Exporting Domino SSL keyfiles to another format for use with IHS
Anyway, you most likely already have an SSL certificate on Domino for web mail or Traveler, and with IHS in front of Domino you now want to move that certificate to IHS. As you probably know, Domino's SSL key format is a tad esoteric, so how does one get that pesky KYR format into the KDB (CMS) format that IHS wants? I scoured the internet and most of this information is out there, but you have to scrape together bits and pieces, so I decided to write my own "how-to". Oh, and yes, wildcard SSL certificates work with this process too.
Some issues first off....
- You'll need a specific version of iKeyman to even *open* Domino KYR files; it is available from ftp://ftp.software.ibm.com/software/lotus/tools/Domino/gsk5-ikeyman.zip (via IBM Technote 1308138)
- You'll need a Windows XP machine (I think, I lost patience trying to get Win 7 to work)
- You'll need the original .kyr and .sth (stashed password) files and the keyring password from the Domino server
OK, so fire up Win XP, extract the above ZIP file and crack open the readme. Follow it exactly:
1. Open a command prompt and CD to the extracted directory
2. type "gskregmod.bat Add" into said command prompt
3. type "runikeyman.bat" into said command prompt
Voilà, if you've done it right you should see this:
Hit the "New" icon (highlighted in red in the screenshot), make sure the key database type is CMS, and if needed rename the key.kdb file and file path (I'm leaving this example as is):
Hit OK and enter a password and make sure "Stash the password to a file" is checked:
You should then be presented with the following; the "Key database content" drop-down defaults to "Signer Certificates", so change it to "Personal Certificates":
On the right, select "Import", change the key file type to "Keyring file", browse to your existing Domino .kyr file and hit OK:
Enter the password and hit OK:
You will see something like this. In this keyring there are three entries I want to import: the GoDaddy Root, the GoDaddy Intermediate and the KeyPair, in that order, so I will repeat the import three times, once for each certificate in the chain:
Once you've done all your certs you will see your "KeyPair" in the "Personal Certificates" area and the GoDaddy certs in the "Signer Certificates" area:
With that you are done with the KYR file. You can now copy your new key.kdb AND key.sth files to the IHS folder on the Domino server. IHS needs the .sth stash file to open the key database without prompting for the password, which also means the stash file must be protected like the private key itself: lock its NTFS permissions down to the Domino service account, and don't leave copies lying around on the XP box or in your downloads folder.
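To make the point about the stash file concrete, here is an added example (my code, not the author's and not part of IBM's tooling) showing why key.sth deserves the same protection as key.kdb: the GSKit/iKeyman stash format is not encryption, just each byte of the password XORed with 0xF5, NUL-terminated and padded. The padded length of 1024 bytes is an assumption for the constructed sample file; the decoder does not depend on it. The password and file names used are constructed for the demo.

```python
# Added example, not from the original post or from IBM's tooling.
# Demonstrates that a GSKit/iKeyman .sth stash file only obfuscates the
# key database password (byte XOR 0xF5), so anyone who can read key.sth
# can open key.kdb and extract the private key.
import os
import tempfile

STASH_XOR_KEY = 0xF5
STASH_SIZE = 1024  # assumed padded file length; decode_stash() does not rely on it


def decode_stash(data: bytes) -> str:
    """Recover the key database password from the raw bytes of a .sth file."""
    cleartext = bytes(b ^ STASH_XOR_KEY for b in data)
    # The password is NUL-terminated; everything after the NUL is padding.
    end = cleartext.find(b"\x00")
    if end == -1:
        end = len(cleartext)
    return cleartext[:end].decode("latin-1")


def encode_stash(password: str) -> bytes:
    """Build a stash file body using the same obfuscation (for the demo only)."""
    raw = (password.encode("latin-1") + b"\x00").ljust(STASH_SIZE, b"\x00")
    return bytes(b ^ STASH_XOR_KEY for b in raw)


def read_stash(path: str) -> str:
    """Read a .sth file from disk and return the stashed password."""
    with open(path, "rb") as fh:
        return decode_stash(fh.read())


def is_world_readable(path: str) -> bool:
    """POSIX mode check; on Windows (where this how-to runs) inspect the NTFS ACL instead."""
    return bool(os.stat(path).st_mode & 0o044)


def demo(password: str = "hunter2") -> dict:
    """Round-trip a constructed key.sth and report what a reader of the file learns."""
    with tempfile.TemporaryDirectory() as tmp:
        sth = os.path.join(tmp, "key.sth")  # constructed sample file
        with open(sth, "wb") as fh:
            fh.write(encode_stash(password))
        os.chmod(sth, 0o600)  # the least you should do with a stash file
        recovered = read_stash(sth)
        return {
            "recovered": recovered,
            "matches": recovered == password,
            "world_readable": is_world_readable(sth),
            "size": os.path.getsize(sth),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against your real key.sth with `read_stash("key.sth")` if you want to confirm that the password you typed into iKeyman is sitting in that file in the clear, one XOR away. That is the reason the .sth must never be world-readable or checked into a backup that has weaker access controls than the key database.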
Once copied, change the domino.conf file in the IHS\Conf folder to this (adjusting the key file name and path as necessary). The <VirtualHost *:443> wrapper around the SSL directives is part of the stock SSL example in domino.conf and is easy to lose when the config is pasted into a web page, so make sure it is there; without it the trailing global SSLDisable would turn SSL back off:
Listen 0.0.0.0:80
# Uncomment the following line for IPv6 support on Windows XP or Windows
# 2003 or later. Windows IPv6 networking must be configured first.
# Listen [::]:80
# To enable ssl, uncomment and add/change the
# appropriate directives
Listen 0.0.0.0:443
## IPv6 support:
#Listen [::]:443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
#Enable debug for ssl default ssl port
#LogLevel debug
</VirtualHost>
KeyFile E:/IBM/Domino/ihs/key.kdb
SSLDisable
# End of example SSL configuration
Also make sure to add the following to your server's notes.ini file (HTTPIHSDebugStartup=1 is only there to log the IHS startup in detail; drop it once everything works):
HTTPIHSEnabled=1
HTTPIHSDebugStartup=1
Restart HTTP and voilà, IHS is now handling SSL using your old SSL certificate from Domino:
Also worth noting: the browser shows the connection negotiated TLS 1.1. With SSLv2 and SSLv3 disabled that is already better than the Domino HTTP stack, but if your IHS build supports the per-version tokens (IHS 8.5.5 and later) you should also add SSLProtocolDisable TLSv10 TLSv11 inside the VirtualHost and confirm that clients negotiate TLS 1.2:
Comments (4)
Very useful. Wish SSL key management was slightly easier in Domino. Currently building 11 new Domino web servers and whilst AdminP and a Domino CA help there's still far too much copy/pasting of files. Which merely encourages me to set very looong expiry dates on our internally-issued server certs.
Thanks a lot for the information! It was very useful. However, our environment has 2 different SSL certificates. I was able to import the first one, but when importing the second one, it says that there is a KeyPair already in the database (a certificate with the same label). Do you know if there is a way to import a second (or third) .kyr in the Personal Certificates section? Thanks again!
You should check the screenshots, especially the last one. Maybe you find there a domain name.