HCL Notes and Domino 9.0 Social Edition Forum

May 29, 2015, 7:48 PM

191 Posts

Need more info

Can you itemize the full steps you have taken? It's not clear if you have created your own CA and are attempting to use that to issue certificates or if you have purchased a certificate from a third-party CA. What is clear, though, is that you don't have a root certifier in the chain of certificates. The last certificate in the chain should be a self-signed CA certificate. That can either be one widely recognized as trusted (the major vendors) or one you have created that you'll explicitly choose to trust. If it's the latter, you probably skipped a step at some point, which is why listing all steps you have taken helps.

In general, the process for creating your own CA and using it to certify a server certificate will go like this:

Create CA key pair
Create self-signed CA certificate
Create server key pair
Create CSR for server
Sign CSR with CA certificate and key pair

~Michelle Chuboosilitli

Jun 1, 2015, 1:05 PM

5 Posts

Resolved

OK...I was doing this correctly, but the Certificate Authority sent me an Intermediate and Root Certificate with a subject name that did not match the IssuerName of the server certificate. So the problem was exactly as it appeared in the error message. I brought this to their attention and they sent me the correct Intermediate and Root and it worked perfectly.

~Olga Brekrochekobu

Jun 3, 2015, 1:06 PM

4 Posts

Kyrtool / OpenSSL Concern

You can have two options:

You can request a PEM file from your CA so that if you concatenate the server.key(from OpenSSL) and server.pem(certificates received from CA) to a new text file (server.txt). You can have all certificates in one text file.

Command: type server.key server.pem>server.txt

Another option is to have KEY file(openssl) and the CRT or CER files of your roots and certificate. You can import them one at a time.

After you created a keyring file, My tip is to put all files in one folder(server.key, CRT/CER files and keyring files(KYR and STH))

*If you open the certificate using cryptoshell, you can determine in the Certification the number of chains/roots to be used

1. Import keys (server.key that you created on the Openssl tool)
kyrtool import keys -k "C:\*location of keyring file\keyring.kyr" -i "C:\*location of server.key\server.key" -n "CN=hostname.com"

2. Import roots
kyrtool import roots -k "C:\*location of keyring file\keyring.kyr" -i "C:\*location of root certificates\PrimaryRoot.crt"
kyrtool import roots -k "C:\*location of keyring file\keyring.kyr" -i "C:\*location of root certificates\IntermediateRoot.crt"

3. Import cert/the site cert
kyrtool import certs -k "C:\*location of keyring file\keyring.kyr" -i "C:\*location of certificates\Sitecertificate.crt"

~Wei Brefreetexoopsi

Aug 16, 2017, 4:46 PM

1 Posts

GoDaddy certs

I know this is an old topic but I have struggled getting thru this lately using a GoDaddy cert. Thought I'd pass along my hard won lesson. GoDaddy will send you a bundle (gd_bundle-xx-xx.crt) and another cert with about 10 letters and numbers (123434321a1s2s2.crt). You have to use both or you will get the private key does not match leaf certificate error. Just open these items in notepad and copy the contents into another notepad doc: RSA private key first, then that numbered cert, then the bundle. Then that text file should verify.

When I got down to the kyrtool show keys command, it worked fine, but the certs command cause a PANIC error and crashed Notes with a handle out of range error. I opened a case with IBM on that.

This is some absolutely poor certificate handling that IBM is foisting upon us.

By Role

Kyrtool / OpenSSL Question