|Professional Services||Second Signal||Presentations||Andrew's Blog||Support|
I went through the process to understand what IBM is saying in their patch information -- and while it's valid, it's also harder than it needs to be (IMCO) for people already used to doing things the Domino way. If you're already familiar with using the server certification database to create the keyring and make the certificate request certificate (CSR) you can keep using it. This is also helpful if you already have a SHA1 based certificate and you just want to re-issue.
Note: This resolves the browser warnings about SHA1 certificates that have already started, and covers the published use cases from now until sometime in Q1, 2015. Starting in Q1 2015 you will need not only the SHA2 certificates but also an SHA2 public/private keypair. Using a new SHA2 certificate with an old SHA1 keypair will result in a "Secure with minor errors" indicator on the status bar of the browser starting then. Fixing that means generating a whole new keyring and right now the certificate database cannot do that using the new protocol. To do that, you'll need to use steps 1 and 2 in IBM's full list of steps. Hopefully that will change as newer versions of the certificate database tool are created. The kyrtool.exe seems to be able to create a new keyring but it cannot seem to create a certificate request directly. You'll need to use openSSL for that so you may as well use it for both of those steps then import it into a Domino style keyring using the kyrtool.
So, here's what you need, at a minimum right now.
1. Make sure your Domino server is at least version 9.0 (preferably 9.0.1 Fix Pack 2 with the 901FP2HF installed) and your Notes Admin Client is 9.0.1 Fix Pack 2 with 901FP2HF installed
* You can get the fix packs and hot fixes from IBM fix cental.
2. Download the new KyrTool from IBM. Copy the 32 bit windows version to your Notes Admin Client program directory.
3. Use the same process you always have to create a certificate request and get your ssl certificate form your ssl provider.
* This process will let you use an SHA2 certificate but does not result in you having an SHA2 encrypted private key.
** When the provider issues the new certificate, DO NOT use the certificate database to import it. That won't work (yet). Instead, you take these steps from the OS prompt
4. Copy your keyring and password files from the server to a temp location (e.g. c:\temp\mykeyring-sha2version.kyr, c:\temp\mykeyring-sha2version.sth)
5. Copy the certificate and any root and intermediate certifiers provided by the SSL povider to that directory.
6 Import the root certificate and any intermediate certificates into the keyring (try to go in order, top level first)
C:\NOTES> kyrtool.exe import roots -i c:\temp\carootcert.crt -k c:\temp\mykeyring-sha2version.kyr
C:\NOTES> kyrtool.exe import roots -i c:\temp\caIntermediate1.crt -k c:\temp\mykeyring-sha2version.kyr
C:\NOTES> kyrtool.exe import roots -i c:\temp\caIntermediate2.crt -k c:\temp\mykeyring-sha2version.kyr
7. Import the new certificate from the SSL provider into the keyring
C:\NOTES> kyrtool.exe import certs -i c:\temp\newcertificate -k c:\temp\mykeyring-sha2version.kyr
8. Copy the new keyring and password files to the server and start using them.
Please wait while your document is saved.