02.08.2012

Creating Self-Certified SSL Certificates Valid Longer Than One Year

>>Author:   Thomas Bahn
>>Location: Kiel (Schwentinental)
        
URL: http://www.assono.de/blog/d6plinks/Creating-Self-Certified-SSL-Certificates-Valid-Longer-Than-One-Year

Category: Administration, Lotus Domino, Lotus Notes Traveler

Creating SSL certificates for Domino Web servers is easy, especially for self-certified certificates:
  • Create a database from the "StdNotes50SSLAdmin" template (certsrv.ntf),
  • open it,
  • click on "Create Key Ring with Self-Certified Certificate",
  • fill out the form,
  • copy the created files to the Domino server and
  • finally update the server document to point to your files.
That's it. Self-certified SSL certificates are cheap (no cost beyond your time), but clients cannot validate them against the trusted root certificates of commercial CAs like Verisign, so every client has to trust the certificate explicitly.

Therefore, this kind of SSL certificate is most often used only for internal Web servers, but with Lotus Notes Traveler these certificates have seen a renaissance.

But there is one problem: these certificates are valid for only one year from the date of their creation, with no configuration option to change this and no way to extend the validity of existing ones.
This means that if you use a self-certified SSL certificate for your Lotus Notes Traveler server, you have to replace it every year, and each Traveler user gets a warning every time.

But as (nearly) always with Lotus Notes and Domino, there is a way to accomplish this task...

When you look at the code behind the "Create Key Ring with Self-Certified Certificate" button in the "CertAdminCreateKeyringWithSelfCert" form, you'll find that the critical piece of code is hidden in a C function called ProcessSecurityCmd in the dmsecadm.dll:
 

"CertAdminCreateKeyringWithSelfCert" form with button


' Declared in the "CertAdminCreateKeyringWithSelfCert" form; the leading underscore in the Lib name
' is the platform-independent way of naming dmsecadm.dll. All parameters travel in the single cmdArgs string.
Declare Function ProcessSecurityCmd Lib "_dmsecadm" (Byval cmdName As String, Byval cmdArgs As Lmbcs String, Byval OutBuf As String, Byval szOutBuf As Integer) As Integer

I haven't found any documentation for this function, or even for the DLL itself.

All arguments for this function are collected into one string, cmdArgs. After dumping the printable strings in the DLL file (with the Strings tool) I found a good candidate for a parameter that could set the validity of the certificate in days: ValidDays

Thus I simply tried to add this parameter to the cmdArgs string:
 

Modification of the button's code


I added the following code just below the initialization of cmdArgs (the parameters are "name=value;" pairs, so the new one is simply appended):
'<modified author="Thomas Bahn <tbahn@assono.de>" timestamp="2012-07-31"
'      description="change how long the certificate is valid (in days); 7305 means: 20 years">
CmdArgs = CmdArgs & "ValidDays=7305;"
'</modified>

For testing, I simply set the validity to 7305 days, that is 20 years. You could easily add a field to the form and use its current value instead. Keep in mind that a self-certified certificate cannot be revoked, since there is no CA behind it to publish a CRL or OCSP response: a 20-year certificate also means 20 years in which a leaked key ring file stays usable, so the key ring file and its password need to be protected accordingly.

Then I created a new key ring:
 


The end date shown in the dialog box is misleading: it is always one year from today, because the field is computed by the formula @Adjust(@Today; 1; 0; 0; 0; 0; 0) and does not reflect the ValidDays value actually passed to the DLL:
 


To check the created certificate:
  • navigate to "View & Edit Key Rings",
  • click on "Select Key Ring to Display",
  • enter the file name of your key ring file,
  • enter the password and
  • open the Site Certificates - KeyPair document.

Now you can verify that the certificate is valid for 20 years:
 


Comments

#1 super thx.
#2 Great hack.
Thanks for sharing it
#3 This works too. { Link }

Two more remarks:
On my system (Domino 8.5.x) the "StdNotes50SSLAdmin" template is not in "certsrv.ntf" but in "csrv50.ntf".
And for everyone who does not want to modify code, an alternative route to a self-signed certificate valid for more than one year is "the long way" with your own Domino CA ("Domino Certificate Authority (6)", cca50.ntf) and the "Server Certificate Admin" mentioned above (in my case, as said, csrv50.ntf).
#4 Great, thanks!

Here is also how to create the key with 2048 bits:
{ Link }

Regards
Christoph
#5 Thanks for the tip!
With the following refinement you get certificates that are also accepted by IE 9:
{ Link }
