Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for Domino

By Andrew Pollack on 11/10/2014 at 03:48 PM EST

I went through the process to understand what IBM is saying in their patch information -- and while it's valid, it's also harder than it needs to be (IMCO) for people already used to doing things the Domino way. If you're already familiar with using the server certification database to create the keyring and make the certificate request certificate (CSR) you can keep using it. This is also helpful if you already have a SHA1 based certificate and you just want to re-issue.

Note: This resolves the browser warnings about SHA1 certificates that have already started, and covers the published use cases from now until sometime in Q1, 2015. Starting in Q1 2015 you will need not only the SHA2 certificates but also an SHA2 public/private keypair. Using a new SHA2 certificate with an old SHA1 keypair will result in a "Secure with minor errors" indicator on the status bar of the browser starting then. Fixing that means generating a whole new keyring and right now the certificate database cannot do that using the new protocol. To do that, you'll need to use steps 1 and 2 in IBM's full list of steps. Hopefully that will change as newer versions of the certificate database tool are created. The kyrtool.exe seems to be able to create a new keyring but it cannot seem to create a certificate request directly. You'll need to use openSSL for that so you may as well use it for both of those steps then import it into a Domino style keyring using the kyrtool.

So, here's what you need, at a minimum right now.

1. Make sure your Domino server is at least version 9.0 (preferably 9.0.1 Fix Pack 2 with the 901FP2HF installed) and your Notes Admin Client is 9.0.1 Fix Pack 2 with 901FP2HF installed
* You can get the fix packs and hot fixes from IBM fix cental.

2. Download the new KyrTool from IBM. Copy the 32 bit windows version to your Notes Admin Client program directory.

3. Use the same process you always have to create a certificate request and get your ssl certificate form your ssl provider.
* This process will let you use an SHA2 certificate but does not result in you having an SHA2 encrypted private key.


** When the provider issues the new certificate, DO NOT use the certificate database to import it. That won't work (yet). Instead, you take these steps from the OS prompt

4. Copy your keyring and password files from the server to a temp location (e.g. c:\temp\mykeyring-sha2version.kyr, c:\temp\mykeyring-sha2version.sth)

5. Copy the certificate and any root and intermediate certifiers provided by the SSL povider to that directory.

6 Import the root certificate and any intermediate certificates into the keyring (try to go in order, top level first)

C:\NOTES>  kyrtool.exe import roots -i c:\temp\carootcert.crt -k c:\temp\mykeyring-sha2version.kyr
C:\NOTES>  kyrtool.exe import roots -i c:\temp\caIntermediate1.crt -k c:\temp\mykeyring-sha2version.kyr
C:\NOTES>  kyrtool.exe import roots -i c:\temp\caIntermediate2.crt -k c:\temp\mykeyring-sha2version.kyr

7. Import the new certificate from the SSL provider into the keyring

C:\NOTES>  kyrtool.exe import certs -i c:\temp\newcertificate -k c:\temp\mykeyring-sha2version.kyr

8. Copy the new keyring and password files to the server and start using them.


There are  - loading -  comments....

re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Howard on 11/10/2014 at 04:55 PM EST
Hi Andrew, thanks, so, is there any downside to the issue you noted in step 3
about the private cert not being encrypted with SHA-2?

Howard
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Andrew Pollack on 11/10/2014 at 05:12 PM EST
Not today, Howard - but starting in Q1 2015, Chrome and some other browsers
will start indicating that the site is "secure with minor errors" if there is
an sha1 certificate anywhere in the chain, including the base key pair.

This won't be the same huge glaring error they'll start using at that time for
sha1 end point leaf certificates (the red line crossing out https) that will
indicate "Not Secure" but rather just the little yellow triangle you get, just
like if you have an image resource that is coded to use http rather than https.
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Howard on 11/10/2014 at 05:30 PM EST
So, if you just create a new key using the instructions from IBM that you
referenced do you have this issue? thanks,
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Andrew Pollack on 11/10/2014 at 06:31 PM EST
No, If you have access to openSSL already, and you're not just re-issuing from
a previous CSR to the existing keyring and original certificate, you're best
off generating the whole thing new using the better encryption.

The issue is that some ssl certificate providers will want to charge for a new
certificate in that case.
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Howard on 11/11/2014 at 09:20 AM EST
I see, so, you just use your old kyr file and request a new csr using the
Domino certreq and don't use OpenSSL at all.

I will have to check to check with my provider to see what they need to do a
reissue.

Howard
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Dan Silva on 11/11/2014 at 09:17 AM EST
Hi Andrew, can you confirm those Interim Fixes numbers? AFAIK there's no IF3
for Domino 9.0.1 FP2.

Thanks,
Dan
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Andrew Pollack on 11/11/2014 at 09:19 AM EST
Sorry, that should be "HF" (for the POODLE/SSLv3 Hot Fix)

