Detail Instructions for SSL Install/Setup on Domino 5.x and Higher

Mindwatering Incorporated

Author: Tripp W Black

Created: 04/16/2009 at 04:09 PM


Category:
Domino Upgrades / Installations
Software (Re)Configuration

Objective:
Install SSL on Domino Internet services (HTTP, SMTP, LDAP, IMAP, POP, etc.)
Domino CA w/client X.509 Certificates is not desired/wanted as part of this project.

We are doing this the "old way".

Tasks:

1. Create a Lotus Database to manage the key ring file(s) you are going to create.
Template: Server Certificate Admin - csvr50.ntf
File Name: csrv50.nsf (can be whatever you want)

2. After creating the database, open its ACL and add the management groups with Manager access.
(e.g. LocalDomainAdmins & LocalDomainServers)

3. Create a new key ring in the new certificate database.
  • Open the application. Close the About page if presented.

4. Create the key ring, generate the certificate request, and install the resulting certificates from the Certificate Authority (CA).
  • Click the “Create Key Rings & Certificates” option in the menu on the left.
  • Click the “1. Create Key Ring” option on right.
    • In the new key ring document:
      • Under Key Ring Information:
        • Name the key ring. (Something like joshua for joshua.kyr)
        • Enter the password for keyring and confirm it again.
      • Under Key Size:
        • Change key size to 2048. (Updated 2008.)
      • Under Distinguished Name:
        • Enter the Common Name of the server. e.g. joshua or joshua.mindwatering.com
        • Enter the Organization. e.g. Mindwatering
        • Enter the OU if applicable.
        • Enter the City. e.g. Wake Forest
        • Enter the State spelled out. e.g. North Carolina
        • Enter the Country code. e.g. US
      • Click the "Create Key Ring" button.
      • Set the location of the key file.
Note: The key ring files are in your data folder. (e.g. c:\lotus\notes\data\...) Make sure you back them up when you are done creating the SSL keys.
  • Click the "View & Edit Key Rings" in the menu on the left.
    • Confirm the new key ring (e.g. keypair or joshua) is displayed.
    • If the key ring you just created is not displayed, click the "Select Key Ring to Display" button. Enter the FULL PATH to the new key ring. Click "OK" and enter the password when prompted to load the key ring.
  • Click the “Create Key Rings & Certificates” option again.
  • Click the “2. Create Certificate Request” option.
    • Under Key Ring Information:
      • Enter the Key Ring File Name.
        Note: You may have to put in the full path; try just the name of the file first.
    • Under the Certificate Request Information:
      • Leave Log Certificate Request to “Yes”.
      • Leave Method “Paste into form on CA’s site”.
    • Click the “Create Certificate Request” button.
    • In the dialog:
      • Copy the ENTIRE contents of the certificate request including the beginning and ending lines.
      • Paste the request into the CA web site, or save into a text file to send to the Certificate Authority (CA).
      • Close the request dialog.
  • Import the root certificate (CA .CER file):
    Note: This file is generally received from the CA along with the new web site certificate. (You may actually receive more than one; there is often an intermediate OU certificate as well.)
  • Click “Create Key Rings & Certificates” link again.
  • Click “3. Install Trusted Root Certificate into Key Ring” option.
    Note: If you get “Invalid / non-existing document” error, you are using the regular Notes client or you didn’t load your key ring successfully. Close the database and re-open it in the Administrator client.
    • In the dialog:
      • Under Key Ring Information:
        • Enter the full path to the key ring file.
          Note: Generally just the key ring name doesn’t work.
      • Under the Certificate Information
        • Enter the Certificate Label, which is the common name of the CA root certifier.
        • Switch the Certificate Source to “File”.
        • In the File Name field, paste the full path of the root certifier file.
        • In the File Format field, leave “Base 64 encoding” selected.
      • Click the “Merge Trusted Root Certificate into Key Ring” button.
      • Enter the key ring password when prompted.

Notes:
Once added, the certificate can be confirmed by reloading the key ring file via the “Select Key Ring to Display” button.
Repeat the "3. Install Trusted Root Certificate into Key Ring" steps for each intermediate OU certificate if you have them.

  • Import the server certificate (e.g. joshua.mindwatering.com):
  • Click “Create Key Rings & Certificates” menu link again.
  • Click “4. Install Certificate into Key Ring” option.
    Note: If you get “Invalid / non-existing document” error, you are using the regular Notes client or you didn’t load your key ring successfully. Close the database and re-open it in the Administrator client.
    • In the dialog:
      • Under Key Ring Information:
        • Enter the full path to the key ring file.
          Note: Generally just the key ring name doesn’t work.
      • Under the Certificate Information
        • Leave Certificate Source set to “Clipboard”.
        • In the Certificate from Clipboard field, paste the certificate including the beginning and ending lines.
      • Click the “Merge Certificate into Key Ring” button.
      • Enter the key ring password when prompted.

Notes:
Back up the key ring files. You have now completed the SSL request and import task.
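Before pasting a root, intermediate or server certificate into the dialogs in steps 3 and 4, it is worth confirming that the copied text is complete, since a paste that lost its last lines or one of the BEGIN/END markers is a common reason a merge into the key ring fails. The following Python script is an added example, not part of the original page and not Domino's own code: it checks the BEGIN/END lines, that the body is valid base64, and that the length claimed by the outer DER SEQUENCE header agrees with the number of bytes actually present. The two DER blobs at the bottom are constructed samples for exercising the check, not real certificates.

```python
"""Sanity-check a PEM block before pasting it into the Domino key ring dialogs.

Added example, not part of the original page or of Domino. A paste that lost
its last lines or one of the BEGIN/END markers is a common reason a merge
into the key ring fails, and this catches it before the dialog does.
"""
import base64
import binascii
import re

# Matches one PEM block; labels such as CERTIFICATE or NEW CERTIFICATE REQUEST.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)


def der_total_length(der: bytes) -> int:
    """Total length (tag + length bytes + content) that the outer DER
    SEQUENCE header claims; certificates and CSRs both start with one."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str) -> dict:
    """Return {'label': ..., 'ok': bool, 'problem': str or None}."""
    m = _PEM_RE.search(text)
    if not m:
        return {"label": None, "ok": False, "problem": "missing BEGIN/END lines"}
    begin, body, end = m.group(1), m.group(2), m.group(3)
    if begin != end:
        return {"label": begin, "ok": False, "problem": "BEGIN/END labels differ"}
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return {"label": begin, "ok": False, "problem": "body is not valid base64"}
    try:
        claimed = der_total_length(der)
    except ValueError as err:
        return {"label": begin, "ok": False, "problem": str(err)}
    if claimed != len(der):
        return {"label": begin, "ok": False,
                "problem": f"truncated: header claims {claimed} bytes, got {len(der)}"}
    return {"label": begin, "ok": True, "problem": None}


def to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes as a PEM block (64-character lines); used for the samples."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample DER, not a real certificate: SEQUENCE { INTEGER 1, NULL }.
SAMPLE_DER_SHORT = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
# Constructed sample exercising the long-form length: SEQUENCE { OCTET STRING[128] }.
SAMPLE_DER_LONG = b"\x30\x81\x83" + b"\x04\x81\x80" + b"\x00" * 128


if __name__ == "__main__":
    import sys
    result = check_pem(sys.stdin.read())
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Pipe the text you are about to paste into the script (for example from a saved .cer or request file); a non-zero exit with a "truncated" message means the copy is short and should be redone before merging.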

5. Copy the SSL key files to the server.
  • Locate the key ring SSL files. They have two extensions: .kyr and .sth. One is the key and the other is a special hash file.
  • Back these up.
  • Copy them to the Server's data folder. (e.g. /local/notesdata or \lotus\domino\data).

6. Update the server configuration document(s) to activate the new SSL key.
  • Open up the Server document of the server hosting the web site (or other Internet protocol to be encrypted).
  • Click the "Edit Server" button.
  • Click the Ports --> Internet Ports tabs.
    • Under the SSL Settings:
      • Under the Web tab:
        • Enable the SSL port. To force all web traffic to SSL, change the TCP/IP port status (under port 80) from Enabled to Redirect to SSL.
      • Under the Directory tab (contains LDAP):
        • Enable the SSL port as desired. Redirect to SSL as desired.
      • Under the Mail tab (which contains SMTP, POP, and IMAP):
        • Enable the SSL ports applicable. Redirect to SSL as desired.
        • Note: SMTP has separate settings for incoming and outgoing.
    • If NOT using Internet Site documents:
      • Still on Ports --> Internet Ports tabs
        • For the SSL key file name field, confirm/change the key file name. (e.g. joshua.kyr)
      • Click Web tab:
      • Under SSL Security:
        • Remove (uncheck) the RC4 encryption with 40-bit key and MD5 MAC option.
  • Click the Internet Protocols --> Domino Web Engine tabs.
    • Under Generating References:
      • Change the Protocol field from http to “https”.
      • Change the Host name field to the FQDN that matches the SSL key.
      • Change the port number field to 443.
  • Click the "Save and Close" button.

If you use Internet Site documents:
  • Locate the Internet Site document(s) for the domain name/SSL certificate (e.g. a Web Site document).
  • Open the Internet Site document.
  • Click the "Edit Web Site" button (if a web site document).
  • Click the Domino Web Engine tab.
    • Under HTTP Sessions:
      • Change Force Login on SSL field to "Yes" if desired.
  • Click the Security tab.
    • Under SSL Options:
      • For the key file name field, confirm/change the key file name. (e.g. joshua.kyr)
    • Under SSL Security:
      • Remove (uncheck) the RC4 encryption with 40-bit key and MD5 MAC option.
  • Click the "Save and Close" button.

7. Restart the HTTP task.
  • Open the server console (Configuration --> Server tab in the Administration Client).
  • Issue the following commands:
    • Restart task http - restarts the task so it picks up the new configuration.
    • Tell http sh security - verifies that SSL is ready. It will probably report not loaded, since no one has requested an SSL page yet.

8. Open a web page.
  • Load a web page within a browser to test the new configuration.
    Note: A good option is the Domino Directory. e.g. http://joshua.mindwatering.com/names.nsf
  • Confirm the browser SSL lock is displayed.
  • If the browser shows a certificate warning dialog, check which issue(s) apply:
    • Not Trusted - Did you self-certify? If so, ignore this or push the CA down via policy.
    • Wrong server address - Did you type the correct domain name? The name typed in the URL must match the name(s) on the certificate.
    • Expired or not yet valid - Did you forget to copy the files? Are the certificates valid?
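The three checks in step 8 can also be run as a script from an administrator's workstation instead of reading the browser dialog. The following Python is an added example, not from the original page and not Domino's own tooling: diagnose() classifies a certificate in the form returned by ssl.getpeercert() as matching or not matching the requested hostname, expired, or not yet valid, and check_server() makes the live connection with the platform trust store and reports a rejected chain (a self-certified key ring or a missing intermediate) as "Not Trusted". The hostname joshua.mindwatering.com comes from the page; the SAMPLE_CERT dictionary is constructed sample data, not a real certificate.

```python
"""Check a Domino SSL endpoint for the step-8 browser complaints.

Added example, not from the page or from Domino. Run it from an admin
workstation:  python check_ssl.py joshua.mindwatering.com
"""
import socket
import ssl
import sys
import time

# OpenSSL X509_V_ERR codes carried in ssl.SSLCertVerificationError.verify_code
# (9 = certificate not yet valid, 10 = certificate has expired); anything else
# means the chain itself was not accepted by the local trust store.
_VERIFY_ERRORS = {9: "Not yet valid", 10: "Expired"}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a leading '*.' wildcard covering exactly one label
    (*.mindwatering.com matches joshua.mindwatering.com, but neither
    a.b.mindwatering.com nor mindwatering.com itself)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                              # ".mindwatering.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return pattern == hostname


def certificate_names(cert: dict) -> list:
    """Names the certificate is valid for: subjectAltName DNS entries, falling
    back to the subject commonName when there is no SAN (older CAs)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return names


def diagnose(cert: dict, hostname: str, now: float = None) -> list:
    """Issues for a cert dict shaped like ssl.SSLSocket.getpeercert() output.
    Trust is not judged here; check_server() gets that from the handshake."""
    now = time.time() if now is None else now
    issues = []
    if not any(dns_name_matches(n, hostname) for n in certificate_names(cert)):
        issues.append("Wrong server address")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        issues.append("Not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        issues.append("Expired")
    return issues


def check_server(hostname: str, port: int = 443, timeout: float = 5.0) -> list:
    """Connect using the platform trust store and report what a browser would.
    A rejected chain (self-certified root, intermediate missing from the key
    ring) comes back as 'Not Trusted'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # hostname is judged by diagnose() instead
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return diagnose(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        return [_VERIFY_ERRORS.get(err.verify_code, "Not Trusted")]


# Constructed sample in getpeercert() format, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Mindwatering"),),
                (("commonName", "joshua.mindwatering.com"),)),
    "subjectAltName": (("DNS", "joshua.mindwatering.com"),
                       ("DNS", "www.mindwatering.com")),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Dec 31 23:59:59 2009 GMT",
}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "joshua.mindwatering.com"
    found = check_server(host)
    print(f"{host}: {', '.join(found) if found else 'SSL OK'}")
```

Because check_server() keeps verify_mode at CERT_REQUIRED, an untrusted chain is reported the same way a browser would report it even when the hostname and dates are fine; a key ring that was self-certified will show up as "Not Trusted" on every workstation that has not had the CA pushed down via policy.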

