NewPush » SSL

Creating an easy to deploy SSL certificate in PEM format

Balazs — Mon, 07 Nov 2011 17:03:02 +0000

When ordering a secure certificate, most often one has to deal with the following files:

certificate key file (aka private key): .key
certificate request file: .csr
primary certificate file (issued by the CA): .crt
certificate chain (aka intermediate certificate, or sf bundle): sf_bundle.crt

As a result, when deploying to a web server, it is necessary to configure 3 files: the key, the cert, and the trust chain. However, a little known fact is that these can be combined in a “pem” file that holds all three. One may even include the trusted root certificate optionally. Here is how:

download your certificates (your_domain_name.crt) from your NewPush Customer Portal.
paste the entire body of each certificate one by one into one text file in the following order:
- domain.key
- domain.crt
- sf_bundle.crt
Make sure to include the beginning and end tags on each certificate. The result should look like this:
-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

The number of
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
sections will depend of the length of the certificate trust chain.

Domino 8.5 SSL Key Import Into Keyring File

Bill — Sat, 09 Apr 2011 23:40:05 +0000

Domino Server SSL Key Import

By default, the SSL key order process in the Domino Administrator assumes that only single domain certificates are used. Hence, when you have a multi domain UCC or a wildcard certificate, it has to be loaded into the keyring (a.k.a. kyr file) outside of the Domino Administrator.

The basic overview of the process is this:

Create a kyr (keyring) file to hold the keys.
Create a p12 (PKCS#12) file with the certificate that needs to be added to the keyring.
Add the p12 (PKCS#12) file to the keyring.
Install the new keyring on the Domino Servers (mail, traveler, sametime, Quickr)

Domino Server PKCS#12 key generation and import

Create PKCS#12 from SSL KEY and CRT files

For this step I recommend to be on the Linux or AIX with openssl installed. Assuming that you have the certificate key, the CA issued certificate, and the certificate chains all in the same directory, you can run the following command to generate the p12 file:
openssl pkcs12 -export \ -in certificate-from-CA.crt \ -inkey certificate-key-file.key \ -certfile root-ca-bundle.crt \ -out certificate-in-pkcs12-format.p12

Add PKCS#12 to Domino Server Kyr Keyring File

For this step I recommend to be on the sametime server under Linux or AIX. In theory, this should work, but in practice, I found that the version 7 of the gsk tools doesn’t seem to be able to open kyr files. So you may need to skip ahead to the legacy Windows XP method, unless you can find the gsk5bas package on one of your older install media.
rpm -Uvh ${SAMETIME_CD_PATH}/SametimeEntryServer/GSKit/Linux/gsk7bas-7.0-4.28.i386.rpm vi /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/java.security
Add last provider to list:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2 security.provider.2=com.ibm.crypto.provider.IBMJCE security.provider.3=com.ibm.security.jgss.IBMJGSSProvider security.provider.4=com.ibm.security.cert.IBMCertPath security.provider.5=com.ibm.security.sasl.IBMSASL security.provider.6=com.ibm.spi.IBMCMSProvider
remove conflicting jar file:
mv /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.jar /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.removedjar-
set environment:
set JAVA_HOME JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre export JAVA_HOME

Domino Server Required Utilities for SSL Key Import (legacy Windows XP method)

Download and install IKEYMAN.
Open the kyr file in gsk5.
Import the p12 cert.
Save the new kyr file.

Domino Server SSL Key Management References

http://www.redbooks.ibm.com/redpapers/pdfs/redp0046.pdf
http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments
http://www.deadspace.de/?p=294
ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_SSL_Ikm_Guide.pdf
https://support.quovadisglobal.com/KB/a93/how-do-i-install-my-digital-certificate-into-lotus-notes.aspx
http://replay.waybackmachine.org/20081121002554/http://www.justinclarke.com/archives/2005/08/sending_smime_e.html
http://www.eulerhermes.com/en/documents/secure-email/ehcica_howto_import_lotus_notes_en.pdf/ehcica_howto_import_lotus_notes_en.pdf
http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.802.doc/Entry/st_adm_security_ssl_ikey_lin_t.html

For more information about Domino Server solutions, visit our collaboration section.

Verifying SSL Certificates

Pete — Fri, 31 Dec 2010 00:53:26 +0000

Problem

You have a few SSL cert files on your server, but you are not sure which one is the newest, or the right cert to use.

Solution

Look at the contents of a CSR

openssl req -noout -text -in [domain_name].csr
Where [domain_name].csr is the name of the CSR file.

Look at the contents of a certificate

openssl x509 -noout -text -in [domain_name].crt

Look at the MD5 fingerprint of a certificate

openssl x509 -fingerprint -noout -in [domain_name].crt

Check the private key, the CSR, and the signed cert

To check that the private key, the CSR, and the signed cert belong to the same set, you need to compare the MD5 outputs:
openssl rsa -noout -modulus -in [domain_name].key |openssl md5 openssl req -noout -modulus -in [domain_name].csr |openssl md5 openssl x509 -noout -modulus -in [domain_name].crt |openssl md5

How to add a secure cert to IIS on Windows

Balazs — Sun, 31 May 2009 15:30:36 +0000

To add an SSL cert to IIS 5 on Windows, you need two separate steps:

Create a p12 (pkcs12) cert file:

cat server.key server.crt > server.pem
openssl pkcs12 -export -in server.pem -out server.p12 -name "server"

Import the p12 file into IIS:

Start->Run->mmc
Ctrl+M
Add...
Certificates
Computer Account
Finish
Close
OK
Open "Certificates (Local Computer)" tree
Right click Certificates
All Tasks->Import...
Browse to .p12 cert
Next
Next
Next
Finish

Select cert for site

Open IIS Admin
Select properties of website
Select Directory Security Tab
Server Certificate...
Next
Assign existing cert
Next
Select Cert
Next
Next
Finish
Web Site tab
SSL Port 443
Apply
OK

How to remove a passphrase from an SSL cert key

Balazs — Sun, 31 May 2009 14:10:01 +0000

Here are the steps to remove a pass phrase from a cert key. This solution was originally discovered on the modssl website:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Make sure the key is readable by root only,

chmod 400 server.key

Do you need a secure certificate (SSL/HTTPS) for your site?

Domonkos — Sun, 12 Nov 2006 08:51:46 +0000

A secure certificate (aka SSL cert) allows a web site to secure the connection between the web server and the visitor. That allows protection of the users privacy and the confidentiality of the data. A secure certificate technically does the following two things:

Guarantee that the website you are looking at is truely the website you are expecting to look at (to avoid “man in the middle” attacks)
Encrypt the connection so that 3rd parties that are trying to “sniff” the data can not discover the contents

In order to begin timely processing of a secure certificate order we will need the following documentation:

Proof of Organization, which can be any of the following:

DUNS number (Dun and Bradstreet)
Articles of Incorporation or Business License
Doing Business As (DBA) registration
Sole Proprietorship documentation

Please note: Company name and addresses listed on these documents will need to match the current domain registration company name and address. You can look up your domain registration information here: http://opensrs.org/cgi-bin/whois.cgi

Please email, orders@thenewpush.com, or fax, 1-720-294-0933, the documents to us.