Installing a wildcard certificate on Domino

Mar 21, 2017 15:23


Please note that these steps were written using Microsoft Windows as the workstation operating system, with the wildcard certificate installed on Internet Information Services.

  • A Lotus Notes Administrator client running version 9.0.1 FP2 IF2 at a minimum
  • OpenSSL
  • The Domino Keyring Tool (kyrtool)
  • A plain-text editor such as Notepad++
The Domino Keyring Tool can be downloaded at
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0&source=fc

1. First export the wildcard certificate from your Internet Information Services server as a pfx file. Make sure to export the private key and, if possible, all certificates in the chain.

In the following steps the pfx file was exported to a folder named cert on the C drive of the workstation.

Open a Windows command prompt and start OpenSSL. Issue the following command to convert the exported pfx file to a pem file:

pkcs12 -in <pfx file> -out <pem file> -nodes -chain

e.g.

pkcs12 -in c:\cert\test.pfx -out c:\cert\server.pem -nodes -chain

2. Open the resulting pem file with Notepad++. You should see the private key and certificate information for your wildcard certificate and, if they were exported, the intermediate and root certificates for your CA.

If only the private key and certificate information for the wildcard certificate are present, you will have to export the intermediate and root certificates from the pfx file using certmgr.msc, following the sub-steps below, or request them from your certificate provider.

3. Open certmgr.msc and import the .pfx file.

    Once imported click on Personal -> Certificates and click on the imported wild card certificate.

    Click on the Certification path tab.

    Select the intermediate certificate and click view details.

    In the new dialog for the intermediate certificate click the Details tab and select Copy to File.

    Export the intermediate certificate as a Base-64 encoded X.509 cer file.

    If there is more than one intermediate certificate in the chain you will have to export these also.

    Select the Certification path tab again, select the root certificate and export it to file (Base-64 encoded cer file).
4. Open the exported intermediate and root certificate files using Notepad++.

5. Create a new document in Notepad++.

6. Copy in the private key and certificate information for the wildcard certificate from the pem file.

7. Then copy in the certificate information for the intermediate certificate(s) and finally the root certificate, and save the file as server.txt.

8. You can now verify the certificate information in the server.txt file using the kyrtool.
This will confirm that the certificate information is correct and that the certificates are in the correct order.

Open a new Windows command prompt and navigate to your Notes program directory and issue the command

kyrtool verify <input file>

e.g.

kyrtool verify c:\cert\server.txt

Make sure the response does not indicate any errors and that the final certificate in the chain is self-signed (all root certificates, even those from third-party CAs, are self-signed).
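Steps 5 to 8 assemble server.txt by hand. The following Python script is an added example, not part of the IBM technote or of kyrtool: it splits the pem file written by openssl pkcs12, puts the unencrypted private key first, orders the certificates leaf, intermediate(s), root by matching each issuer name to the next subject name, and refuses to write a file whose chain does not end in a self-signed root or whose key is still encrypted, which are the conditions the technote says kyrtool verify will complain about. Everything it reads from DER is just the subject and issuer names, so it uses only the standard library. The sample input is constructed: the certificates are unsigned skeletons carrying only the fields the script reads and the key block is a placeholder, so none of it is a real credential; all function names are mine.

```python
"""Build server.txt in the order kyrtool expects: private key, wildcard (leaf)
certificate, intermediate(s), root. Stdlib only; the DER walker reads names only."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def split_pem(text):
    """[(label, der)] per PEM block; openssl's 'Bag Attributes' lines are skipped."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def _tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _items(tlv):
    """Children of a constructed DER element, each as its raw TLV bytes."""
    _, s, e = _tlv(tlv, 0)
    out = []
    while s < e:
        _, _, ve = _tlv(tlv, s)
        out.append(tlv[s:ve])
        s = ve
    return out

def subject_issuer(cert):
    """(subject, issuer) Name DER taken from Certificate.tbsCertificate."""
    fields = _items(_items(cert)[0])
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4], fields[2]                 # serial, sigAlg, issuer, validity, subject

def common_name(name):
    """Value of the first attribute of the first RDN (the CN in these samples)."""
    value = _items(_items(_items(name)[0])[0])[1]
    _, s, e = _tlv(value, 0)
    return value[s:e].decode()

def order_chain(certs):
    """Order DER certs leaf -> root by issuer/subject links; the chain must end
    in a self-signed root, the same condition kyrtool verify reports on."""
    names = {c: subject_issuer(c) for c in certs}
    issued = {iss for subj, iss in names.values() if subj != iss}
    leaves = [c for c in certs if names[c][0] not in issued]
    if len(leaves) != 1:
        raise ValueError("certificates do not form one chain; export the missing "
                         "intermediate/root certificate from certmgr.msc")
    chain, cur = [], leaves[0]
    while len(chain) < len(certs):
        chain.append(cur)
        subj, iss = names[cur]
        if subj == iss:
            return chain                        # self-signed root ends the chain
        cur = next((c for c in certs if names[c][0] == iss), None)
        if cur is None:
            raise ValueError("issuer of %r is not in the file" % common_name(subj))
    raise ValueError("chain does not end in a self-signed root")

def build_server_txt(pem_text):
    """Text for server.txt: the unencrypted key first, then the ordered chain."""
    blocks = split_pem(pem_text)
    keys = [(l, d) for l, d in blocks if l.endswith("PRIVATE KEY")]
    if len(keys) != 1 or keys[0][0].startswith("ENCRYPTED"):
        raise ValueError("need exactly one unencrypted private key (convert with -nodes)")
    certs = [d for l, d in blocks if l == "CERTIFICATE"]
    return to_pem(*keys[0]) + "".join(to_pem("CERTIFICATE", c) for c in order_chain(certs))

# --- constructed sample input: unsigned certificate skeletons, placeholder key ---
def _der(tag, body):                            # tiny DER encoder, bodies < 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + body

def fake_cert(subject_cn, issuer_cn):
    """Structurally valid Certificate carrying only the fields this script reads."""
    def name(cn):                               # SEQ { SET { SEQ { OID cn, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
           + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

SAMPLE_PEM = (                                  # mimics openssl pkcs12 -nodes output, out of order
    "Bag Attributes\n    localKeyID: 01\nsubject=/CN=*.example.test\n"
    + to_pem("CERTIFICATE", fake_cert("*.example.test", "Example Intermediate CA"))
    + to_pem("CERTIFICATE", fake_cert("Example Root CA", "Example Root CA"))
    + to_pem("CERTIFICATE", fake_cert("Example Intermediate CA", "Example Root CA"))
    + "Bag Attributes\n    localKeyID: 01\nKey Attributes: <No Attributes>\n"
    + to_pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00")))  # placeholder, not a key
)
```

Run it against a real pem file with `build_server_txt(open(r"c:\cert\server.pem").read())` and write the result to server.txt, then still run kyrtool verify on it: the script checks only name linkage, not signatures or validity dates. Like the pem file, the output holds the private key in clear, so it belongs in the same cert folder that step 12 deletes.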

9. If you have no errors, use the kyrtool to create a new key ring with the following command:

kyrtool create -k <keyring file> -p <password>

e.g.

kyrtool create -k c:\cert\keyring.kyr -p aneasypassword

This command also creates the stash file for the key ring, which Domino requires in order to use the key ring file. It has the same name as the key ring file but uses the .sth extension.

10. If you have no errors, use the kyrtool to import the data from the server.txt file into the key ring file with the following command:

kyrtool import all -k <keyring file> -i <input file>

e.g.

kyrtool import all -k c:\cert\keyring.kyr -i c:\server.txt

11. If you do not receive any errors importing the certificates into the key ring file, back up your server's current key ring and stash files (.kyr and .sth).

Copy over the new key ring file and sth file from your Notes client to the data directory of your server. If required edit the server document for the server to point to the new key ring file.

Restart your Domino server and, once it is back up, confirm that you can reach the server using an HTTPS connection in your browser.

12. Once you can connect without issue using HTTPS, delete the entire cert folder and all its files from your workstation: the pem and server.txt files contain the private key unencrypted (the -nodes option).

Source: http://www-01.ibm.com/support/docview.wss?uid=swg21697002

lotus, ssl, domino, https
