HCL Notes/Domino 8.5 Forum (includes Notes Traveler)
Workaround for startssl and Domino

Hi,

I don’t know if you still need it but here is my workaround to get a StartSSL free certificate in Domino.

I use OpenSSL on my Linux server to create a new certificate:
Here are the commands I used to create a key and a CSR file:
* openssl genrsa -des3 -out keyfile.key 2048
* openssl req -new -key keyfile.key -out request.csr (answer the usual questions)

Request the certificate at StartSSL with the CSR file.

With your new cert file, you have to create a PKCS#12 (.p12) key file using openssl:
* openssl pkcs12 -export -in cert.crt -inkey keyfile.key -out cert.p12

Create a new keyring (.kyr) file using the certsrv.nsf database, using the SAME information as the Linux certificate.

Import the StartSSL Root certificate into the key ring file:
Get the "ca.pem" certificate and Merge it into your kyr file.
Get the "Sub Class 1" certificate and Merge it into your kyr file.

Now the tricky part…
To import the .p12 file into a Domino keyring, you need GSK5-iKeyMan. I used the one linked on the “Turtle Partnership Blog” from the first post: (ftp://ftp.software.ibm.com/software/lotus/tools/Domino/gsk5-ikeyman.zip)
(This tool might not work on Windows Vista and newer OSes; it’s working on 2003.)
Extract the gsk5-ikeyman.zip file into a directory that has no spaces in the name.
Start the command line shell (cmd), change directory to the directory where you extracted gsk5.
Execute the following command: gskregmod.bat Add
Run IKeyman by executing: runikeyman.bat
Open the keyfile.kyr file that we created earlier and enter the keyring password.
Select Personal certificates and click Import
Select the certificate file (.p12) and enter the certificate's password.
Shut down IKeyman and copy the keyfile.kyr and matching keyfile.sth to your Domino server's data directory.

Configure your Domino server to use this keyring file and restart the http task (or restart Domino).


*** Weird thing… When I tried to import my “www.mydomain.com” PKCS key into my keyring, I got a bad p12 certificate error from gsk5. Everything went well with my 3 other “test” keyrings. To test my keyring, I imported my “test.p12” file into my “www” keyring and it worked. I then retried to import my “www.p12” into the keyring and it was now ok. I removed the “test” certificate from the keyring. I noticed that my “www.crt” was not the same size as my test.crt file… maybe something is missing in the www one!!!!
(I hope I’m clear enough ;-)

With this procedure, I can even import any of my existing certificates into a keyring.

Have a nice free SSL testing!!! :-)

Pat


Feedback response number WEBB8H8UMU created by ~Frank Xantumi on 05/26/2011

SSL certificate for Domino with SHA... (~Keiko Xanhipiv... 22.Mar.10)
. . I have the same problem (~Wei Fezjumizen... 18.Feb.11)
. . . . Workaround for startssl and Domino (~Frank Xantumi 26.May.11)
. . . . . . Signed certificate import error (~Phil Brerester... 11.May.12)
. . . . . . . . Import Ok for me in 2048bit (~Frank Xantumi 19.May.12)
. . . . . . . . Workaround for startssl (~Hank Kirelitgo... 20.Oct.12)