The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino
Thomas Hampel
7 May 2014Setting up SSL in Domino using Self Signed Certificates is easy, one can choose between SSL using Domino as Certificate Authority or setting up SSL in Domino using the CA Process or even using an IBM HTTP Server in front of Domino
Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....
When working with self signed certificates in Domino, the product documentation wont tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512byte, which is not enough for modern browsers nor for Internet Explorer 9 (or above), see http://technet.microsoft.com/en-us/security/advisory/2661254
So lets get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also change the default validation time to be configurable.
1. Open the csrv50.ntf in Domino Designer
or if you wish, create a new database from this template and modify the new database instead.
2.. Edit the form "CertAdminCreateKeyringWithSelfCert"
in this form we are going to add two new fields to this form, the result should look like this:
2.1. Add a new field "KeySize"
Hint: You can copy the field "KeySize" from another form called "CertAdminCreateKeyring"
2.2. Change the field properties of "KeySize" to be 1024 & 2048,
there should be no need to create keys with any lower key length anymore.
2.3. Make sure to set a default value for the field "KeySize"
2.4 Add a field "ValidFor", as an editable text field
2.5. Make sure to set a default value for the field "ValidFor",
in this example its 2 years (=730 days)
2.6. Define an Input Validation formula
this is to make sure no empty string is returned. Remark: Yes, I know we could have used a field of type number for better validation...
The formula used here is : @If(ValidFor = "";@Failure("You must define for how long the certificate will be valid");@Success)
2.7. Modify the Script behind the Button "Create Key Ring with Self-Certified Certificate"
and add the following piece of code just before the line "KeyRingFileName$ = FixFileName...."
'# allow custom expiration length
ValidFor$ = doc.GetItemvalue ("ValidFor")(0)
CmdArgs = CmdArgs & |ValidDays=| & ValidFor$ & |;|
'# allow custom key size
KeySize$ = doc.GetItemValue ("KeySize")(0)
CmdArgs = CmdArgs & |KeySize=| & KeySize$ & |;|
The result should somewhat look like this:
2.8 Save the modifcations made above and close the form.
From a technical point this is already enough to create new self signed certificates with an higher key length,
However, we want to display the results correctly, so some further modifications are required in order not to confuse the admin when results are displayed.
3. Edit the form "DlgConfirmCreateSelfCert"
This is the dialog box which displays the result when the certificate has been created
3.1 Change the formula in the field "EndDate"
from : @Adjust( @Today;1;0;0;0;0;0 )
to : @Adjust( @Today;0;0;@TextToNumber(ValidFor);0;0;0 )
the result should look like this.
3.2 Save and close the form.
4. Testing
Now that all the required modifications are done, lets try to create a new certificate...
....of course for using the certificate in production you should use a stronger key ring password than me in this example,
and the "Common Name" would of course be the fully qualified URL of the Domino server
Hint: if you forgot the password, see this blog post on how to recover your Domino SSL Keystore password
A few seconds after clicking on "Create Key ring with Self-Certified Certificate", this prompt should appear, confirming the key ring has been created.
5. Verification
5a) One option to view the result is to use the same Domino Server Certificate Administration database "View & Edit Key Rings"
just click "Select Key Ring to Display" and specifiy the file name....
Next, enter the key ring file password, and double click the KeyPair...
...to see the results
5b) another option is to use (an old version of) the iKeyman utilty which is capable of reading the *.kyr file format.
This version will work just fine.... opening the *.kyr file should display details like this
6. Using the newly created certificates
Configure the Domino server to use the SSL certificates:
6.1. Copy the key ring files created previously into the Data directory of the Domino server. You might want to use a subdirectory like "keyfiles\" .
6.2. Open the Server document for this server. Go to the Ports -> Internet Ports tab.
6.3. If necessary, change the entry in the SSL key file name field to reflect the name of the server key ring file, include the path & file name relative to the Domino Data directory.
6.4. Make sure that SSL port status is set to enabled. Optionally, to force SSL to be used for all connections, change "TCP/IP Port Status" to "Redirect to SSL."
6.5. Save and close the Server document.
6.6. Restart the HTTP task at the server console.
7. See the SSL Certificate in a web browser of your choice
Navigate to the URL (or IP address) of the Domino server.
For a self signed certificate you'll see a warning like this...
6.1 Check the certificate
Within the security warning above, open the section "I understand the Risks" and click the button "Add Exception" and click "View Certificate"
Within the details of the certificate you should be able to see the correct names and key strength details:
Summary
With the modifications made above, creating self signed certificates with extended lifetime and a key size of up to 2048 bit is not a problem anymore.
Of course there is a lot more to say about SSL in Domino, for now lets conclude with Notes Sensei's words : YMMV
References:
- Special Thanks to Thomas Bahn for his blog post Creating Self-Certified SSL Certificates Valid Longer Than One Year
- Recover your Domino SSL Keystore password
- Test SSL configuration of your web site with http://checktls.com/
- Lotus Domino Certification Authority Tutorial
- Wildcard SSL certificate from O12/PFX file tino Domino by Mats Ekman / Infoware
Comments
1.) The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino
Vladislav Tatarincev http://www.vlaad.lv 07/05/2014 9:46:48
Thanks! great job, hope template will be updated, to proper key length. :)
great article.
2.) The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino
Stephan H. Wissel http://www.wissel.net/ 08/05/2014 19:05:27
The article nicely describes strong self signed certificates. However they can be quite a headache when playing with mobile devices. So I usually recomment to create your own CA (using OpenSSL command line tools) and then based on that an SSL certificate. You then can import the CA's public root certificate into browsers and mobile devices of your intendet audience (works well for corporate apps) and no scary message pops up