Creating a sha2+ keyring with Domino CA signed certificate

Tags: SHA2 Domino CA keyring ca process kyrtool
Ever wondered how to use the new keyring tool with your Domino based Internet Certificate Authority?

This should work

First we create a new keyring using the new kyrtool:

kyrtool create -k c:\ibm\keyring.kyr -p mypassword

Then we create a private key and CSR using OpenSSL:

openssl genrsa -out server.key 4096
openssl req -new -sha256 -key server.key -out server.csr

Open the certificate request database of your Domino based Internet CA in your browser, select 'Request server certificate', paste the contents of server.csr and click Submit to request the certificate.

Once the certificate has been signed, pick it up in the browser using the pickup ID (you should have received this ID by email).

Select the RAW format and copy and paste it into a file, in this example server.cer.

Next we combine the private key, the signed certificate and the CA certificate into a single file:

copy server.key+server.cer+cacert.cer combined.txt

(cacert.cer is the Base64-encoded CA certificate)

Finally we import this combined file into the Domino keyring:

kyrtool import all -k c:\ibm\keyring.kyr -i combined.txt
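As an added example (not from the original post), a small Python script that assembles combined.txt from the three PEM files and rejects the usual mistakes before you run the import: the CSR pasted in place of the signed certificate, a DER (binary) CA certificate, blocks in the wrong order, or BEGIN/END marker lines run together because the files were concatenated without a trailing newline. The function names and the sample inputs are constructed placeholders, not real keys or certificates.

```python
import re

# Order the post feeds to 'kyrtool import all': private key, then the
# signed server certificate, then the CA certificate.
EXPECTED_LABELS = ("PRIVATE KEY", "CERTIFICATE", "CERTIFICATE")

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)


def parse_pem_blocks(text):
    """Return (label, body) for every PEM block in text; reject non-base64 bodies."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        for line in body.splitlines():
            if not re.fullmatch(r"[A-Za-z0-9+/=]+", line.strip()):
                raise ValueError(f"non-base64 line in {label} block: {line!r}")
        blocks.append((label, body))
    return blocks


def combine_for_kyrtool(key_pem, cert_pem, ca_pem):
    """Build combined.txt: key, server cert, CA cert, one PEM block each,
    every block newline-terminated so BEGIN/END markers never run together."""
    parts = []
    for text, wanted in zip((key_pem, cert_pem, ca_pem), EXPECTED_LABELS):
        # Drop a Ctrl-Z that Windows 'copy' in ASCII mode may append, and
        # normalise CRLF so the parser sees plain LF-separated lines.
        text = text.replace("\x1a", "").replace("\r\n", "\n")
        blocks = parse_pem_blocks(text)
        if len(blocks) != 1:
            raise ValueError(f"expected one PEM block, found {len(blocks)} "
                             "(DER/binary input, or a paste with extra blocks?)")
        label = blocks[0][0]
        # 'RSA PRIVATE KEY' passes; 'CERTIFICATE REQUEST' (the CSR) does not.
        if not label.endswith(wanted):
            raise ValueError(f"expected a {wanted} block, got {label}")
        parts.append(text.strip() + "\n")
    return "".join(parts)


# Constructed sample inputs (not real keys or certificates): the key lacks a
# trailing newline, the cert uses CRLF, the CA cert carries a stray Ctrl-Z.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\r\nMIIC\r\nABCD\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n\x1a"

if __name__ == "__main__":
    print(combine_for_kyrtool(SAMPLE_KEY, SAMPLE_CERT, SAMPLE_CA))
```

In practice, read server.key, server.cer and cacert.cer from disk, write the returned string to combined.txt, and only then run kyrtool import all on it.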


CA Process does not like admins with local mailfiles

Tags: Lotus Domino 8.5.1 CA Process
Ran into this one the other day while making a small change to my CA based certifiers:

Cannot locate user certificate. Make sure server contains your certificate for encryption

Turns out that when your location document is configured with your mail file location as Local, you will not be able to make any changes to Notes and/or Internet certifiers inside the CA Process.

See also KB #1168945

Why it requires the location of the mail file to be 'On Server', instead of just checking the home server configured in the location document (or the server you're actually administrating), is beyond me though.


A CA Process learning experience

Tags: Lotus Domino CA Process

The other day I found out that once you've migrated your certifier to the CA Process and at some later point performed a certifier key rollover, you might as well throw out those old backup copies of your certifier ID.

This is how I got to this 'revelation'.

First I registered a new server using the CA Process on the existing server that holds the CA, then copied the ID over to the new box and fired up the remote installer.
At the end of the Remote Server Setup wizard, when it's time to actually start doing something useful, it threw an error complaining that the server ID had not been signed yet.