Hello Mark,

Trust me, I feel your frustration. I spent hours and hours working through this process. I boiled the process down into a few steps (see here). Now, I can handle in < 5 minutes! I should send IBM a bill. Can you imagine the productivity loss around the world due to poor documentation re: SHA-2 and Domino (and TLS, for that matter)? Amazing. Hope this helps you. We are successfully running SHA-2 certificates (use link in posting to check SHA-2 status). I just added the exact OpenSSL commands to the linked posting (focus was more on KYRTOOL). I can create these in my sleep now!

***While the topic mentions Go Daddy (our CA), the instructions work for other CAs. The only real difference is file names of the root/intermediate certificates.

Regards,
Michael

One of the issues from the original Wiki was in Step 1 he used 'server.key', then in step 2 it was server02.key; I was pretty sure they should have been the same...

Are you setting environment variables for OpenSSL?  I think that I had to add 'set RANDFILE=.rnd', but then later got another error, so added 'set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg'.

Did you have to make any changes to the supplied openssl.cfg file?

And finally, did you just run everything from 'C:\OpenSSL-Win32\bin'? Then copy out the files you needed?

Thanks for the direction! It looks like I was on the right track - but didn't want to submit & pay for the certificate only to find out I had it all wrong!

Hello Howard,

Excellent, couldn't agree more with that recommendation. Many CA still have root and intermediate bundles (or individual certificates in their repositories) that are only SHA-1 signed. I intentionally downloaded the G2 versions of the root and intermediate certificates (e.g. from Go Daddy) that has SHA-2 signatures. If not, your chain's essentially not 100% SHA-2. Even with these SHA-2 inclusive certificates, it's possible to still see SHA-1 for the Thumbprint Algorithm but the certificate is signed with SHA-2 and will pass tests (e.g. Google Chrome checks for SHA-1).

Regards,
Michael

Dave,

Thanks for updating the posting.

Regards,
Michael

Hello Mark,

The server02.key (instead of server.key) has certainly confused many people. With regards to OpenSSL environment variables, none were set. I just installed OpenSSL for Windows and ran all commands from the C:\OpenSSL-Win32\bin\ directory. BTW, I have now generated 48 SHA-2 signed SSL certificates (new and re-keys) today alone w/o any issues.

***Don't be too concerned about making a mistake (re: initial CSR...). You can always re-key, just don't revoke the purchased certificate.

Regards,
Michael

I successfully updated an existing GoDaddy SHA-1 cert to SHA-2 using the arcane "Generate a SHA-2 certificate using a 3rd party CA with OpenSSL and kyrtool" instructions.  I also used OpenSSL for Windows.  As others already noted, the instructions change "server.key" to "server02.key" incorrectly.  Here are some notes I made for myself against various steps in the process:

1. Generate an RSA keypair

Mark,

Thanks for posting your process for generating the SHA-2 signed certificates using OpenSSL and KYRTOOL. My instructions drop the path to the notes.ini since it's already relative to the file's location. So, instead of "kyrtool ="C:\Program Files (x86)\IBM\Lotus\Notes\notes.ini" create -k "C:\Program Files (x86)\IBM\Lotus\Notes\Data\keyring.kyr" you can just use "=notes.ini" or "kyrtool =notes.ini create -k "C:\Program Files (x86)\IBM\Lotus\Notes\Data\keyring.kyr"". I found that any shortcut seemed to help me.

Dave: Mark's quotation marks around the path reminded me of something. The posting uses "kyrtool =c:\lotus\notes\notes.ini create -k c:\lotus\notes\data\keyring.kyr -p password" for example. While this path works (due to no spaces), it would not work using the more standard "C:\Program Files (x86)\IBM\Lotus\Notes". If no quotes are used, the user will receive an error. YI would just add quotes to yours so users just assume quotes are needed no matter.

Regards,
Michael

Thanks, Michael and Mark, for all the assistance! I've been thru the process, and have just installed my keyring on our Traveler server, and everything appears spectacular!

Tomorrow I will attempt our b2b web server - the current SHA-1 certificate won't expire for another year, but I'll get it upgraded to SHA-256 and will feel much better.

I can't say enough how much I appreciate the assistance!

Seriously, Thanks!

Mark,

Great news, thanks for letting us know. The network effect, right? I'm glad the information helped.

Regards,
Michael

That will be a great help!

I assume that many of us wear multiple hats during the year, so this task only happens every year or two - I finally had the old way down pat!

;-)

But, to be truthful, this was wasn't so bad (with a little help and direction) - a Windows procedure will really help!

Thanks, again!