Thursday, May 25, 2017

SnTT - Wildcard SSL Certs and Domino.... needs 32-bit Windows?

This post is for me, and you, to make life easy. 

Some of you out there are only now adding SSL certificates to your servers (I know, because you are asking me to help you), and so I present today's Show n Tell Thursday post.

There are already some excellent posts on SSL and Domino from Gab Davis, Mats Ekman, and Sean Cull; IBM's documentation is a bit lacking for this use case, so I will not point you to it.
EDIT: Jared Roberts, also a fellow IBM Champion, wrote an excellent post on the wildcard case and you should go use his; it is found here. (My blog post was written over a few months, so I had missed Jared's post.)

I used Gab's post a few times over the last few months, always where the customer had a stand-alone (individual server) SSL certificate. You can't really mess that up (well, you could typo the syntax), and her post is the easiest way to get it done. Thank you, Gab!

A wildcard SSL certificate is a little different, however, and that is where Mats' and Sean's posts were very helpful; I am borrowing from them and adding my 2 cents.

Along the way of following their posts, I found that the tool IBM requires (the KYRTool, below) only runs in a 32-bit Windows environment. Let's just say that were it not for my TV PC, I would have had to create a VM just to run this tool.

You have been warned.

Everything else runs on 64-bit, and you will need your Domino server and your Admin Client accessible.
EDIT from Chuck's comment below: you should be using at least a 9.0.1 FP6 Notes client; not necessarily an Admin client, but you may find it easier to use one.

This is how to get a wildcard 4096-bit certificate, issued by a registrar as a .PFX file (along with the .CSR you submitted), into Domino. (Always make sure you get the password protecting the .PFX and its key; you WILL need it.)

What do you do with a .PFX file? You convert it into a .PEM file using OpenSSL.
EDITED FEB 9, 2022 (after a prior update of Nov 30, 2017) NOTE: if you have a .pfx file, an IBM/HCL technote makes this much easier than the steps below, but I will leave them all here for those who want to know more. Thanks, Ted H., for the link.

What? Why? Never mind that now; the steps to do the magic are below:

1) Download the OpenSSL software (taken from Mats' post)
Easy precompiled:
The one Mats used:
NOTE: These are direct links, so if they don't work, go to the main download page for the 32- and 64-bit builds.

2) Download the KYRTool (again taken from Mats' post)
Fixcentral short:
Fixcentral long:

3) Install OpenSSL into its own directory (include the binaries)

4) Go to C:\OpenSSL-Win64\bin and run openssl.exe with no arguments. That opens the interactive OpenSSL> prompt, which is where you type the command in the next step. (This took me a while to figure out, you are welcome.)

5) At that OpenSSL> prompt, type the following as one line (no leading "openssl", you are already inside it; quote the paths because they contain spaces):

    pkcs12 -in "C:\location of mypfxfiles\wildcard_company_com.pfx" -out "C:\somelocation\wildcard_company_com.pem" -nodes -chain

OpenSSL asks for the Import Password; that is the .PFX password you were told to keep. Two things to know about the result: -nodes writes the private key into the .PEM unencrypted, so treat that file like the key itself and delete it once the KYRTool has imported it; and -chain only matters when exporting a .PFX, so it is ignored here and the .PEM simply contains the key plus every certificate that was in the .PFX.

Remember, Domino requires both the .KYR file and the .STH file to be placed inside the \Domino\data directory. The .STH is the stash file that holds the keyring password, so protect it exactly like the key itself.
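Here is the whole conversion as an added worked example (my script, not code from this post, from Mats', Sean's or Jared's posts, or from IBM): a POSIX shell script that runs the same openssl parse, then reorders the output into the order the KYRTool's "import all" documentation asks for (private key, server certificate, intermediates, root), and checks that the key really belongs to the certificate before you hand the file to the KYRTool. It assumes openssl is on the PATH (run it under Git Bash or WSL on the Windows box, or on any Linux host), that the .PFX password is supplied in a PFX_PASS environment variable, and that all file names and paths are placeholders; the kyrtool lines at the bottom are comments because that tool only exists next to a Notes client.

```shell
#!/bin/sh
# Added example, not from the post: turn a wildcard .pfx into the single PEM file that
# kyrtool "import all" wants, ordered key -> server cert -> intermediates -> root.
# Assumptions: openssl is on PATH; the PFX password is in $PFX_PASS (so it never lands
# in shell history); every file name below is a placeholder.
set -eu
umask 077   # every file written here holds a private key, so make them owner-only

# pfx_to_pem IN.pfx OUT.pem
# The same parse the post does at the OpenSSL> prompt. -nodes writes the key UNENCRYPTED.
# -chain is left out: it only applies when exporting a .pfx and is ignored when parsing.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -out "$2" -nodes -passin env:PFX_PASS
}

# order_chain IN.pem OUT.pem
# The parse output lists certificates in whatever order the PFX stored them. Rebuild the
# file as: private key, leaf (the cert that issued nothing else in the bundle), then
# follow issuer links upward until the self-signed root.
order_chain() {
  in=$1 out=$2
  tmp=$(mktemp -d)
  # split each CERTIFICATE block into its own file, dropping the "Bag Attributes" noise
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert." n }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$in"
  # index lines: file subject_hash issuer_hash
  for c in "$tmp"/cert.*; do
    printf '%s %s %s\n' "$c" \
      "$(openssl x509 -in "$c" -noout -subject_hash)" \
      "$(openssl x509 -in "$c" -noout -issuer_hash)"
  done > "$tmp/index"
  leaf=
  while read -r f s i; do
    # leaf = no OTHER cert in the bundle names this subject as its issuer
    if ! awk -v s="$s" -v f="$f" '$1 != f && $3 == s { hit = 1 } END { exit !hit }' "$tmp/index"; then
      leaf=$f; break
    fi
  done < "$tmp/index"
  [ -n "$leaf" ] || { echo "order_chain: no leaf certificate in $in" >&2; rm -rf "$tmp"; return 1; }
  openssl pkey -in "$in" -out "$out"          # private key first (pkey skips the cert blocks)
  cur=$leaf
  while [ -n "$cur" ]; do
    cat "$cur" >> "$out"
    s=$(awk -v f="$cur" '$1 == f { print $2 }' "$tmp/index")
    i=$(awk -v f="$cur" '$1 == f { print $3 }' "$tmp/index")
    [ "$s" != "$i" ] || break                 # self-signed: that was the root, stop
    cur=$(awk -v i="$i" '$2 == i { print $1; exit }' "$tmp/index")   # empty if chain is incomplete
  done
  rm -rf "$tmp"
}

# check_pem ORDERED.pem
# Refuses a file whose key does not belong to the first certificate, then prints the
# subject, the SAN entries (the wildcard should show up here) and the key size.
check_pem() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ] || { echo "check_pem: private key does not match the first certificate in $1" >&2; return 1; }
  openssl x509 -in "$1" -noout -text | grep -E 'Subject:|DNS:|Public-Key:'
}

# Usage: PFX_PASS='the pfx password' sh pfx2kyr.sh wildcard_company_com.pfx wildcard_company_com.pem
if [ "$#" -eq 2 ]; then
  pfx_to_pem "$1" "$2.raw"
  order_chain "$2.raw" "$2"
  rm -f "$2.raw"
  check_pem "$2"
fi

# Then, on the Windows box that has the Notes client and kyrtool (paths are my assumptions;
# create, import all and show are kyrtool's documented verbs):
#   kyrtool =C:\notes\notes.ini create -k C:\keys\wildcard.kyr -p <keyring password>
#   kyrtool =C:\notes\notes.ini import all -k C:\keys\wildcard.kyr -i wildcard_company_com.pem
#   kyrtool =C:\notes\notes.ini show certs -k C:\keys\wildcard.kyr
# and copy the resulting .kyr and .sth into the Domino data directory, then delete the .pem.
```

The leaf is found structurally (the one certificate nobody else in the bundle claims as issuer) rather than by file position, so it does not matter whether the registrar packed the root first or last; if an intermediate is missing from the .PFX the walk simply stops early and "show certs" in kyrtool will make the gap obvious.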

As always have fun, ask for help when you need it and don't give up, as you can see, many of us have been in your shoes before.
