- Create a database from the "StdNotes50SSLAdmin" template (certsrv.ntf),
- open it,
- click on "Create Key Ring with Self-Certified Certificate",
- fill out the form,
- copy the created files to the Domino server and
- finally update the server document to point to your files.
Self-certified SSL certificates are cheap (no costs besides your time),
but they cannot be validated against the known and trusted root certificates of
companies like Verisign that clients ship with.
Therefore, this kind of SSL certificate
is mostly used for internal Web servers only, but with Lotus Notes
Traveler these certificates have seen a renaissance.
But there is one problem: these
certificates are valid for only one year from the date of their
creation, with no configuration option to change this and no way to extend
the validity of existing ones.
This means that if you use a self-certified
SSL certificate for your Lotus Notes Traveler server, you have to replace
it year after year, and with every new certificate each Traveler user gets a certificate warning again.
But as (nearly) always with Lotus Notes
and Domino, there is a way to accomplish this task...
When you look at the code behind the "Create
Key Ring with Self-Certified Certificate" button in the "CertAdminCreateKeyringWithSelfCert"
form, you'll find that the critical piece of code is hidden in a C function
in the dmsecadm.dll:
"CertAdminCreateKeyringWithSelfCert" form with button
Declare Function ProcessSecurityCmd Lib "_dmsecadm" (Byval cmdName As String, Byval cmdArgs As Lmbcs String, Byval OutBuf As String, Byval szOutBuf As Integer) As Integer
I haven't found any documentation about this function, not even about this dll file.
All arguments for this function are collected into one string, cmdArgs, as "Key=Value;" pairs. After dumping the printable strings of the dll file with Strings and digging through them, I found a promising candidate for a parameter that sets the validity of the certificate in days: ValidDays
Thus I simply tried to add this parameter to the cmdArgs string:
Modification of the button's code
I added the following code just below the initialization of cmdArgs:
'<modified author="Thomas Bahn <email@example.com>" timestamp="2012-07-31"
' description="change how long the certificate is valid (in days); 7305 means: 20 years">
CmdArgs = CmdArgs & "ValidDays=7305;"
For testing, I simply hard-coded a validity of 7305 days, that is 20 years (leap days included). But you could easily add a field to the form and use its current value instead. Keep in mind that the key pair in the key ring then also stays in use for that whole period, so pick a value that fits your key rotation policy rather than the longest one the dll accepts.
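The following LotusScript is an added example of that variant, not the code from certsrv.ntf: it assumes the button already holds the argument string in cmdArgs (as in the original, "Key=Value;" pairs), and it assumes a hypothetical editable number field named "ValidDays" on the "CertAdminCreateKeyringWithSelfCert" form. The helper name AppendValidDays and the limits are my own choices; only the "ValidDays=...;" parameter itself comes from the dll.

```lotusscript
' Added example, not the original certsrv.ntf code.
' Reads the requested validity from a hypothetical number field "ValidDays"
' on the form, sanity-checks it and appends it to cmdArgs before the button
' hands cmdArgs to ProcessSecurityCmd.

Const MIN_VALID_DAYS = 1
Const MAX_VALID_DAYS = 7305      ' 20 years; set the cap your PKI policy allows
Const DEFAULT_VALID_DAYS = 365   ' what the unmodified dialog produces anyway

' Returns cmdArgs with a "ValidDays=<n>;" pair appended.
' requestedDays is the raw field content (a String from FieldGetText);
' anything that is not a number falls back to the one-year default.
Function AppendValidDays(cmdArgs As String, requestedDays As Variant) As String
    Dim days As Long
    If IsNumeric(requestedDays) Then
        days = CLng(requestedDays)
    Else
        days = DEFAULT_VALID_DAYS
    End If
    ' Clamp to a sane range: the dll is undocumented, so we do not want to
    ' find out what it does with 0, a negative value or a five-digit number.
    If days < MIN_VALID_DAYS Then days = MIN_VALID_DAYS
    If days > MAX_VALID_DAYS Then days = MAX_VALID_DAYS
    AppendValidDays = cmdArgs & "ValidDays=" & CStr(days) & ";"
End Function

' In the button's Click event, directly after cmdArgs has been initialised
' (replaces the hard-coded CmdArgs = CmdArgs & "ValidDays=7305;" line):
'
'   Dim ws As New NotesUIWorkspace
'   Dim uiDoc As NotesUIDocument
'   Set uiDoc = ws.CurrentDocument
'   cmdArgs = AppendValidDays(cmdArgs, uiDoc.FieldGetText("ValidDays"))
```

If you add such a field, it is also worth pointing the computed end-date field of the dialog at it (for example @Adjust(@Today; 0; 0; ValidDays; 0; 0; 0) instead of the fixed one-year formula), so that the dialog shows the validity the dll will actually use.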
Then I created a new key ring:
The end date shown in the dialog box is lying straight to your face: it is always a year from today, because it is computed with the value formula @Adjust(@Today; 1; 0; 0; 0; 0; 0) regardless of what the dll actually uses:
To check the created certificate, navigate to "View & Edit Key Rings",
click on "Select Key Ring to Display",
enter the file name of your key ring file,
enter the password and
open the Site Certificates - KeyPair document.
Now you can verify that the certificate is valid for 20 years: