Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Previous Document Next Document

The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

Thomas Hampel
 7 May 2014

Setting up SSL in Domino using Self Signed Certificates is easy, one can choose between SSL using Domino as Certificate Authority or setting up SSL in Domino using the CA Process or even using an IBM HTTP Server in front of Domino
Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....

When working with self signed certificates in Domino, the product documentation wont tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512byte, which is not enough for modern browsers nor for Internet Explorer 9 (or above), see
http://technet.microsoft.com/en-us/security/advisory/2661254
Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

So lets get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also change the default validation time to be configurable.

1. Open the csrv50.ntf in Domino Designer

or if you wish, create a new database from this template and modify the new database instead.

2.. Edit the form "CertAdminCreateKeyringWithSelfCert"

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

in this form we are going to add two new fields to this form, the result should look like this:

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

2.1. Add a new field "KeySize"

Hint: You can copy the field "KeySize" from another form called "CertAdminCreateKeyring"

2.2. Change the field properties of "KeySize" to be 1024 & 2048,

there should be no need to create keys with any lower key length anymore.

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

2.3. Make sure to set a default value for the field "KeySize"

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

2.4 Add a field "ValidFor", as an editable text field

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

2.5. Make sure to set a default value for the field "ValidFor",

in this example its 2 years (=730 days)

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

2.6. Define an Input Validation formula

this is to make sure no empty string is returned. Remark: Yes, I know we could have used a field of type number for better validation...
The formula used here is :  @If(ValidFor = "";@Failure("You must define for how long the certificate will be valid");@Success)

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

2.7. Modify the Script behind the Button "Create Key Ring with Self-Certified Certificate"

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

and add the following piece of code just before the line "KeyRingFileName$ = FixFileName...."

'# allow custom expiration length
ValidFor$ = doc.GetItemvalue ("ValidFor")(0)
CmdArgs = CmdArgs & |ValidDays=| & ValidFor$ & |;|

'# allow custom key size
KeySize$ = doc.GetItemValue ("KeySize")(0)
CmdArgs = CmdArgs & |KeySize=| & KeySize$ & |;|


The result should somewhat look like this:

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

2.8 Save the modifcations made above and close the form.


From a technical point this is already enough to create new self signed certificates with an higher key length,
However, we want to display the results correctly, so some further modifications are required in order not to confuse the admin when results are displayed.

3.  Edit the form "DlgConfirmCreateSelfCert"

This is the dialog box which displays the result when the certificate has been created

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

3.1 Change the formula in the field "EndDate"

from : @Adjust( @Today;1;0;0;0;0;0 )
to : @Adjust( @Today;0;0;@TextToNumber(ValidFor);0;0;0 )

the result should look like this.

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

3.2 Save and close the form.


4. Testing

Now that all the required modifications are done, lets try to create a new certificate...

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino
....of course for using the certificate in production you should use a stronger key ring password than me in this example,
and the "Common Name" would of course be the fully qualified URL of the Domino server

Hint: if you forgot the password, see this blog post on how to
recover your Domino SSL Keystore password

A few seconds after clicking on "Create Key ring with Self-Certified Certificate", this prompt should appear, confirming the key ring has been created.

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

5. Verification


5a) One option to view the result is to use the same Domino Server Certificate Administration database "View & Edit Key Rings"
just click "Select Key Ring to Display" and specifiy the file name....

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino
Next, enter the key ring file password, and double click the KeyPair...

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino
...to see the results

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

5b) another option is to use (an old version of) the iKeyman utilty which is capable of reading the *.kyr file format.

This version will work just fine.... opening the *.kyr file should display details like this
Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

6. Using the newly created certificates

Configure the Domino server to use the SSL certificates:
6.1. Copy the key ring files created previously into the Data directory of the Domino server. You might want to use a subdirectory like "keyfiles\" .
6.2. Open the Server document for this server. Go to the Ports -> Internet Ports tab.
6.3. If necessary, change the entry in the SSL key file name field to reflect the name of the server key ring file, include the path & file name relative to the Domino Data directory.
6.4. Make sure that SSL port status is set to enabled. Optionally, to force SSL to be used for all connections, change "TCP/IP Port Status" to "Redirect to SSL."
6.5. Save and close the Server document.
6.6. Restart the HTTP task at the server console.

7. See the SSL Certificate in a web browser of your choice

Navigate to the URL (or IP address) of the Domino server.
For a self signed certificate you'll see a warning like this...

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

6.1 Check the certificate

Within the security warning above, open the section "I understand the Risks" and click the button "Add Exception" and click "View Certificate"

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino
Within the details of the certificate you should be able to see the correct names and key strength details:

Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

Summary

With the modifications made above, creating self signed certificates with extended lifetime and a key size of up to 2048 bit is not a problem anymore.

Of course there is a lot more to say about SSL in Domino, for now lets conclude with
Notes Sensei's words : YMMV

References:
Tagged with: Best Practice Domino How-To SSL
Comments

1.) The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

Vladislav Tatarincev http://www.vlaad.lv 07.05.2014 9:46:48

Thanks! great job, hope template will be updated, to proper key length. :)

great article.

2.) The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

Stephan H. Wissel http://www.wissel.net/ 08.05.2014 19:05:27

The article nicely describes strong self signed certificates. However they can be quite a headache when playing with mobile devices. So I usually recomment to create your own CA (using OpenSSL command line tools) and then based on that an SSL certificate. You then can import the CA's public root certificate into browsers and mobile devices of your intendet audience (works well for corporate apps) and no scary message pops up

3.) Comment

Laszlo Gabor Nagy http:// 10.02.2015 10:07:44

Another excellent document, thx!

Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.