26.06.2009
SSL Certificate with 2048 key length on a Domino 7.0.3
Author: Bernd Hort
Location: Hamburg
URL: http://www.assono.de/blog/d6plinks/SSL-With-2048-Keylength
Category: Lotus Domino, Administration, Web Development
Lately I had to set up an Extended Validation SSL Certificate on a Domino 7.0.3 server. You know, that kind of SSL certificate which lets the address bar of the browser glow in this friendly green. I just created the "Server Certificate Admin" database on the server, generated a new key and went to the website of the service provider to apply for the certification. (Andrew Pollack has a nice presentation "Creating an SSL Certificate for IBM Lotus Domino" in his blog.)
To my surprise the service provider refused it with a cryptic error message. After contacting support I found out where the problem was.
An EV-SSL certificate needs a key length of 2048. Unfortunately the only choices in the "Server Certificate Admin" database on Domino 7.0.3 while creating the key were 512 or 1024.
So I used an existing Domino 8.5 server and with the template on that server there was suddenly another option: 2048.
A test certificate with this key length worked fine on the Domino 7.0.3 server. With a little faith I went to the website of the service provider again and this time everything went through. For two months the certificate has been running on the production server without any problems.
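As an added example (not part of the original post): a pre-submission check that reads the RSA key length out of a PEM-encoded PKCS#10 certificate request, so a too-short key is caught before the provider rejects it. The function names are hypothetical, an RSA key is assumed, and the sample requests are constructed with a dummy modulus and signature purely to exercise the parser.

```python
import base64

def tlv(tag, value):
    """Encode one DER element (only used to build the sample requests)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def read(buf, pos):
    """Decode the DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def child(buf, start, index):
    """Return (value_start, value_end) of the index-th element counted from start."""
    for _ in range(index):
        start = read(buf, start)[2]
    return read(buf, start)[1:]

def csr_rsa_bits(pem):
    """RSA modulus size in bits of a PEM-encoded PKCS#10 request (signature not verified)."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    req = read(der, 0)[1]             # CertificationRequest: start of its contents
    info = child(der, req, 0)[0]      # CertificationRequestInfo contents
    spki = child(der, info, 2)[0]     # after version and subject: subjectPKInfo
    key = child(der, spki, 1)[0] + 1  # BIT STRING contents, skipping the unused-bits byte
    rsa = read(der, key)[1]           # RSAPublicKey SEQUENCE contents
    s, e = child(der, rsa, 0)         # first INTEGER is the modulus
    return int.from_bytes(der[s:e], "big").bit_length()

def meets_minimum(pem, minimum=2048):
    """True if the request's key is at least `minimum` bits (2048 for EV, per the post)."""
    return csr_rsa_bits(pem) >= minimum

def sample_csr(bits):
    """Constructed test input: PKCS#10 layout with a dummy modulus and signature."""
    n = (1 << (bits - 1)) | 1
    rsa_oid = tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b"")
    pub = tlv(0x30, tlv(0x02, n.to_bytes(bits // 8 + 1, "big")) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, rsa_oid) + tlv(0x03, b"\x00" + pub))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, rsa_oid) + tlv(0x03, b"\x00" * 9))
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}-----END CERTIFICATE REQUEST-----\n"
```

Passing the request text copied out of the certificate admin database to `meets_minimum` gives a yes/no answer before anything is sent to the provider.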

Comments
Jeff
Bernd
but the bar doesn't turn green :(
What else is wrong there?
There is a Notes.ini variable Debug_SSL_Cert.
Set it to Debug_SSL_Cert=2 and then look at the console.
Actually this is what I did. I used my Domino 8.5 test environment which has absolutely nothing in common with the customer production environment. Everything just went fine.