Random thoughts from an unusual company

Moving an IIS SSL certificate to a Domino Keyring File

Gabriella Davis  11 February 2009 23:25:53
Today I had a support call from a customer who had bought an SSL certificate from Verisign to cover their entire domain. Verisign had issued the certificate and it had been applied to their existing IIS servers; now they wanted to use it on their Domino web server as well. The scope of the certificate covered the Domino server (same wildcard domain), but Verisign wouldn't process another request from a Domino keyring file as they had already issued the key in response to the IIS request. They agreed to cancel the IIS certificate and issue a new one for Domino, but according to their tech support

"the use of the wildcard domain covers you for up to 10 servers so long as you can copy the same certificate between the servers.  As Domino and IIS are incompatible you have to buy a new certificate"

Well, that seemed like a gyp, so I decided to prove it could be done. With the help of some related IBM technotes, this is what I did to get it working.
  1. Created an exported pfx file from IIS
  2. Went to a Domino server and from a command prompt found the \domino\jvm\bin directory and ran the "ikeyman" file within it
  3. Created a new Key DB file by browsing to the IIS exported pfx file and importing it as PKCS
  4. Examined the imported certificate and noted the certificate settings such as Organisation, OU, L etc.
  5. Closed ikeyman
  6. Created a new key ring file using the Server Certificate Admin db on Domino
  7. Gave it exactly the same settings as the original IIS certificate noted down in step 4
  8. Installed the trusted root certificate into the key ring file
  9. Copied the .kyr and .sth files to the server where ikeyman ran and where the PKCS file generated in step 3 was located
  10. Downloaded the gsk version of ikeyman, which handles Domino key ring files, from ftp://ftp.software.ibm.com/software/lotus/tools/Domino/gsk5-ikeyman.zip
  11. Extracted the zip file to a folder 'gsk' on the server (the folder can be called anything, but no spaces)
  12. Ran "gskregmod.bat Add" from a command prompt within the extracted folder
  13. Launched ikeyman from a DOS prompt in the newly extracted folder by typing "runikeyman.bat"
  14. Chose Key Database File - Open and selected the .kyr file I copied to the server in step 9
  15. Went to Personal Certificates, clicked 'Import', chose 'PKCS' and imported the file generated in step 3

You should now have a .kyr file that contains the certificate and can be copied back to your destination Domino server along with its .sth file.
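The following PowerShell script is an added example, not code from the original post: it opens the .pfx exported in step 1 and prints, for every certificate inside, the subject fields you copy in step 7, whether it is the server certificate, an intermediate or a self-signed root (the root is what step 8 installs into the key ring), and the signature algorithm; it then writes a second .pfx holding only the server certificate and key, which goes beyond the steps above but is the form Pascal's comment below recommends when ikeyman rejects a bundle that also carries the root. The two file paths and the password are placeholders, and the script assumes Windows PowerShell 5 or later.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not from the original post). All three values are placeholders.
param(
    [string]$PfxPath      = 'C:\temp\wildcard-export.pfx',    # the IIS export from step 1
    [string]$Password     = 'pfx-export-password',            # password given at export time
    [string]$LeafOnlyPath = 'C:\temp\wildcard-leaf-only.pfx'  # where the stripped copy goes
)

# Load every certificate in the PFX. Exportable keeps the private key
# exportable so the leaf-only copy can be written further down.
$bundle = New-Object X509Certificate2Collection
$bundle.Import($PfxPath, $Password, [X509KeyStorageFlags]::Exportable)

$leaf    = $null
$hasRoot = $false
foreach ($cert in $bundle) {
    if ($cert.HasPrivateKey)                 { $role = 'server certificate'; $leaf = $cert }
    elseif ($cert.Subject -eq $cert.Issuer)  { $role = 'self-signed root';   $hasRoot = $true }
    else                                     { $role = 'intermediate' }

    "[{0}]" -f $role
    "  Subject   : $($cert.Subject)"      # O, OU, L, C ... to reuse in step 7
    "  Issuer    : $($cert.Issuer)"
    "  DNS name  : $($cert.GetNameInfo([X509NameType]::DnsName, $false))"
    "  Valid to  : $($cert.NotAfter)"
    "  Signature : $($cert.SignatureAlgorithm.FriendlyName)"   # sha1RSA or sha256RSA
}

if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }

if (-not $hasRoot) {
    # Step 8 needs the root; when the export does not carry it, fetch it from the CA.
    Write-Warning 'The export contains no root certificate: download it from the CA for step 8.'
}

if ($leaf.SignatureAlgorithm.FriendlyName -ne 'sha1RSA') {
    # The comments on this post report SHA-2 signed certificates failing in Domino 8.5.x key rings.
    Write-Warning "Server certificate is signed with $($leaf.SignatureAlgorithm.FriendlyName); check your Domino release supports it."
}

# Export just the server certificate and its key, without the chain. Export()
# on a single X509Certificate2 never includes other certificates from the bundle.
$bytes = $leaf.Export([X509ContentType]::Pfx, $Password)
[IO.File]::WriteAllBytes($LeafOnlyPath, $bytes)
"Leaf-only PFX written to $LeafOnlyPath"
```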
Comments

#1 Craig Wiseman  11/02/2009 23:53:17  Moving an IIS SSL certificate to a Domino Keyring File

Nice work, and nice sharing!

You are hereby awarded the SSL Geek Beanie for the week. Wear it with pride!

#2 Rob McDonagh  12/02/2009 00:32:56  Moving an IIS SSL certificate to a Domino Keyring File

Ooh. You're good. You're very good.

#3 Julian Robichaux  12/02/2009 02:28:46  Moving an IIS SSL certificate to a Domino Keyring File

Wow. Just... wow.

#4 Mark  12/02/2009 09:11:21  Moving an IIS SSL certificate to a Domino Keyring File

Oooo you just saved me a world of hurt

#5 Dan Silva  13/02/2009 12:28:26  Moving an IIS SSL certificate to a Domino Keyring File

Gabi,

thanks for sharing this indeed! Care to link the IBM Technotes you used too?

Thanks again, very nice work!

-Dan

#6 Sjaak Ursinus  13/02/2009 14:35:24  Moving an IIS SSL certificate to a Domino Keyring File

Gabriella,

Thanks for sharing this. I have already been in this position in the past and was not aware of the ikeyman specially for Domino which handles key ring files.

Thanks for sharing; I know for sure I will be confronted with the same situation again and then I know how to handle that!!

Especially for * certificates this is great; now you can use one certificate for more platforms as well.

#7 Urs Meli  02/03/2009 16:24:57  Moving an IIS SSL certificate to a Domino Keyring File

That's absolutely fabulous. This will save me lots of time.

Thank you!!!

#8 Jomon Abraham  16/04/2009 19:13:43  Moving an IIS SSL certificate to a Domino Keyring File

Gabriella,

We also had the same issue and now

We have two wildcard licenses, one for IIS and one for Domino. I am taking care of the SSL setup for the IIS servers. We don't have a Domino admin and I was asked to take care of the SSL setup for Domino also. I know a little about Lotus Notes/Domino. Our 2 SSL wildcard licenses are expiring in July and I want to make them one and save some money and the issues we had earlier.

I am following your steps. I have the exported pfx file from IIS. I am kind of stuck at step 3. Could you please explain that more?

Regards,

Jomon

#9 Philip  08/06/2009 18:04:28  Moving an IIS SSL certificate to a Domino Keyring File

I have a question as I am attempting to perform the same procedure. When creating the new Key Database in step 3, what Key Database Type did you select? I've tried to import the PFX file into both a PKCS12 and a PKCS12S2 database file without any success.

#10 Phil Rigby  10/06/2009 19:31:14  Moving an IIS SSL certificate to a Domino Keyring File

I have the same issue as #9: I can't successfully import the IIS pfx. Can you go into more specifics please?

#11 Gab Davis  11/06/2009 13:12:42  Moving an IIS SSL certificate to a Domino Keyring File

@8 @9 are you using the ikeyman found in the Domino Directory as opposed to any other? It imported fine at PKCS for me - what happens to you?

#12 Phil Rigby  11/06/2009 14:25:34  Moving an IIS SSL certificate to a Domino Keyring File

Gab, I'm using the one that's \lotus\domino\jvm\bin\ikeyman.

The app opens; go to the Key Database File menu, select Open, select Key database type = PKCS12, browse to the file. Hit OK, it asks for the cert file password, enter that, then get a message saying "The specified database has been corrupted".

I have a PMR open with IBM about this task, if I get an update I'll post it here.

#13 Philip  11/06/2009 19:54:12  Moving an IIS SSL certificate to a Domino Keyring File

I'm having the same issue as #12 and am using the same location of ikeyman.

It is Lotus Domino version 8.0.2.

Any ideas?

#14 Phil Rigby  12/06/2009 13:37:20  Moving an IIS SSL certificate to a Domino Keyring File

Ok, IBM managed to take care of business for me. This is what they said:-

"To import the certificate I had to get a specific version of IBM HTTP server software and use the ikeyman utility from it. 1.3.19.5 HTTP server. You don't need to run the HTTP server, just access the ikeyman utility.

https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=htt&lang=en_US&S_PKG=wnt13195gv&cp=UTF-8

1. Create a new key file

2. Switch to Personal Certificates in the narrow drop down.

3. Import the certificate, leave the choice of file type as pkc, but browse to the location of the signed pfx certificate and type in the name of the file.

4. Open the key file with a Server Certificate Admin database and change the password to create a needed .sth file. Use the .kyr and the .sth which has been created.

The new .kyr and .sth files should work. I tested the wild card certificate in the keyfile and was able to connect to a test server over SSL with no problem. I modified the host file to allow me to access https://babaloo.mycompany.com and this worked fine."

I've noticed that the link doesn't work and I've asked for it to be validated. If they supply me with a new link, I'll post it here.

Hopefully this will help out (the other) Phil and anyone else having issues... IBM actually created the new files for me and they do work, I now have a wildcard cert that will be valid for any SSL site, whatever.mycompany.com ...

#15 Phil Rigby  12/06/2009 14:23:32  Moving an IIS SSL certificate to a Domino Keyring File

Updated download info:-

Go to { Link } and on the right click Download other releases.

You will need to register, it's relatively quick.

Select the version as highlighted earlier... download et voila.

#16 Gabriella Davis  12/06/2009 15:08:51  Moving an IIS SSL certificate to a Domino Keyring File

Thanks for the link Phil. That will prove invaluable to those trying from scratch.

#17 Mark  08/09/2009 07:36:00  Moving an IIS SSL certificate to a Domino Keyring File

I used the step by step instructions from this page:

{ Link }

(how to install a wildcard certificate into a Lotus Domino keyring)

#18 Daniel  19/09/2009 14:27:30  Moving an IIS SSL certificate to a Domino Keyring File

Thx @ #14 Phil Rigby.

I had the same problems as #10-11 and many others with the error while trying to use the iKeyMan installed on the server.

The KEY is to get the specific version of IBM HTTP server 1.3.19.5.

I followed Phil's link at post #15 and downloaded and installed that version.

Then just looked for the gsk5km (IBM Global Security Toolkit).

My total process (after loads of trial and error):

1. Create Key Ring in the Server Certificate Admin database.

2. Download the Trusted Root certificate from my Certifier (in my case Comodo)

3. Install Trusted Root Certificate into Key ring (on certsrv.nsf) using the cert downloaded in step #2 (this is to add it as a trusted root)

4. Download and install the IBM HTTP server 1.3.19.5. (installed it in a VM)

5. Copy over the keyfile.kyr and keyfile.sth files to the location of the IBM Global Security Toolkit.

6. Start the gsk5km program (C:\Program Files\ibm\gsk5\bin if you installed it at default location)

7. Open up the keyfile.kyr file.

8. Select Personal keys (or personal certificates, the program isn't in English for me) from the little switch.

9. Select Import and select the type as PKCS12 and type the name of the *.pfx file, then press OK and enter the password

This did it for me.

The key was the "old" IBM Global Security Toolkit program.

#19 Jeroen Meijer  09/04/2010 23:41:10  Moving an IIS SSL certificate to a Domino Keyring File

I managed to even make it a tad simpler (thanks Gabriella, Daniel and Phil!), which worked for a GoDaddy wildcard.

1) Download and install the IBM HTTP server 1.3.19.5. As Daniel wrote, do it in a VM, as it wants to install a complete HTTP server/service. Note: anyone who knows how to do a clean install of gsk5km alone, pls explain! (Daniel's step 4)

2) Create a new key-database by clicking the leftmost icon. Ensure the type is set to Keyring. Give it a TEMPORARY password. Note that quite a few Trusted Roots are already created.

3) Choose "Personal certificates" and import the wildcard (Daniel's step 8 and 9). Note that the default .p12 extension is not what is needed, at least not in my case where the wildcard was a .pfx file.

4) Open the Server Certificate Admin database and open the just-created keyring (.kyr) file using the "View/Edit" option in the lefthand navigator. You will have to enter the password as created in step 2.

5) Change the password (2nd button in the button bar) to the final password. This will create the corresponding stash (.sth) file Domino needs to be able to use the keyring.

That's it! I assume it only works when the Trusted Root is already in the keyring, which was the case for the .pfx file I got from GoDaddy.

Jeroen

#20 Daniel  09/11/2010 15:05:44  Moving an IIS SSL certificate to a Domino Keyring File

Thanks Jeroen!

I had to redo this one more time and found some troubles.

This time our wildcard certificate was issued with another issuer and the Certification Path was totally different.

I recommend before you start with Jeroen's process to:

1. Import the .pfx file into your windows OS.

2. Start the Certificate manager (certmgr.msc)

3. Locate your personal certificate (under personal) and double-click it.

4. Select the Certification Path Tab and check how it is issued.

For me this time I had a "root" and an Intermediate issuer that I had to find the certificates for and Import into the new keyfile.kyr (in order, root first ofc)

It took some time (google I love you) and some trial and error before I got the right ones.

If you don't have the correct ones or import them in the wrong order you will get an error. As long as you don't get errors you're golden.

/Danne

#21 Marco  23/01/2012 09:14:38  Moving an IIS SSL certificate to a Domino Keyring File

A little confused about...

Tried every process without success :-(

Gabriella's works until step 14:

14) open the kyr from the domino server: ok

15a) select personal certificates: ok

15b) import

15c) key type PKCS12 and select the p12 file created in step 3 ERROR!!

"si è verificato un errore durante l'importazione di chiavi da un file di formato PKCS12"

(translate to english)

"An error occurred when importing keys from a PKCS12 format file"

This is how I did step 3 after I ran ikeyman.exe from domino\jvm\bin

1) File database -> New

2) Database type, selected PKCS12

3) input new filename

4) select directory where my pfx is located

5) input a password

6) click on "import"

7) key file type, selected PKCS12

8) input pfx file name and folder

9) click ok and input pfx password

10) ikeyman asks if I want to modify some label, click OK

Now I can see the certificate settings...

Sure I'm misunderstanding some step, but after hundreds of tries I can't resolve this question!!

Please, some hints!!

Marco

#22 Pascal  22/02/2012 13:05:41  Moving an IIS SSL certificate to a Domino Keyring File

Remove the root certificates from your PKCS12 for example by importing your PKCS12 into Internet Explorer and exporting it without selecting the whole certificate path.

It worked for me.

Thanks all!

Pascal

#23 Rushi Mandani  18/04/2012 14:39:54  Moving an IIS SSL certificate to a Domino Keyring File

Hey, I have a .kdb extension file & .pem extension files from the web server for a wildcard SSL.

I have some more 3-4 files but don't have a .pfx file.

Can anyone let me know the overall process for exporting it to the Domino 8.5.3 release?

#24 John Rasmussen  20/09/2012 18:03:02  Moving an IIS SSL certificate to a Domino Keyring File

The process works wonderfully, Gabriella, thank you!

Important note though: the gsk5ikm version available from the IBM ftp site would not run on Windows 7 or even Windows Server 2003. It only worked when I installed it on an older XP machine.

#25 Jeroen Meijer  08/10/2012 22:51:07  Moving an IIS SSL certificate to a Domino Keyring File

To expand on this a bit further. There is absolutely no way to get this to work with Domino 8.5.3 and SHA-2 (256) certificates. Neither the certificate database nor iKeygen supports it. It is a shame really, as the modern (and especially governmental issued) certificates can simply not be used in Domino.

SHA-1 (After MD5) was fixed in R7. But when I write this, SHA-3 has just been NIST approved, Sigh.

https://plus.google.com/u/0/103762327575413926840/posts/ULBTmr19EZS

#26 Michal  10/10/2012 09:00:02  Moving an IIS SSL certificate to a Domino Keyring File

Wait for the next release of Domino (8.5.4). In previous versions, SHA-2 is not supported. In 8.5.4, the problem is solved by implementing the WebSphere HTTP server in front of the Domino server.

#27 Paul Bastide  09/01/2013 14:48:18  Moving an IIS SSL certificate to a Domino Keyring File

I had this work when I used XP and the ikeyman. Win7/Linux were not working for me. Thank you, Paul

#28 Ev Jordan  11/03/2013 21:05:03  Moving an IIS SSL certificate to a Domino Keyring File

I am missing something. I do not see how to tie the JCS and KYR files together. Step 14 suggests I open the KYR file and I cannot. ikeyman will not recognize the file and the runikeyman.bat file doesn't do anything.

I know this is an old thread, but I hope someone can shine some light in this direction. Thanks

#29 jeroen keet  15/04/2013 15:10:14  Moving an IIS SSL certificate to a Domino Keyring File

@28 I have the same issue. Reading the .bat file it seems you need to do an IBM HTTP server installation on the Domino server. Can anyone confirm this?

#30 tixo  26/05/2013 08:57:47  Moving an IIS SSL certificate to a Domino Keyring File

Great work and great discussion!

Just to make it clear, is it in any way in any version of Domino (8.53, R9) possible to import a root certificate with a SHA256 signature?

Tried with the default template and procedures and had no luck. iKeyMan looks like something to check if I understand correctly.

Thanks again for this discussion ;)

#31 Lars Olufsen  16/08/2013 16:50:57  Moving an IIS SSL certificate to a Domino Keyring File

Tixo - in R9 SHA256 is supported

#32 ken  19/09/2013 19:12:14  Doesn't seem to work w/ R9

Tried a few of the different techniques mentioned on this post/comments w/o luck.

Does this even work w/ R9 any more? :-P

#33 Nils Deusch  08/11/2013 06:33:55  Moving an IIS SSL certificate to a Domino Keyring File

Hello,

I got a wildcard certificate from GoDaddy and tried to import the chain and the certificate into my keyring without success. I followed all the different techniques that I found in different blogs or forums using gsk5 ikeyman in different procedures, but nothing worked. The first point that does not work is to import the root certificate into the keyring. Our wildcard certificate is signed with a root certificate with a name that ends with 'G2'. The other 'normal' or 'old' root certificate that is available in GoDaddy's repository could be imported without any problem. Why does this happen? What is the difference between these two root certificates? And at the end, any advice on what I could do?

Thanks in advance, Nils

#34 Paul Ryan  20/11/2013 14:36:46  Moving an IIS SSL certificate to a Domino Keyring File

Hi All (and especially Gab ;)!

This is clearly a key thread now on this nettlesome topic, and I am doing something of a "state of things" write-up on it for my employer. In that I am not doing any actual testing as yet, though. Rather just piecing together the puzzle. A few loose threads remain, but one in particular I could tie off easily right here if one of you knows the answer...

Two specific KeyMan (ikeyman) tools are mentioned as particularly important in the post and comments, the "gsk5" version that can be downloaded from the IBM FTP site, and the one that comes with the IBM HTTP Server 1.3.19.5. My question is whether these are the same KeyMan tool (i.e. the same special version that fully supports the editing of KYR files)? Hopefully they are the same version, as that would simplify things...

Cheers, Paul

#36 Richard Dew  05/12/2013 12:30:06  Moving an IIS SSL certificate to a Domino Keyring File

Hi,

Does anyone know if this works for a cert that has been implemented into WebSphere? So I have a WebSphere server that has a wildcard cert added to it, but I now need to get this into one of my Domino servers.

I have tried to follow, but I think the issue is the export of the cert from WebSphere to start with rather than the import into the Domino key.

Any help is much appreciated as I can't find any tech notes on doing this from WebSphere

#37 Richard Dew  11/12/2013 10:33:35  Moving an IIS SSL certificate to a Domino Keyring File

I have now managed to complete this. It has to be completed the other way round: you complete the cert in Domino, then extract it using the iKeyMan utility; once you have done this it can be imported into WebSphere.

#38 Nelly Gaudin  08/01/2014 13:35:35  Moving an IIS SSL certificate to a Domino Keyring File

Regarding #24, I was faced with the same issue...

I managed to get it running on Windows 2003 by replacing the content of the JRE dir with a JRE 1.1.8 which I downloaded from here: { Link }

That does not work on 64bit systems though.

#39 Mats Ekman  16/01/2014 16:20:13  Moving an IIS SSL certificate to a Domino Keyring File

I did some documentation and a checklist on how to do this at my company blog.

Maybe that could help you out, here is the link:

{ Link }

Regards

Mats

#40 Andrew Gr  20/03/2014 11:25:41  Moving an IIS SSL certificate to a Domino Keyring File

Hi all, I had a very similar challenge: to import an existing certificate & private key (raw text in two files):

---BEGIN CERTIFICATE---

xxxxxxxx

---END CERTIFICATE---

-----BEGIN RSA PRIVATE KEY-----

xxxxxxxx

-----END RSA PRIVATE KEY-----

As I didn't find a better place to share my experience, I would like to keep it with this topic, as the challenges are very similar.

So, to make it work, I took the following steps:

1) with the help of the openssl utility (under Linux) I prepared a p12 file based on the existing text files. The command looks like:

openssl pkcs12 -export -inkey cert.key -in cert.crt -out cert.p12 -name "KeyPair"

where: cert.key is the file with the private key (BEGIN RSA PRIVATE KEY), cert.crt is the file with the cert (BEGIN CERTIFICATE), KeyPair is the label for the output key (Domino prefers such a label, but I'm not sure if it is crucial).

2) with the help of ikeyman (from gsk5) I imported the p12 key into keyfile.kyr (Domino's one) in the Personal keys part. But here I met with hang-up issues of ikeyman: ikeyman just hung during import. I killed the process and repeated the import (without deleting the temporary files generated by ikeyman). Usually it worked out on the second try. )

3) Domino's kyr file usually comes with an existing cert request (and private key). I deleted it with the help of ikeyman.

4) and that's all; these manipulations enable Domino to use the cert from the kyr file for HTTPS connections.

All manipulations were made on Win XP (virtual one).

Domino version is 9.0.1 x64 on Win 2008 sp1 r2 Std.

#41 Andres Giuffre  25/03/2014 18:10:01  Moving an IIS SSL certificate to a Domino Keyring File

Thank you very much, Mats!

I also had problems using the iKeyman, but followed your steps and now my certificate is working perfectly fine!

And thank you Gabriella, of course. Last year I installed a certificate using this post with absolute success, but now I couldn't do it with a new cert. iKeyman was driving me mad.

#42 Matt Seeberger  22/04/2014 19:49:28  Moving an IIS SSL certificate to a Domino Keyring File

Gab,

The ways in which you continue to help me are astounding! Thanks for putting this together. Our SSL Cert had expired and I was against a very tight deadline with a cert generated from IIS. I needed to inject it into the Domino keystore and this guide helped me do just that. The only issue I ran into was that I had to run the tool from a Windows XP machine because Windows 7 would not launch the tool, although I could have done something similar to Andrew.

Thanks again for this great guide!!

#43 Mats Ekman  21/10/2014 21:01:38  Moving an IIS SSL certificate to a Domino Keyring File (including SHA2)

I guess in the context of POODLE it is TLS, not SHA-2, that is critical, but anyway here is how to get SHA-2 working with Domino 9 without IBM HTTP.

{ Link }

TLS is NOT SOLVED by this, only SHA-2.

Regards

Mats
