22 December 2016

Creating SHA2 4096 keyfiles for Domino AND WebSphere from one Wildcard certificate

Here's my process for creating SSL/TLS key stores for both Domino and WebSphere using just one purchased Wildcard certificate (with screen shots).
Often I come across scenarios with customers where they wish to increase the strength of the encryption used (mainly due to failing verification from browsers and impending support drop for SHA1), or they wish to purchase one Wildcard certificate that will cover all of their collaboration environment such as iNotes, Traveler, web apps, Connections & Sametime.

The process has many steps but it's relatively easy once you know how.
There have been many blogs about doing this (links below) and there's some decent doco from IBM (links below), and I've used them all - but I find that every time is a little different. Maybe this scenario will match yours and will help, hey?

I'll break this into 2 posts, 'cause it gets a bit long...


Things you should know first:
  • SHA-2 support for Domino started with version 9.0.1 FP3.  This will not work in any version of 8.5.x. You’ll need to upgrade your servers and Domino Admin client (as of writing we are at Domino 9.0.1 FP7 so OF COURSE you’ve already upgraded right? ;-)
  • We're going to create a key of 4096 bits. This may cause some issues in WebSphere and (sometimes) even Domino - more on that later....

Tools you will need:
  • OpenSSL - download this tool from the Shining Light website. You only need the Lite version. Install it under C:\OpenSSL and place the binaries under the \bin directory.
  • KYRTool - download this tool from IBM Fix Central and unpack to your Notes Program directory (don't forget to check if you have 32bit or 64bit Notes and use the appropriate kyrtool version - the download will contain both)

All set?
Here's my scenario:
  • Domino 9.0.1 FP7 web server (hosts both Traveler and iNotes)
  • Sametime 9.0.1 (System Console, Community and Proxy)
  • Connections 5.5
  • Notes 9.0.1 FP7 Installed to my Windows PC under C:\IBM\Notes
  • OpenSSL Installed to C:\OpenSSL\bin
  • Created a folder called 'client' under the \bin directory
  • KYRTool deployed to Notes Program directory

Here goes:
  1. Set the environment variable for OpenSSL
    In a command prompt - type:
    Set OpenSSL_Conf=C:\OpenSSL\bin\openssl.cfg
  2. Use OpenSSL to create the RSA KeyPair
    In a command prompt - change to the OpenSSL\bin directory - then type:
    openssl genrsa -out client\server.key 4096

    You can use any name, filepath and key length you want for the key - just verify that the key is present in the chosen directory (I like to use a separate directory just to keep everything in the one place)

  3. Use OpenSSL to create a Certificate Signing Request (CSR)
    In a command prompt - from the OpenSSL\bin directory - type:
    openssl req -new -sha256 -key client\server.key -out client\certreq.csr

    As with the key, you can use any name and filepath you want for the CSR - however you must reference the key by the name it was given in the previous step (i.e. server.key)
    You need to have all the information about the certificate ready - such as the common name, an email address for verification and other information that may need to be validated by the signer.

    Note that now my CSR is in the \client directory with the key

  4. Give your CSR to the signing fairies
    If you set a challenge password (as I did above) don't forget to include it!
    If you have your own portal or self service tool to submit the request remember that you'll likely need to have a valid 'hostmaster' or 'webmaster' email address at your organisation (a lot of cert management tools force this naming convention on ya)
    Your signing authority (likely Verisign, GoDaddy, GeoTrust etc.) will verify your request and return the signed certificate to you as a '.crt' or '.pem' file, or maybe even just as text in an email.
  5. Use the KYRTool to create a keyring file to house the certificate to deploy to Domino
    In a command prompt - change to the C:\IBM\Notes directory - then type:
    kyrtool create -k C:\OpenSSL\bin\client\SPPower-WC-SHA2.kyr -p {password}

    Again, as with the key and CSR, you can use any name and filepath you want for the keyring. Note that the password stash file (.sth) is stored alongside the keyring file under the \client directory.
  6. Combine the key, the signed certificate, and all intermediate and root certificates into one text file
    Your certificate signing authority should have returned your certificate.
    If it was returned by email grab all of the text starting with -----BEGIN CERTIFICATE----- and ending in -----END CERTIFICATE----- and place into a text file under the \client directory.

    We now have the server key and the signed certificate; next we need the root and intermediate certificates.
    Sometimes the signing authority will send the certificate in a bundle along with the intermediate and root certificates. If not you will need to go to the certificate signer's website and download them.

    In a command prompt - from the OpenSSL\bin directory - type:
    type client\server.key client\SPPower-cert.txt client\intermediate.txt client\root.txt >client\allcerts.txt

    or if you have a certificate bundle simply type:
    type client\server.key client\SPPower-all-certs.txt >client\allcerts.txt

    You should now have the text file with all certificates and the private key under your \client directory.
  7. Use the KYRTool to validate your text file containing the certificate chain
    In a command prompt - change to the C:\IBM\Notes directory - then type:
    kyrtool verify C:\OpenSSL\bin\client\allcerts.txt
  8. Import the allcerts.txt containing all certificates into your keyring file
    In a command prompt - from the C:\IBM\Notes directory - type:
    kyrtool import all -k C:\OpenSSL\bin\client\keyring.kyr -i C:\OpenSSL\bin\client\allcerts.txt
    (use whatever name you gave the keyring in step 5 - in my case SPPower-WC-SHA2.kyr)

  9. Copy the keyring file and stash file to your Domino data directory on your web server
    Now go forth and whack both of them (the .kyr and the .sth) in your Domino data directory on your web server
  10. Replace the keyring file name in the web site configuration
  11. Restart HTTP task and you're done!
    You now have your Domino web apps running under your new certificate!
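As an added example (not from the original post), here's steps 2, 3 and 6 redone as a POSIX shell script against the OpenSSL CLI, with a constructed root and intermediate CA standing in for the signing authority, plus the checks worth running on allcerts.txt before kyrtool ever sees it. Every file name and the *.example.com common name are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the post: redo steps 2, 3 and 6 with OpenSSL and run the
# checks worth doing on allcerts.txt before kyrtool sees it. The root and intermediate
# CAs are constructed stand-ins for the signer; file names and the CN are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"; Q=/dev/null

# Constructed CA pair (in real life these come back from your signing authority).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj '/CN=Constructed Root CA' \
  -keyout root.key -out root.txt 2>$Q
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Constructed Intermediate CA' \
  -keyout intermediate.key -out intermediate.csr 2>$Q
openssl x509 -req -in intermediate.csr -CA root.txt -CAkey root.key -CAcreateserial \
  -sha256 -days 30 -extfile ca.ext -out intermediate.txt 2>$Q

# Steps 2 and 3 from the post: 4096-bit RSA key, SHA-256 CSR for the wildcard name.
openssl genrsa -out server.key 4096 2>$Q
openssl req -new -sha256 -key server.key -subj '/CN=*.example.com' -out certreq.csr 2>$Q
# The signer's job, simulated with the constructed intermediate.
openssl x509 -req -in certreq.csr -CA intermediate.txt -CAkey intermediate.key \
  -CAcreateserial -sha256 -days 30 -out SPPower-cert.txt 2>$Q

# Step 6: private key first, then leaf -> intermediate -> root, the order kyrtool wants.
cat server.key SPPower-cert.txt intermediate.txt root.txt > allcerts.txt

# The private key and the signed certificate must belong together: same RSA modulus.
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}
# Leaf must chain through the intermediate to the root; a missing intermediate fails here.
chain_verifies() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >$Q 2>&1; }
# SHA-2 signature on the leaf and a 4096-bit key: the whole point of the exercise.
leaf_is_sha2() { openssl x509 -in "$1" -noout -text | grep -q 'Signature Algorithm: sha256'; }
key_is_4096()  { openssl pkey -in "$1" -noout -text | grep -q '4096 bit'; }
# allcerts.txt must open with the private key and carry all three certificates.
bundle_layout_ok() {
  head -n 1 "$1" | grep -q 'PRIVATE KEY' && [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 3 ]
}

for check in 'key_matches_cert server.key SPPower-cert.txt' \
             'chain_verifies SPPower-cert.txt intermediate.txt root.txt' \
             'leaf_is_sha2 SPPower-cert.txt' 'key_is_4096 server.key' \
             'bundle_layout_ok allcerts.txt'; do
  if $check; then echo "OK   $check"; else echo "FAIL $check"; fi
done
```

Swap the constructed CA files for the ones your signer returned and the same five checks apply to the real allcerts.txt.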

Depending on your web apps, and other connecting services you may have to enable and disable certain ciphers.
Read more about Cipher configuration here

Stay tuned for next post -- Deploying your Wildcard certificate to WebSphere for Sametime & Connections

