Revisit: Wildcard SSL certificate from P12/PFX file into Domino

Posted by:

The objective of this article is to provide an example on how to  do this with hopefully no discussions and no questions unanswered. Of course this example is based on a particular situation with a special certificate provider but can hopefully be translated to any other situation with other certificate authorities.
Wrote an earlier article, this is an update

Contents
1. Assumptions
2. What do I need
3. OpenSSL
4. Kyrtool
5. Syntax
6. Example
7. Implement the files on the server
8. Check out if it works
9. Important note
10. Conclusion

Assumptions:
Running Windows 64 bits (directory separator = \)
PFX file contains both certificate, intermediate and root certificates 
Domino server running 9.0.1 FP3

What do I need:
1. An exported P12/PFX file from in my case IIS, containing the wildcard certificate private key as well as the certification path to it.

2. OpenSSL:
Homepage: https://www.openssl.org/source/
Easy precompiled: https://slproweb.com/products/Win32OpenSSL.html
The one I used: https://slproweb.com/download/Win64OpenSSL-1_0_2g.exe

3. Kyrtool:
Fixcentral short: https://ibm.co/1SAYX5E
Fixcentral long: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

Syntax:
<ossldir> = Where you installed OpenSSL eg. C:\OpenSSL-Win64
<pfxdir> = Where you have placed your pfxfile
<pfxfile> = Name of your pfxfile eg. wildcard_acme_com.pfx
<pfxpassword> = Password to your pfxfile
<pemdir> = Where you have placed your pfxfile
<pemfile> = Name of your pfxfile eg. wildcard_acme_com.pem
<notespgmdir> = Notes or Domino program directory, minimum 9.0.1 FP3
(assumes that notes program directory is in your path, if not execute from program directory)
<kyrdir> = Directory where you want to put your kyrfile
<kyrfile> = Name of your kyrfile eg. wildcard_acme_com.kyr
<kyrpassword> = Password to your kyrfile

Check your pfx file:
<ossldir>\bin\openssl pkcs12 -info -in <pfxdir>\<pfxfile>
use <pfxpassword> when asked (nothing on PEM)

In general:
1. <ossldir>\bin\openssl pkcs12 -in <pfxdir>\<pfxfile> -out <pemdir>\<pemfile> -nodes -chain
use <pfxpassword> when asked (nothing on PEM)
2. <notespgmdir>\kyrtool create -k <kyrdir>\<kyrfile> -p <kyrpassword>
3. <notespgmdir>\kyrtool import all -k <kyrdir>\<kyrfile> -i <pemdir>\<pemfile>
Check in general:
1. <notespgmdir>\kyrtool show certs -k <kyrdir>\<kyrfile> >kyrcerts.txt
2. <notespgmdir>\kyrtool show keys -k <kyrdir>\<kyrfile> >kyrkeys.txt
3. <notespgmdir>\kyrtool show roots -k <kyrdir>\<kyrfile> >kyrroots.txt

Example:
1. C:\OpenSSL-Win64\bin\openssl pkcs12 -in C:\mypfxfiles\wildcard_acme_com.pfx -out C:\mypemfiles\wildcard_acme_com.pem -nodes -chain
use <pfxpassword> when asked
2. C:\IBM\Lotus\Domino\kyrtool create -k C:\mykyrfiles\wildcard_acme_com.kyr -p password
3. C:\IBM\Lotus\Domino\kyrtool import all -k C:\mykyrfiles\wildcard_acme_com.kyr -i C:\mypemfiles\wildcard_acme_com.pem
Check sample:

1. C:\IBM\Lotus\Domino\kyrtool show certs -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrcerts.txt
2. C:\IBM\Lotus\Domino\kyrtool show keys -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrkeys.txt
3. C:\IBM\Lotus\Domino\kyrtool show roots -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrroots.txt

Implement the files on the server
1. Copy kyr file and the associated sth file to the server
2. Add the kyrfile name to your internet sites document or server document depending how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart your http task on the server, use sh ta onl and check that http listens to both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Important note:
Following this means that especially the pem file is unprotected, therefore make sure that keep it in a safe place during this and maybe deleting it afterwards. Same goes for kyrfile (you can not delete them but keep them as safe as you can) as they contain private key.

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.

Link to this document: https://stage.infoware.com/?p=7226

 

2

Comments

  1. Pontus Wennergren  March 15, 2020

    Kyrtool.exe can no longer be downloaded separatly, it is now part of the Domino server installment.

    reply
    • Mats  May 28, 2020

      That is bad I think
      It could be part of admin client

      reply

Add a Comment