Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

First look at a new free Domino SSL certificate tool

By Andrew Pollack on 12/01/2014 at 05:19 PM EST

I've coded something that I plan to release to the community if there is enough interest. It's designed to make the process of getting SHA2 certificates a little easier. I've had to request a fair number of these recently; the command line stuff is tedious, and it's easy to make mistakes or misplace the various files. This tool uses the same steps as the process IBM documents and the same tools. You still have to install OpenSSL and the kyrtool update on your 9.x Admin client machine. The tool checks to make sure all this is in place before it tries to do anything. Essentially, this is just a front end for a scripting tool.

This screen shot represents a "working prototype" -- and if there is enough interest, I'll finish cleaning it up, make it a little prettier, and then release it.

Workflow is like this:

1. Fill in the various CA required fields.

2. Click "Generate CSR" -- at this point, the keypair is generated and a certificate request is generated. The CSR is placed in a text field labeled "CSR".

3. Copy the text in the CSR and give it to your SSL provider. Go through their validation process.

4. The SSL provider will give you back your certified "Leaf" certificate, their CA trusted root certificate, and often one or more "intermediate certificates". You paste each of these into the labeled text fields.

5. Click "Generate Keyring"

6. Domino's KYR and STH files are created. They'll be saved as file attachments to this main document. You can then deploy them.
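An added example, not code from the tool described in this post: a pre-flight check a front end like this could run on the pasted fields before step 5. It catches a CSR pasted where the leaf certificate belongs or a whole chain pasted into a single-certificate field, then writes the blocks out as key, leaf, intermediates, root. The function names, the accepted key labels, the cap of eight intermediates and that output order are assumptions, and the check is structural only (it does not parse X.509).

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}  # assumed set of acceptable key types
CERT = {"CERTIFICATE"}

def pem_blocks(text):
    """Return (label, normalised PEM) for each block found in pasted text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        # validate=True rejects stray characters left over from e-mail or web copies
        raw = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(raw).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append((label, "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])))
    return blocks

def expect(field, text, allowed, min_n=1, max_n=1):
    """Check one form field holds only the allowed block types, in the allowed count."""
    blocks = pem_blocks(text)
    for label, _ in blocks:
        if label not in allowed:
            raise ValueError(f"{field}: unexpected {label} block")
    if not min_n <= len(blocks) <= max_n:
        raise ValueError(f"{field}: expected {min_n}-{max_n} blocks, found {len(blocks)}")
    return [pem for _, pem in blocks]

def build_keyring_input(key, leaf, intermediates, root):
    """Assemble key, leaf, intermediates, root in that (assumed) order."""
    parts = expect("key", key, KEY_LABELS)
    parts += expect("leaf", leaf, CERT)
    parts += expect("intermediates", intermediates, CERT, 0, 8)  # 8 is an arbitrary cap
    parts += expect("root", root, CERT)
    if len(set(parts)) != len(parts):
        raise ValueError("the same block was pasted into more than one field")
    return "\n".join(parts) + "\n"

def sample_pem(label, payload):
    """Constructed placeholder with CRLF and indentation; payload is not real DER."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\r\n  {b64}\r\n-----END {label}-----\r\n"

if __name__ == "__main__":
    print(build_keyring_input(
        sample_pem("PRIVATE KEY", b"k" * 48),
        sample_pem("CERTIFICATE", b"leaf" * 30),
        sample_pem("CERTIFICATE", b"int1" * 30) + sample_pem("CERTIFICATE", b"int2" * 30),
        sample_pem("CERTIFICATE", b"root" * 30)))
```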

I like the idea of using a single document for this and keeping all the parts on that document so that if you need to you can always re-generate the files. It also makes it easy to find them in the database by subject name.

Tell me what you think.




re: First look at a new free Domino SSL certificate tool By Ursus Schneider on 12/02/2014 at 02:42 AM EST
sound very interesting - hate doing the stuff via the command line. well done
:o) I, for one, would be interested in the tool. Thank you for all your hard
work!
re: First look at a new free Domino SSL certificate tool By Marcus on 12/02/2014 at 03:29 AM EST
as you said .. I used command line and had some typo. Your tool will decrease
my wasted time with kyrtool and openssl. Thanks
re: First look at a new free Domino SSL certificate tool By David on 12/02/2014 at 03:58 AM EST
This sounds like a superb tool, well done. One small request though... as I
manage a number of SSL certificates, all from the same provider, it would be
useful to be able to save the root and intermediate certificates for future
re-use, so I can just apply them all with 'one hit'
re: First look at a new free Domino SSL certificate tool By Jens on 12/02/2014 at 04:50 AM EST
Cool idea. I would also like this tool :-). So please make it public.
re: First look at a new free Domino SSL certificate tool By Lars on 12/02/2014 at 05:46 AM EST
Great idea. I could definitely use a tool like this to take the "hassle" with
different text files and order of certificates out of the process. Please make
it public. :-)

By the way. Would it be possible for this tool to provide an interface for
working with a certificate not issued to a Domino?... Something that we often
meet with wildcard certificates that are issued to IIS or Apache servers and
then have to be "ported" to a kyr file.
re: First look at a new free Domino SSL certificate tool By Lee on 12/02/2014 at 06:07 AM EST
Great stuff! Exactly what I was looking for.
re: First look at a new free Domino SSL certificate tool By Thorsten on 12/02/2014 at 07:06 AM EST
Such a tool would be great!!
re: First look at a new free Domino SSL certificate tool By Bill Kron on 12/02/2014 at 10:12 AM EST
Yes, please! :-)
re: First look at a new free Domino SSL certificate tool By Richard Fenwick on 12/02/2014 at 10:56 AM EST
I think this is a good idea... something IBM should have released with hotfix
for 9.0.1 FP2
re: First look at a new free Domino SSL certificate tool By Andrew Pollack on 12/02/2014 at 11:08 AM EST
I think it's something that it would be nice for IBM to release in a future
fixpack or in 9.0.2 -- but I think it was smart to roll out what they could the
minute they could in this case.
re: First look at a new free Domino SSL certificate tool By Ray Bilyk on 12/02/2014 at 01:23 PM EST
Nice job! I'd be very interested...
re: First look at a new free Domino SSL certificate tool By Oliver Busse on 12/02/2014 at 01:26 PM EST
Would love to see this as an OpenNTF project!
Thanks for sharing & drop me a note if you have any questions on how to add it
on OpenNTF :)
re: First look at a new free Domino SSL certificate tool By Andreas on 12/03/2014 at 02:11 AM EST
Excellent idea and thank you for the effort taken. Since I am a wrongtyper, I
really would like this tool.
re: First look at a new free Domino SSL certificate tool By Hubertus on 12/03/2014 at 03:30 PM EST
Yes, this will be very helpful. I hate command line tools too. Please go ahead
;-)
re: First look at a new free Domino SSL certificate tool By Martin on 12/04/2014 at 11:20 AM EST
This add-on tool would be welcome. It's not only convenient, but it adds quality
in terms of transparency and a basic protocol feature.
re: First look at a new free Domino SSL certificate tool By Carsten on 12/06/2014 at 10:02 AM EST
It would ease the life. I am very interested in it!

