Monday, September 15, 2008

SSL and Quickr Using Network Solutions

Edit Update 7:30PM 9/15/2008:
IBM Support replied to my questions and I wanted to share it with you.

"You're correct in that the order of installation of the certificates is important and can be confusing if (a) the CA uses multiple trusted root certificates and (b) the CA does not document well which order the certificates need to be installed.

Regarding your blog entry on Domino's selection of which CA's trusted root certificates are included, I spoke with our L3 team about this issue. They stated that they regularly check which CA's are the most popular ones among both our customers and the public in general and use this information when deciding upon which CA's trusted root certificates will be automatically included with Domino. As you know, Network Solutions' trusted root certificates are not currently included in the creation of new SSL keyring files in Domino. Because of this, I have created SPR TJOR7JHSQL to request that its trusted root certificates be included in future releases of Domino as an enhancement."

Thanks team IBM and Lotus Support for helping on this and saving me one less headache, hopefully in R8.5 and beyond.
==========

What would normally be a simple SSL setup turned into a couple of hours of pain for me; the client is happy, of course.

I will not rewrite the help docs on how to set up SSL, but the problem stems from using a vendor not listed in the certsrv.nsf file.

Why, after all these years, Lotus hasn't included some more mainstream vendors I can't tell you. They have quite a few listed; evidently Network Solutions (NS) just doesn't come up much.

Requested the certs from NS and then the problem started. Never seen 4 certificates returned. 1 is the domain, easy enough. The other 3? Who knows what order or if they are all needed.

Bottom line is that phone support from NS resolved it. The online documentation was not very good, which is why this post is out there. I could save it for SnTT but no, I want to help people sooner rather than later with this one.

The proper order to install the certs is:
AddTrustExternalCARoot.crt
UTNAddTrustServer_CA.crt
NetworkSolutions_CA.crt
yourdomain.com.crt

Add the first 3 individually, naming them Network Solutions #1, #2 and #3 as you add them.
The domain certificate gets added last, in Step 4 of the certsrv file.

Reload HTTP and it should be fine, provided you have already set everything up according to the documentation.
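When a CA returns several certificates with no documented order, the root-first order can be worked out from each file's subject and issuer. The following is an added example, not code from the original post, IBM or Network Solutions; the file names come from the post, while the distinguished names are constructed placeholders wired to match the order given above.

```python
# Added example: work out root-first install order for a CA bundle.
# Matches issuer to subject by name only; it does not verify signatures.

def parse_names(text):
    """Parse output of: openssl x509 -in FILE -noout -subject -issuer"""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    return fields["subject"].strip(), fields["issuer"].strip()

def install_order(certs, leaf):
    """certs: {filename: (subject, issuer)}; leaf: the server cert's filename.
    Returns (order, unused): chain root-first ending at leaf, plus files
    that are not part of the leaf's chain."""
    by_subject = {}
    for name, (subject, _issuer) in certs.items():
        if subject in by_subject:  # e.g. cross-signed CAs: resolve by hand
            raise ValueError(f"{name} and {by_subject[subject]} share a subject")
        by_subject[subject] = name
    chain = [leaf]
    subject, issuer = certs[leaf]
    while subject != issuer:  # a self-signed certificate ends the chain
        parent = by_subject.get(issuer)
        if parent is None:
            raise ValueError(f"no file supplied for issuer {issuer!r}")
        if parent in chain:
            raise ValueError(f"issuer loop at {parent}")
        chain.append(parent)
        subject, issuer = certs[parent]
    return chain[::-1], sorted(set(certs) - set(chain))

# Constructed sample: file names from the post, placeholder DNs.
SAMPLE = {
    "NetworkSolutions_CA.crt":
        parse_names("subject=CN = Placeholder CA 3\nissuer=CN = Placeholder CA 2"),
    "yourdomain.com.crt":
        parse_names("subject=CN = yourdomain.com\nissuer=CN = Placeholder CA 3"),
    "AddTrustExternalCARoot.crt":
        parse_names("subject=CN = Placeholder CA 1\nissuer=CN = Placeholder CA 1"),
    "UTNAddTrustServer_CA.crt":
        parse_names("subject=CN = Placeholder CA 2\nissuer=CN = Placeholder CA 1"),
}

if __name__ == "__main__":
    order, unused = install_order(SAMPLE, "yourdomain.com.crt")
    for step, name in enumerate(order, 1):
        print(step, name)
    print("not in chain:", unused)
```

A missing intermediate raises an error naming the issuer that has no file, and any file that is not part of the server certificate's chain is reported as unused.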

And lest I forget, contrary to what you might expect, you must select Anonymous under the SSL settings so that the Quickr logo files in the /qphtml/html/login directory can be displayed on the Login page.

Think you have a secure server, Anonymous is set to Yes