Creating Self-Certified SSL Certificates Valid Longer Than One Year

by Thomas Bahn,
assono GmbH, Standort Kiel,

Lotus DominoLotus Notes Traveler Creating SSL certificates for Domino Web servers is easy, especially for self-certified certificates:

  • Create a database from the "StdNotes50SSLAdmin" template (certsrv.ntf),
  • open it,
  • click on "Create Key Ring with Self-Certified Certificate",
  • fill out the form,
  • copy the created files to the Domino server and
  • finally update the server document to point to your files.

That's it.
Self-certified SSL certificates are cheap (no costs beside your time),
but cannot be verified using the known and trusted root certificates of
companies like Verisign.

Therefore, this kind of SSL certificates
is most often used for internal Web servers only, but with Lotus Notes
Traveler, these certificates have seen a renaissance.


But, there is one problem: These
certificates are valid for only one year from the date of their
creation with no configuration or option to change this, nor a way to extend
validity for existing ones.

This means that if you use a self-certified
SSL certificate for your Lotus Notes Traveler server, you have to replace
it year after year and each Traveler user gets a warning every time.


But as (nearly) always with Lotus Notes
and Domino, there is a way to accomplish this task...

When you look at the code behind the "Create Key Ring with Self-Certified Certificate" button in the "CertAdminCreateKeyringWithSelfCert" form, you'll find that the critical piece of code is hidden in a C function called ProcessSecurityCmd in the dmsecadm.dll:
  A picture named M2
"CertAdminCreateKeyringWithSelfCert" form with button

Declare Function ProcessSecurityCmd Lib "_dmsecadm" (Byval cmdName As String, Byval cmdArgs As Lmbcs String, Byval OutBuf As String, Byval szOutBuf As Integer) As Integer

I haven't found any documentation about this function, not even about this dll file.

All arguments for this function are collected into one string: cmdArgs. After a deep dive into the dll file using Strings I found a good candidate for a parameter, which could be used to set the validity of the certificate in days: ValidDays  wink.gif

Thus I simply tried to add this parameter to the cmdArgs string:
  A picture named M3
Modification of the button's code

I added the following code just below the initialization of cmdArgs:
'<modified author="Thomas Bahn <tbahn@assono.de>" timestamp="2012-07-31"
'      description="change how long the certificate is valid (in days); 7305 means: 20 years">
CmdArgs = CmdArgs & "ValidDays=7305;"
'</modifed>

For testing, I just set the validity to 7305 days, that's 20 years. But you could easily add a field to the form and use its current value instead.

Then I created a new key ring:
  A picture named M4

The end date in the dialog box is lying directly into your face, it's always a year from today (value formula: @Adjust( @Today;1;0;0;0;0;0)):
  A picture named M5

To check the created certificate, navigate to "View & Edit Key Rings",
  A picture named M6

click on "Select Key Ring to Display",
  A picture named M7

enter the file name of your key ring file,
  A picture named M8

enter the password and
  A picture named M9

open the Site Certificates - KeyPair document.
  A picture named M10

Now you can verify that the certificate is valid for 20 years:
  A picture named M11

Technical article IBM Domino IBM Notes Traveler Administration

Sie haben Fragen zu diesem Artikel? Kontaktieren Sie uns gerne: blog@assono.de

Do you want an individual solution? Contact us

More interesting entries

Any questions? Contact us.

If you want to know more about our offers, you can contact us at any time. There are several ways to contact us for a non-binding first consultation.

We don’t sell your data. 100% guaranteed. See: Privacy Policy
assono GmbH

Location Kiel (headquarters)
assono GmbH
Lise-Meitner-Straße 1–7
24223 Schwentinental

Location Hamburg
assono GmbH
Bornkampsweg 58
22761 Hamburg

Phone numbers:
Human resources department: +49 4307 900 407
Marketing department: +49 4307 900 402

E-Mail adresses:
contact@assono.de
bewerbung@assono.de