the users’ privacy and the confidentiality of the data. Technically, a secure certificate does the following two things:

  • Guarantees that the website you are looking at is truly the website you expect (to prevent “man in the middle” attacks)
  • Encrypts the connection so that third parties trying to “sniff” the data cannot read its contents

In order to begin timely processing of a secure certificate order we will need the following documentation:

Proof of Organization, which can be any of the following:

  • DUNS number (Dun and Bradstreet)
  • Articles of Incorporation or Business License
  • Doing Business As (DBA) registration
  • Sole Proprietorship documentation

Please note: Company name and addresses listed on these documents will need to match the current domain registration company name and address. You can look up your domain registration information here: http://opensrs.org/cgi-bin/whois.cgi

Please email, [email protected], or fax, 1-720-294-0933, the documents to us.