Author:Andrew Tetlaw
Email:
Subject:The answer: yes you can use your Domino CA
Category:Web Booster
Message:It's a bit of a tangle of compatible formats and command line arguments but here's what I did:

STEP 1: Generate your keystore

C:\Program Files\Puakma Web Booster\config>"C:\Program Files\Java\jre1.5.0_02\bin\keytool.exe" -genkey -keyalg "RSA" -alias [your alias] -keystore [your keystore file e.g. keystore.kyr] -storepass [password]

What is your first and last name?
  [Unknown]:  [host name]
What is the name of your organizational unit?
  [Unknown]:  [OU]
What is the name of your organization?
  [Unknown]:  [O]
What is the name of your City or Locality?
  [Unknown]:  []
What is the name of your State or Province?
  [Unknown]:  []
What is the two-letter country code for this unit?
  [Unknown]:  [e.g. AU]
Is CN=host.com.au, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xx correct?
  [no]:  y


STEP 2: Make a certificate request for your Domino CA

C:\Program Files\Puakma Web Booster\config>"C:\Program Files\Java\jre1.5.0_02\bin\keytool.exe" -certreq -keyalg "RSA" -alias [your alias from above step] -keystore [keystore file from above step] -file [new certificate file e.g. request.csr]
Enter keystore password:  [password]

STEP 3: Submit request to Domino CA

The file generated above (request.csr) is a text file; you need it to open a new server certificate request in your certificate request database on Domino. I run Domino 6.5.4 and I have a database called certreq.nsf. Opening this in a browser will display a menu; click 'Request Server Certificate'. Type in your name and email address and paste the contents of the csr file into the field indicated, then submit.

After the CA process has completed and the certificate is ready you'll get an email with a pickup ID. Go to the certreq DB again and click 'Pickup Server Certificate'. Enter your pickup ID. Select the PKCS7 format and copy and paste the text into a new text file and call it something like server.cert.

STEP 4: Getting your CA's certificate for importing

Now here's a gotcha: keytool needs to create a chain of trust, so you first need to import the Domino CA's cert as the trusted root of your new server certificate. If you attempt to import your new server certificate, keytool will return an error "Failed to establish chain from reply".

In the certreq database there's an option 'Accept This Authority In Your Server'; ignore it, the public key it returns is of no use to you. If you try to install it keytool will return an error "Not an x.509 certificate". What I did instead was to click 'Accept This Authority In Your Browser' and Install Certificate. Then from IE go to Tools/Internet Options/Content/Certificates/Trusted Root Certificates and export your CA's certificate. Choose the 'Base-64 encoded X.509 (.cer)' format and save the exported file e.g. caroot.cer.

STEP 5: Importing your certificates

Import your CA's root certificate:
C:\Program Files\Puakma Web Booster\config>"C:\Program Files\Java\jre1.5.0_02\bin\keytool.exe" -import -keyalg "RSA" -alias [an alias for the root ca] -keystore [your keystore from above] -file [CA's certificate file e.g. caroot.cer]
Enter keystore password:  [password]
Owner: CN=XXX, O=XXX
Issuer: CN=XXX, O=XXX
Serial number: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Valid from: [time&date] until: [time&date]
Certificate fingerprints:
         MD5:  [stuff]
         SHA1: [stuff]
Trust this certificate? [no]:  y
Certificate was added to keystore

Import your new server certificate:
C:\Program Files\Puakma Web Booster\config>"C:\Program Files\Java\jre1.5.0_02\bin\keytool.exe" -import -keyalg "RSA" -alias [server alias] -keystore [keystore file] -file [server certificate file e.g. server.cert]
Enter keystore password:  [password]
Certificate reply was installed in keystore

CONGRATULATIONS! Now you can have Puakma Web Booster via SSL using a certificate signed by your Domino CA. If your users have already imported your Domino CA's certificate as a trusted root then they'll trust the Puakma server's certificate now too.
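The two gotchas in STEP 4 and STEP 5 (the wrong export format giving "Not an x.509 certificate", and a pasted file that is not a complete blob) can be caught before keytool ever runs. The script below is an added example, not part of the post; it only checks PEM framing and the outer DER length of each block (a full X.509 parse is out of scope), and the sample blobs it builds are constructed placeholders, not real certificates.

```python
import base64
import re

# One PEM block: label in the BEGIN/END lines, base64 body in between.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_length(der: bytes):
    """Total encoded length of the outer DER element, or None if it is not a SEQUENCE.
    Both an X.509 certificate and a PKCS#7 blob start with a DER SEQUENCE (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text: str):
    """Return [(label, status)] for every PEM block in text, e.g. a pasted pickup page."""
    results = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode(body)   # whitespace from browser copy/paste is ignored
        except ValueError:
            results.append((label, "bad base64"))
            continue
        total = der_outer_length(der)
        if total is None:
            status = "not DER SEQUENCE"
        elif total > len(der):
            status = "truncated"           # paste cut off before the END line
        elif total < len(der):
            status = "trailing data"
        else:
            status = "ok"
        results.append((label, status))
    return results


def ready_for_keytool(ca_text: str, reply_text: str):
    """(ca_ok, reply_ok): the CA root must be exactly one Base-64 X.509 CERTIFICATE block
    (what IE's 'Base-64 encoded X.509' export gives you); the reply from the Domino
    pickup page may be PKCS7 or CERTIFICATE blocks, all structurally complete."""
    ca = inspect_pem(ca_text)
    reply = inspect_pem(reply_text)
    ca_ok = len(ca) == 1 and ca[0] == ("CERTIFICATE", "ok")
    reply_ok = bool(reply) and all(l in ("PKCS7", "CERTIFICATE") and s == "ok" for l, s in reply)
    return ca_ok, reply_ok


def make_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM framing (used here to build constructed sample files)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed placeholder: a well-formed 8-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("30 06 02 01 2a 04 01 ff")
```

Run `ready_for_keytool(open("caroot.cer").read(), open("server.cert").read())` on the two files from STEP 4 and STEP 3 before the imports in STEP 5; a `(False, ...)` result on the CA file means the export was not the Base-64 X.509 form.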

Threads:
SSL   Steffen Sørensen 03.Jun.05
    RE: SSL   Brendon Upson 03.Jun.05
        RE: SSL   Aurelio 09.Jun.05
            Keytool.exe   Tom Williams 09.Jun.05
                RE: Keytool.exe   Anonymous 13.Jun.05
                    RE: Keytool.exe   Tom Williams 13.Jun.05
                        The answer: yes you can use your Domino CA   Andrew Tetlaw 22.Jun.05
    RE: SSL   Anonymous 11.Jun.05