SSL Hell

If you’re a long-time reader of this blog, you are very aware that I hate the way SSL is implemented on Domino. I mean c’mon, even the logo in the management database is still the old R5 Domino logo.

Anyway, at the day gig, we have a wildcard SSL certificate to handle multiple subdomains within our main domain. That means that each domain in the *.acme.com range uses the same SSL certificate. So X.acme.com and Y.acme.com both use the same cert. Domino handles this a little weirdly itself as you require a specific IP address for each SSL subdomain, but that’s not what I ran into this week.

What happened is that we need to use that same SSL wildcard on an IIS server. So, we simply downloaded it from our registrar and tried to install it within IIS. Problem is, it didn’t work. Searching for Google info on SSL on Domino is a little sparse, so my server admin contacted the registrar to see what they thought. They said we needed to export the certificate from Domino and then import it into IIS. For some reason, you couldn’t just install it on IIS once it was already installed previously on Domino.

So, I went to the SSL database on Domino and opened our keyring for our wildcard certificate. I looked around and couldn’t find an Export function anywhere. It doesn’t exist. In addition, Domino saves your info in a keyring file with a .KYR extension which cannot be read outside of Domino. So now I was at a loss. So once again I started googling info on this and came across this post. Kevin was exporting for use in Apache, but had come across the same problem that I just had.

He found a utility from IBM called iKeyman. This utility allows you to open a Domino .KYR file and then export it to a PKCS12 (.P12) file. Once you do that, you can use another utility called OpenSSL to convert it into whatever other formats you may need. For me, IIS was happy with just the .P12 file, so we were able to use that and didn’t need to bother with OpenSSL.
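The OpenSSL half of that procedure, as an added example that is not from this post or from Kevin's: it assumes openssl is installed, stands in a constructed self-signed *.acme.com certificate for the real iKeyman export, splits the .P12 into the PEM certificate and key that Apache-style servers want, and checks that the exported key actually belongs to the certificate before you deploy it anywhere.

```shell
#!/bin/sh
# Assumed: openssl (1.1.1 or newer) is on PATH. The wildcard.p12 built here is a
# constructed stand-in; with a real export, skip make_sample_p12 and pass the
# path and password of the file iKeyman produced.
set -eu

WORK="${TMPDIR:-/tmp}/kyr-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKCS12 with a self-signed *.acme.com cert (constructed data).
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=*.acme.com" \
    -addext "subjectAltName=DNS:*.acme.com,DNS:acme.com" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -passout pass:changeit -out "$WORK/wildcard.p12"
  echo "$WORK/wildcard.p12"
}

# Split a .p12 into out-cert.pem (leaf certificate only) and out-key.pem
# (unencrypted private key), the pair most non-IIS servers are configured with.
p12_to_pem() {
  p12="$1"; pass="$2"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$WORK/out-cert.pem"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    -out "$WORK/out-key.pem"
}

# The export is only good if the key really matches the certificate:
# compare the public key embedded in the cert with the one derived from the key.
key_matches_cert() {
  c=$(openssl x509 -in "$WORK/out-cert.pem" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$WORK/out-key.pem" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Show subject and SANs so you can confirm you exported the wildcard cert,
# not some other entry that happened to be in the keyring.
cert_names() {
  openssl x509 -in "$WORK/out-cert.pem" -noout -subject -ext subjectAltName
}

P12=$(make_sample_p12)
p12_to_pem "$P12" changeit
key_matches_cert && echo "private key matches certificate"
cert_names
```

Keep out-key.pem with restrictive permissions; the -nodes option writes it unencrypted so it can be loaded by a server without a passphrase prompt.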

So now, SSL is working on IIS and Domino. A huge thanks to Kevin for his blog post. I wanted to post as well to give a little more Google juice to SSL issues you may run into with Domino, SSL and wildcards.