Creating Self-Certified SSL Certificates Valid Longer Than One Year

Author: Thomas Bahn
Location: Kiel (Schwentinental)
URL: https://www.assono.de/blog/d6plinks/Creating-Self-Certified-SSL-Certificates-Valid-Longer-Than-One-Year

Categories: Administration, Lotus Domino, Lotus Notes Traveler

Creating SSL certificates for Domino Web servers is easy, especially for self-certified certificates:
  • Create a database from the "StdNotes50SSLAdmin" template (certsrv.ntf),
  • open it,
  • click on "Create Key Ring with Self-Certified Certificate",
  • fill out the form,
  • copy the created files to the Domino server and
  • finally update the server document to point to your files.
That's it. Self-certified SSL certificates are cheap (no cost besides your time), but they cannot be verified against the known and trusted root certificates of companies like Verisign.

Therefore, these certificates are most often used for internal Web servers only, but with Lotus Notes Traveler they have seen a renaissance.

But there is one problem: these certificates are valid for only one year from the date of their creation, with no configuration option to change this and no way to extend the validity of existing ones.
This means that if you use a self-certified SSL certificate for your Lotus Notes Traveler server, you have to replace it year after year, and every Traveler user gets a warning each time.

But as (nearly) always with Lotus Notes and Domino, there is a way to accomplish this task...

When you look at the code behind the "Create Key Ring with Self-Certified Certificate" button in the "CertAdminCreateKeyringWithSelfCert" form, you'll find that the critical piece of code is hidden in a C function called ProcessSecurityCmd in the dmsecadm.dll:
[Image: "CertAdminCreateKeyringWithSelfCert" form with button]

Declare Function ProcessSecurityCmd Lib "_dmsecadm" (Byval cmdName As String, Byval cmdArgs As Lmbcs String, Byval OutBuf As String, Byval szOutBuf As Integer) As Integer

I haven't found any documentation about this function, not even about this dll file.

All arguments for this function are collected into one string: cmdArgs. After a deep dive into the DLL file with the strings tool, I found a good candidate for a parameter that could be used to set the validity of the certificate in days: ValidDays

Thus I simply tried adding this parameter to the cmdArgs string:
[Image: Modification of the button's code]

I added the following code just below the initialization of cmdArgs:
'<modified author="Thomas Bahn <tbahn@assono.de>" timestamp="2012-07-31"
'      description="change how long the certificate is valid (in days); 7305 means: 20 years">
CmdArgs = CmdArgs & "ValidDays=7305;"

For testing, I just set the validity to 7305 days, that's 20 years. But you could easily add a field to the form and use its current value instead.
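As an added example (not code from the post or from the template), here is that variant: the validity is read from a form field, checked, and only then appended to cmdArgs. The field name "ValidDays" on the form is an assumption; that ProcessSecurityCmd honours a ValidDays argument is what the post found.

```lotusscript
' Added example, not part of the original button code.
' Assumes the form carries a text field named "ValidDays" (assumed name).

' Returns the "ValidDays=<n>;" fragment for cmdArgs, or "" when the
' input is empty or not an acceptable number of days.
Function BuildValidDaysArg(validDaysText As String) As String
    Dim txt As String
    Dim days As Long
    BuildValidDaysArg = ""
    txt = Trim$(validDaysText)
    If txt = "" Then Exit Function    ' empty field: keep the template's default of one year
    If Not IsNumeric(txt) Then
        MessageBox "ValidDays must be a whole number of days.", 16, "Key Ring"
        Exit Function
    End If
    days = CLng(txt)
    ' Sanity limits: at least one day, at most the 7305 days (20 years) used in the post.
    ' A shorter lifetime limits the damage if the private key ever leaks, so treat the
    ' upper bound as a ceiling, not a recommendation.
    If days < 1 Or days > 7305 Then
        MessageBox "ValidDays must be between 1 and 7305.", 16, "Key Ring"
        Exit Function
    End If
    BuildValidDaysArg = "ValidDays=" & CStr(days) & ";"
End Function

' Call this in the button right after cmdArgs has been initialized.
' cmdArgs is passed ByRef (the LotusScript default), so the caller's string is updated.
Sub AppendValidDays(cmdArgs As String)
    Dim ws As New NotesUIWorkspace
    Dim uidoc As NotesUIDocument
    Dim fragment As String
    Set uidoc = ws.CurrentDocument
    fragment = BuildValidDaysArg(uidoc.FieldGetText("ValidDays"))
    If fragment = "" Then Exit Sub
    cmdArgs = cmdArgs & fragment
End Sub
```

Whatever value ends up in cmdArgs, confirm it the way the post does: open the KeyPair document in the key ring rather than trusting the end date the dialog shows.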

Then I created a new key ring:
[Screenshot]

The end date shown in the dialog box is misleading: it is always one year from today (its value formula is @Adjust( @Today;1;0;0;0;0;0)), regardless of the ValidDays value:
[Screenshot]

To check the created certificate, navigate to "View & Edit Key Rings",
[Screenshot]

click on "Select Key Ring to Display",
[Screenshot]

enter the file name of your key ring file,
[Screenshot]

enter the password and
[Screenshot]

open the Site Certificates - KeyPair document.
[Screenshot]

Now you can verify that the certificate is valid for 20 years:
[Screenshot]


#1 super thx.
#2 Great hack.
Thanks for sharing it
#3 This works too. { Link }

Two more notes:
On my system (Domino 8.5.x) the "StdNotes50SSLAdmin" template is not in "certsrv.ntf" but in "csrv50.ntf".
And for all those who don't want to modify any code, an alternative route to a self-signed certificate valid for more than one year is "the long way" with your own Domino CA ("Domino Certificate Authority (6)", cca50.ntf) and the "Server Certificate Admin" mentioned above (for me, as said, csrv50.ntf).
#4 Great, thanks!

Here is also the option to create the key with 2048 bits:
{ Link }
#5 Thanks for the tip!
With the following refinement you get certificates that are also accepted by IE 9:
{ Link }
#6 This, with 2048 size, looks great; will try it soon.

Is it possible for you to fix the images in this great article?
#7 Thanks, tixo.

What do you mean about fixing the images? I still see them in IE, FF and Chrome.
#8 Very good hack!

Thank you very much!!

#9 Thanks,
but I can't see any pictures on this page.
Please send this document as PDF or MS Word to the email pts4223@gmail.com
#10 Thank you, Ken, for your comment. In the German version of this blog entry, the images were visible, but not in the English version. Repaired!
#11 The pictures are still broken in the English version.
#12 Thank you, Mike, for bringing it to my attention. I'm sure, I've "repaired" it once, but somehow the images were "lost" again?!?

Now they are shown (again).
#13 Many thanks, also to Christoph Stoettner. This just helped me a lot!
#15 I have just done as you describe, but it seems it does not work. The end date is still one year after the start date!
#16 Sorry, but it worked as shown. As stated above, the dialog box doesn't tell you the truth; you have to open the certificate from the key ring.

But: self-certified certificates aren't accepted anymore for a lot of use cases. Think about using "real" certificates. Did you hear about the Let's Encrypt campaign, for example?
