It's a bit of a tangle of compatible formats and command line arguments but here's what I did:

STEP 1: Generate your keystore

    C:\Program Files\Puakma Web Booster\config>"C:\Program Files\Java\jre1.5.0_02\bin\keytool.exe" -genkey -keyalg "RSA" -alias [your alias] -keystore [your keystore file e.g. keystore.kyr] -storepass [password]
    What is your first and last name?
      [Unknown]:  [host name]
    What is the name of your organizational unit?
      [Unknown]:  [OU]
    What is the name of your organization?
      [Unknown]:  [O]
    What is the name of your City or Locality?
      [Unknown]:  []
    What is the name of your State or Province?
      [Unknown]:  []
    What is the two-letter country code for this unit?
      [Unknown]:  [e.g. AU]
    Is CN=host.com.au, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xx correct?
      [no]:  y

STEP 2: Make a certificate request for your Domino CA

    C:\Program Files\Puakma Web Booster\config>"C:\Program Files\Java\jre1.5.0_02\bin\keytool.exe" -certreq -keyalg "RSA" -alias [your alias from above step] -keystore [keystore file from above step] -file [new certificate file e.g. request.csr]
    Enter keystore password:  [password]

STEP 3: Submit request to Domino CA

The file generated above (request.csr) is a text file; you need to open a new server certificate request in your certificate request database on Domino. I run Domino 6.5.4 and I have a database called certreq.nsf. Opening this in a browser will display a menu; click 'Request Server Certificate'. Type in your name and email address and paste the contents of the csr file into the field indicated, then submit.

After the CA process has completed and the certificate is ready you'll get an email with a pickup ID. Go to the certreq DB again and click 'Pickup Server Certificate'. Enter your pickup ID. Select the PKCS7 format and copy and paste the text into a new text file and call it something like server.cert.

STEP 4: Getting your CA's certificate for importing

Now here's a gotcha: keytool needs to create a chain of trust, so you first need to import the Domino CA's cert as the trusted root of your new server certificate. If you attempt to import your new server certificate first, keytool will return an error "Failed to establish chain from reply".

In the certreq database there's an option 'Accept This Authority In Your Server'; ignore it, the public key it returns is of no use to you. If you try to install it keytool will return an error "Not an x.509 certificate". What I did instead is to click 'Accept This Authority In Your Browser' and Install Certificate. Then from IE go to Tools/Internet Options/Content/Certificates/Trusted Root Certificates and export your CA's certificate. Choose the 'Base-64 encoded x.509 (.cer)' format and save the exported file e.g. caroot.cer.

STEP 5: Importing your certificates

Import your CA's root certificate:

    C:\Program Files\Puakma Web Booster\config>"C:\Program Files\Java\jre1.5.0_02\bin\keytool.exe" -import -keyalg "RSA" -alias [an alias for the root ca] -keystore [your keystore from above] -file [CA's certificate file e.g. caroot.cer]
    Enter keystore password:  [password]
    Owner: CN=XXX, O=XXX
    Issuer: CN=XXX, O=XXX
    Serial number: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Valid from: [time&date] until: [time&date]
    Certificate fingerprints:
         MD5:  [stuff]
         SHA1: [stuff]
    Trust this certificate? [no]:  y
    Certificate was added to keystore

Import your new server certificate:

    C:\Program Files\Puakma Web Booster\config>"C:\Program Files\Java\jre1.5.0_02\bin\keytool.exe" -import -keyalg "RSA" -alias [server alias] -keystore [keystore file] -file [server certificate file e.g. server.cert]
    Enter keystore password:  [password]
    Certificate reply was installed in keystore

CONGRATULATIONS! Now you can have Puakma Web Booster via SSL using a certificate signed by your Domino CA.

If your users have already imported your Domino CA's certificate as a trusted root then they'll trust the Puakma server's certificate now too.
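The keytool steps of the walkthrough above, as an added example script that is not part of the original post. It wraps steps 1, 2 and 5 in shell functions and adds a pre-flight check on the two files that come back from Domino and IE, so the two keytool errors the post mentions ("Not an x.509 certificate" from the wrong export format, and "Failed to establish chain from reply" from importing the reply before the root) are caught before keytool is run. Everything about the environment is an assumption: keytool is on PATH (or KEYTOOL points at it), the file names request.csr, caroot.cer and server.cert follow the post, and the alias, password and DN values are placeholders to replace. The pem_kind classifier is this example's own check, not a keytool feature.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes keytool is on PATH
# (or KEYTOOL names it) and that the manual Domino/IE steps produced
# caroot.cer (Base-64 X.509 export of the CA root) and server.cert (PKCS#7
# pickup) in the current directory. Alias, password and DN are placeholders.

KEYTOOL="${KEYTOOL:-keytool}"
KEYSTORE="${KEYSTORE:-keystore.kyr}"
STOREPASS="${STOREPASS:-changeit}"       # placeholder; set a real password
SERVER_ALIAS="${SERVER_ALIAS:-booster}"  # placeholder alias for the server key
ROOT_ALIAS="${ROOT_ALIAS:-dominoca}"     # placeholder alias for the CA root
DNAME="${DNAME:-CN=host.example.com, OU=xxx, O=xxx, L=xxx, ST=xxx, C=AU}"  # placeholder

# Classify a file by its PEM armour line. keytool -import accepts a Base-64
# X.509 certificate or a PKCS#7 certificate reply; the blob returned by
# 'Accept This Authority In Your Server' is neither, which is what produces
# "Not an x.509 certificate". (keytool also accepts binary DER, but this
# script expects the Base-64 export the walkthrough describes.)
# Prints one of: x509, pkcs7, unknown.
pem_kind() {
    [ -r "$1" ] || { echo unknown; return 0; }
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null || true)
    case "$header" in
        '-----BEGIN CERTIFICATE-----') echo x509 ;;
        '-----BEGIN PKCS7-----')       echo pkcs7 ;;
        *)                             echo unknown ;;
    esac
}

# True when the keystore already holds an entry under the given alias.
keystore_has_alias() {
    "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# STEP 1: key pair. -dname answers the interactive DN prompts non-interactively.
gen_keypair() {
    "$KEYTOOL" -genkey -keyalg RSA -keysize 2048 -alias "$SERVER_ALIAS" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -dname "$DNAME"
}

# STEP 2: CSR to paste into certreq.nsf ('Request Server Certificate').
make_csr() {
    "$KEYTOOL" -certreq -alias "$SERVER_ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file request.csr
}

# STEP 5a: the CA root goes in first, otherwise the reply import fails with
# "Failed to establish chain from reply". No -noprompt here on purpose: the
# "Trust this certificate?" prompt is where you compare the fingerprint
# against the one shown by your Domino CA before answering y.
import_root() {
    [ "$(pem_kind caroot.cer)" = x509 ] || {
        echo "caroot.cer is not a Base-64 X.509 certificate; re-export it from IE" >&2; return 1; }
    "$KEYTOOL" -import -alias "$ROOT_ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file caroot.cer
}

# STEP 5b: install the certificate reply under the server alias.
import_reply() {
    case "$(pem_kind server.cert)" in
        x509|pkcs7) ;;
        *) echo "server.cert is neither X.509 nor PKCS#7; re-do the pickup" >&2; return 1 ;;
    esac
    keystore_has_alias "$ROOT_ALIAS" || { echo "import the CA root first" >&2; return 1; }
    "$KEYTOOL" -import -alias "$SERVER_ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file server.cert
}

# Usage: sh provision.sh prepare   (steps 1-2; then do the Domino and IE steps by hand)
#        sh provision.sh finish    (step 5, then list the keystore to confirm the chain)
case "${1:-}" in
    prepare) gen_keypair && make_csr ;;
    finish)  import_root && import_reply && \
             "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" ;;
esac
```

The final `keytool -list -v` shows the server entry's certificate chain; if it lists only one certificate, the reply was installed without the root and browsers that trust only the Domino CA will still reject it.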