In my last post I'd indicated that IBM HTTP Server (IHS) is included with Domino 9 on Windows and that I think this is a pretty good addition (if cop out).

Anyway, you most likely already have an SSL certificate on Domino for web mail or Traveler and with IHS in front of Domino you now want to move that SSL certificate to IHS. As you most likely know Domino's SSL key format is a tad esoteric so how does one go about getting that pesky KYR format into the KDB format that IHS likes? I scoured the internet and most of this information is out there, but you have to scrap together some bits and pieces so I decided to write my own "how-to". Oh, and yes, wildcard SSL certificates work with this process too.

Some issues first off....
OK, so fire up Win XP, extract the above ZIP file and crack open the readme. Follow it exactly:
1.        Open a command prompt and CD to the extracted directory
2.        type "gskregmod.bat Add" into said command prompt
3.        type "runikeyman.bat" into said command prompt
 
voila, if you've done it right you should see this:

Image:Exporting Domino SSL keyfiles to another format for use with IHS

Hit the "new" icon highlighted in red above and make sure CMS is picked and if needed rename the key.kdb file and file path (I'm leaving this example as is):

Image:Exporting Domino SSL keyfiles to another format for use with IHS

Hit OK and enter a password and make sure "Stash the password to a file" is checked:

Image:Exporting Domino SSL keyfiles to another format for use with IHS
You should then be presented with the following, select "Signer Certificates" and select "Personal Certificates" from the drop down:

Image:Exporting Domino SSL keyfiles to another format for use with IHS

On the right, select "Import" and change the format to "Keyring file", browse to your existing Domino SSL cert and hit OK:

Image:Exporting Domino SSL keyfiles to another format for use with IHS

Enter the password and hit OK:

Image:Exporting Domino SSL keyfiles to another format for use with IHS

You will see something like this.....in this certificate there are three I want to import, GoDaddy Root, GoDaddy Intermediate and KeyPair in that order so I will complete this task three times, one for each certificate in the chain:

Image:Exporting Domino SSL keyfiles to another format for use with IHS

Once you done all your certs you will see your "KeyPair" in the "Personal Certificates" area, and the GoDaddy certs in the "Signer" area:

Image:Exporting Domino SSL keyfiles to another format for use with IHS

With that you are done with the KYR file. You can now copy your new key.kdb AND key.sth files to the IHS folder on Domino.

Once copied change the domino.conf file in the IHS\Conf folder to this (adjusting your file name and path as necessary):


Listen 0.0.0.0:80

# Uncomment the following line for IPv6 support on Windows XP or Windows
# 2003 or later.  Windows IPv6 networking must be configured first.
# Listen [::]:80

# To enable ssl, uncomment and add/change the
# appropiate directives

Listen 0.0.0.0:443
## IPv6 support:
#Listen [::]:443

SSLEnable
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
#Enable debug for ssl default ssl port
#LogLevel debug

KeyFile E:/IBM/Domino/ihs/key.kdb
SSLDisable
# End of example SSL configuration


Also make sure to add the following to you server notes.ini file:


HTTPIHSEnabled=1
HTTPIHSDebugStartup=1


Restart HTTP and voila, IHs is now handling SSL using your old SSL certificate from Domino:

Image:Exporting Domino SSL keyfiles to another format for use with IHS

Also worth noting, the connection is now TLS 1.1:

Image:Exporting Domino SSL keyfiles to another format for use with IHS
Darren Duke   |   May 28 2013 02:53:32 PM   |    domino  ssl  ihs    |  
  |   Next Document   |   Previous Document

Discussion for this entry is now closed.

Comments (4)

Gravatar Image
1 - Sven Hasselbach    http://blog.hasselba.ch    05/29/2013 1:00:57 AM

You should check the screenshots, especially the last one. Maybe you find there a domain name.

Gravatar Image
2 - Alan Head    http://tapsocial.kiloran.com    05/29/2013 5:39:11 AM

Very useful. Wish SSL key management was slightly easier in Domino. Currently building 11 new Domino web servers and whilst AdminP and a Domino CA help there's still far too much copy/pasting of files. Which merely encourages me to set very looong expiry dates on our internally-issued server certs.

Gravatar Image
3 - Darren Duke       05/29/2013 6:39:59 AM

@, thanks and doh! It's an internal test server not accessible from the internet so no real harm done. Anyway I've fixed it.

Gravatar Image
4 - David Aldavero       02/05/2014 9:13:50 AM

Thanks a lot for the information! It was very useful. However, our environment has 2 ssl different certificates. I was able to import the first one, but when importing the second one, it says that there is a KeyPair already in database (a certificate with same label). Do you know if there is a way to import a second (or third .kyr) in the Personal Certificates section? Thanks again!