This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Nov 12, 2014, 4:54 PM
21 Posts

SHA-2 and kyrtool

  • Category: Administration
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: kyrtool sha-2 ssl
  • Replies: 3

I am trying to install a SHA-2 certificate for our Domino 9.0.1FP2IF1 (HF384).

Following the guide at http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool, when I get to verify section 5b I get the following output:

C:\Program Files\IBM\Lotus\Notes>kyrtool ="c:\Program Files\IBM\Lotus\Notes\notes.ini" verify "c:\Program Files\IBM\Lotus\Notes\ssl\serverall.txt"


        KyrTool v1.0

Successfully read 2048 bit RSA private key
INFO: Successfully read 3 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
WARNING: Final certificate in chain is not self-signed

In the file serverall.txt first is the private key then the certificate and last the trusted roots. I have tried changing the order of the keys in serverall.txt but I get even more errors. I get the same error when I remove the trusted roots from serverall.txt.

Any ideas?

Nov 12, 2014, 5:56 PM
94 Posts
That is a warning, not an error
Some third party CAs will not send you their self-signed root certificate on the assumption that all of your clients are web browsers who already have their root certificate pre-installed.  If this is the case, then you should be able to operate successfully without that final self-signed root certificate.

Some clients will operate better if your server can send the entire certificate chain, including the final self-signed root. If your server falls into this category, then you should acquire the third party CA's root certificate off their web site and append it to the end of your "serverall.txt" file. That will make the final WARNING message go away.
Nov 13, 2014, 8:52 AM
21 Posts
I think I solved it

Thank you,

I tried to import the certificates one by one with the kyrtool.

First the private key followed by the two intermediate trusts and last the certificate itself. They all were imported successfully and the site now presents itself as secure when you browse to it.

Commands:

kyrtool import keys

kyrtool import roots

kyrtool import certs

ref: http://www-10.lotus.com/ldd/dominowiki.nsf/page.xsp?documentId=DF9FD827D1E2BC1A85257D850077FCAD&action=openDocument&mode=original

Nov 18, 2014, 11:08 AM
90 Posts
That was my approach. A few questions for you:
I also have the Rapid SSL. Did you find a set of intermediate certs that were all SHA-2? When I go to http://ssllabs.com/ssltest I get downgraded since one of my RapidSSL certs was SHA-1.

Also, not sure if you imported the top level root or not. I did the first time and got some warnings so I repeated the import of the roots with only the two intermediates and that worked fine.


Howard
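The two points the replies make, that kyrtool's WARNING only says the bundle does not end in a self-signed root and disappears once the CA's root is appended, and that a single SHA-1 intermediate still spoils an otherwise SHA-2 chain, can be checked outside of Domino. The POSIX shell script below is an added example, not kyrtool's or IBM's code: it rebuilds the checks behind "kyrtool verify" on a serverall.txt-style bundle with OpenSSL and prints each certificate's signature hash. The three-tier chain it builds is constructed for the demo; it assumes openssl, awk and mktemp are available.

```shell
#!/bin/sh
# Added example, not kyrtool's or IBM's code: rebuild the checks behind "kyrtool verify"
# for a serverall.txt-style bundle (private key, then leaf, then intermediates, then an
# optional root) with OpenSSL, and report each cert's signature hash so a stray SHA-1
# intermediate is visible. The three-tier chain below is constructed for the demo.
set -u

dn()      { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*=//'; }   # dn subject|issuer FILE
sig_alg() { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/{print $3; exit}'; }
# check_bundle FILE -> 0: links OK and final cert is self-issued; 2: final cert is not
# self-issued (kyrtool's WARNING); 1: key mismatch or a broken issuer/subject link
check_bundle() {
  tmp=$(mktemp -d)
  awk '/-----BEGIN .*PRIVATE KEY-----/{k=1} k{print} /-----END .*PRIVATE KEY-----/{k=0}' "$1" >"$tmp/key.pem"
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/c%02d.pem",d,n); c=1}
                   c{print >f} /-----END CERTIFICATE-----/{close(f); c=0}' "$1"
  set -- "$tmp"/c*.pem; rc=0; i=0
  echo "INFO: read $# certificates"
  [ "$(openssl pkey -in "$tmp/key.pem" -pubout)" = "$(openssl x509 -in "$1" -noout -pubkey)" ] \
    && echo "INFO: private key matches leaf certificate" || { echo "ERROR: key does not match leaf"; rc=1; }
  for c; do echo "INFO: cert $i signed with $(sig_alg "$c")"; i=$((i + 1)); done
  i=0; while [ $# -gt 1 ]; do   # each cert's issuer must be the subject of the next cert in the file
    [ "$(dn issuer "$1")" = "$(dn subject "$2")" ] \
      && echo "INFO: IssuerName of cert $i matches SubjectName of cert $((i + 1))" \
      || { echo "ERROR: cert $i is not issued by cert $((i + 1))"; rc=1; }
    i=$((i + 1)); shift
  done
  if [ "$(dn issuer "$1")" != "$(dn subject "$1")" ]; then
    echo "WARNING: final certificate in chain is not self-signed"; [ "$rc" -ne 0 ] || rc=2
  fi
  rm -rf "$tmp"; return "$rc"
}

# Constructed demo chain: root -> intermediate -> leaf, all signed with SHA-256
make_test_chain() {
  d=$1; k="-new -nodes -newkey rsa:2048"
  openssl req -x509 -sha256 -days 2 $k -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req $k -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -out "$d/int.pem" 2>/dev/null
  openssl req $k -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.key" "$d/leaf.pem" "$d/int.pem" >"$d/noroot.txt"   # what most CAs ship: no root
  cat "$d/noroot.txt" "$d/root.pem" >"$d/withroot.txt"           # root appended, as the reply advises
}
WORK=$(mktemp -d); make_test_chain "$WORK"
check_bundle "$WORK/noroot.txt";   echo "exit status $? (2 = WARNING: root missing)"
check_bundle "$WORK/withroot.txt"; echo "exit status $? (0 = chain ends in self-issued root)"
rm -rf "$WORK"
```

Pointing check_bundle at a real serverall.txt gives the same INFO/WARNING lines kyrtool prints, plus the hash used on every certificate, which is what the SSL Labs downgrade in the last reply is reacting to.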
