SSL Hell
If you’re a long-time reader of this blog, you are very aware that I hate the way SSL is implemented on Domino. I mean c’mon, even the logo in the management database is still the old R5 Domino logo.
Anyway, at the day gig, we have a wildcard SSL certificate to handle multiple subdomains within our main domain. That means that every host in the *.acme.com range uses the same SSL certificate, so X.acme.com and Y.acme.com share one cert. Domino itself handles this a little weirdly, since it requires a dedicated IP address for each SSL subdomain, but that’s not what I ran into this week.
What happened is that we needed to use that same SSL wildcard on an IIS server. So, we simply downloaded it from our registrar and tried to install it within IIS. Problem is, it didn’t work. Google results for SSL on Domino are a little sparse, so my server admin contacted the registrar to see what they thought. They said we needed to export the certificate from Domino and then import it into IIS. For some reason, you couldn’t just install it on IIS once it had already been installed on Domino.
So, I went to the SSL database on Domino and opened the keyring for our wildcard certificate. I looked around and couldn’t find an Export function anywhere. It doesn’t exist. In addition, Domino saves your info in a keyring file with a .KYR extension, which cannot be read outside of Domino. So now I was at a loss. Once again I started googling and came across this post. Kevin was exporting for use in Apache, but had run into the same problem that I just had.
He found a utility from IBM called iKeyman. This utility allows you to open a Domino .KYR file and then export it to a PKCS12 (.P12) file. Once you have that, you can use another utility called OpenSSL to convert it into whatever other formats you may need. For me, IIS was happy with just the .P12 file, so we were able to use that and didn’t need to bother with OpenSSL.
So now SSL is working on both IIS and Domino. A huge thanks to Kevin for his blog post. I wanted to post as well to give a little more Google juice to the SSL issues you may run into with Domino, SSL and wildcards.
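As an added example (not from this post, IBM or OpenSSL), here is the OpenSSL step Kevin needed for Apache, plus two checks worth running on any .P12 that iKeyman hands you. It assumes the openssl command-line tool is installed; file names and the password are placeholders.

```shell
#!/bin/sh
# Hypothetical helper for a PKCS12 (.p12) exported from a Domino .KYR by iKeyman.
# Assumes the OpenSSL CLI is on PATH; all file names and passwords are placeholders.
set -eu

# Split the .p12 into a PEM certificate and a PEM private key (what Apache wants).
# Usage: p12_to_pem bundle.p12 password cert.pem key.pem
p12_to_pem() {
    # If an OpenSSL 3 build rejects an iKeyman bundle as "unsupported" (older
    # RC2/3DES encryption), add '-legacy' to both commands to load the legacy provider.
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4"
}

# Succeeds only if the private key really belongs to the certificate:
# the public key embedded in the cert must equal the one derived from the key.
# Usage: cert_matches_key cert.pem key.pem
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is valid for the given host name.
# A wildcard matches exactly one label: *.acme.com covers x.acme.com but
# neither acme.com itself nor a.b.acme.com, and OpenSSL's matcher enforces that.
# Usage: cert_covers_host cert.pem x.acme.com
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 \
        | grep -q " does match certificate"
}

# Example run with placeholder names; uncomment to use:
# p12_to_pem wildcard.p12 secret wildcard.crt wildcard.key
# cert_matches_key wildcard.crt wildcard.key && echo "key matches certificate"
# cert_covers_host wildcard.crt x.acme.com && echo "covers x.acme.com"
```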
John James
August 10, 2011 @ 7:16 pm
Did you know that most registrars can produce a duplicate certificate for you? Saving you the trouble of exporting?
John Roling
August 10, 2011 @ 8:07 pm
That didn’t work unfortunately. We downloaded it and it just wouldn’t work correctly until we did an actual export. Doesn’t make any sense I know, but that’s the way it worked out.
Fred Janssen
August 11, 2011 @ 7:20 am
iKeyMan is a bit of hell in itself.
Newer versions don’t seem to know about the Domino keyrings.
The older version (5) doesn’t run on anything above XP.
Also (as I found out yesterday) the keyring & certificates need to be on the same drive as iKeyman itself.
I tried running iKeyman from a virtual XP box, running on my Win7 laptop system, trying to access the keyring & certificates on a mapped drive (on the same Win7 laptop). The keyring opened successfully, but iKeyMan didn’t want to add the certificate (which was in .p12 format) until I moved everything into the virtual XP box.