I'll change it in the main article. Thanks.
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Ken Cook on 11/14/2014 at 03:30 AM EST
Hi Andrew, I have a strange one, my customer has already requested and recieved
SHA-2 certs from Entrust, using IIS7 ... now when I concatenate the RSA keypair
with the certs in the right order and verify it using kyrtools, it shows ...
Successfully read 4096 bit RSA private key
INFO: Successfully read 4 certificates
ERROR: Private key does not match leaf certificate
Then 4 lines of INFO with the cert connections all ok ...
Is this because the CSR wasn't created using Domino's method or something else?
Also if a self-signed cert is used will this look and act the same in browsers
when the new SHA-2 checking is enabled next year?
Thanks
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Andrew Pollack on 11/14/2014 at 06:23 AM EST
The CSR probably wasn't created from the base key pair you're using. You start
with a specific public/private keypair, and generate the CSR using that plus
your request parameters. If you import a certificate that was made from a CSR
that was itself not made from your private key, it won't work. It could also
be that you're not using Domino 9.
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Ken Cook on 11/16/2014 at 04:33 PM EST
I'm using Domino 9 with IF1 for TLS & SHA-2 support & my Admin client has the
IF too ... Entrust say it won't work either if CSR is from IIS7 ... So I'll
create a new CSR using Domino ... Thanks
Any comment on my 2nd question re using self-signed certs?
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Niel Revelle on 12/12/2014 at 02:31 PM EST
I'm getting the same error "Private key does not match leaf certificate". I'm
using GoDaddy for my SSL provider. Anyone found a solution to this?
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Don on 02/25/2017 at 06:41 PM EST
I know it's been a few years since you post, but I'm experiencing difficulties
with getting a cert from GoDaddy as well. Did you ever find a solution?

C:\Lotus\Notes>kyrtool verify c:\ssl\schreiberweb.txt


KyrTool v1.1

Successfully read 4096 bit RSA private key
INFO: Successfully read 3 certificates
ERROR: Private key does not match leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: Final certificate in chain is self-signed


C:\Lotus\Notes>kyrtool import all -k c:\ssl\stikeyring.kyr -i
c:\ssl\schreiberweb.txt

Using keyring path 'c:\ssl\stikeyring.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
SECIssUpdateKeyringLeafCert succeeded

C:\Lotus\Notes>kyrtool import all -k c:\ssl\stikeyring.kyr -i
c:\ssl\schreiberweb.txt

Using keyring path 'c:\ssl\stikeyring.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
SECIssUpdateKeyringLeafCert succeeded


C:\Lotus\Notes>kyrtool show keys -k c:\ssl\stikeyring.kyr

Using keyring path 'c:\ssl\stikeyring.kyr'

Error 0x0E59 reading keypair from keyfile c:\ssl\stikeyring.kyr

One possible cause of this failure is that the API used for this
command only returns keys if they have a certificate.


Certificate, private key or CRL was not found
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Khandakar Amir Faisal on 01/20/2015 at 05:51 AM EST
How do you create the mykeyring-sha2version.kyr keyring? Can you give us an
explanation?
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Lophney on 03/20/2015 at 06:59 PM EDT
Thanks for the greatly simplified use of this incredibly cryptic tool
re: Simplified explanation and steps for upgrading to SHA-2 encrypted SSL certificates for DominoBy Toby J H on 02/23/2016 at 01:19 PM EST
Here's a tip, and an oddity, the first two root certificates, when we added
them, kyrtool did not give any feedback. When we used it however we discovered
only the first root was successful, the second was not. We went through the
whole process again, no feedback on the first cert, but the second this time
said successful. This time, all intermediate certs were successful. No typos,
etc. So, if it does not work, just do it again, I guess.


Other Recent Stories...

  1. 05/05/2016Is the growing social-sourced economy the modern back door into socialism?Is the growing social-sourced economy the modern back door into socialism? I read a really insightful post a couple of days ago that suggested the use of social network funding sites like “Go Fund Me” and “Kickstarter” have come about and gained popularity in part because the existing economy in no longer serving its purpose for anyone who isn’t already wealthy. Have the traditional ways to get new ventures funded become closed to all but a few who aren’t already connected to them and so onerous as to make ...... 
  2. 04/20/2016Want to be whitelisted? Here are some sensible rules for web site advertisingAn increasing number of websites are now detecting when users have ad-blocking enabled, and refuse to show content unless you "whitelist" their site (disable your ad-blocking for them). I think that is a fair decision on their part, it's how they pay for the site. However, if you want me (and many others) to white list your site, there are some rules you should follow. If you violate these rules, I won't whitelist your site, I'll just find content elsewhere. 1. The total space taken up by advertisements ...... 
  3. 12/30/2015Fantastic new series on Syfy called “The Expanse” – for people who love traditional science fiction[] “The Expanse” is a new science fiction series being broadcast onthe Syfy channelthis winter. It’s closely based on a series of books by author James S. A. Corey beginning with “Leviathan Wakes”. There are 5 books in the “Expanse” series so far. If you’re a fan of the novels you’ll appreciate how closely the books are followed.TIP: The first five episodes are already available on Syfy.com. If you’re having trouble getting into the characters and plot, use those to get up to speed.The worlds created for ...... 
  4. 10/20/2015My suggestion is to stay away from PayAnywhere(dot)com  
  5. 08/07/2015Here is one for you VMWARE gurus - particularly if you run ESXi without fancy drive arrays 
  6. 08/06/2015The Killer of Orphans (Orphan Documents) 
  7. 06/02/2015Homeopathic Marketing: Traveler on my Android is now calling itself VERSE. Allow me to translate that for the IBM Notes community... 
  8. 03/17/2015A review of British Airways Premium Economy Service – How to destroy customer goodwill all at once 
  9. 02/26/2015There's a bug in how @TextToTime() and @ToTime() process date strings related to international standards and browser settings. 
  10. 01/21/2015Delivering two new presentations at Developer Camp (EntwicklerCamp) 2015 in Germany 
Click here for more articles.....


pen icon Comment Entry
Subject
Your Name
Homepage
*Your Email
* Your email address is required, but not displayed.
 
Your thoughts....
 
Remember Me  

Please wait while your document is saved.