This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Nov 4, 2014, 6:00 PM
24 Posts

SHA-2 support for Domino 9.x has been delivered via Interim Fixes for 9.0.1 Fix Pack 2 and 9.0.

  • Category: Security
  • Platform: All Platforms
  • Release: 9.0.1,9.0
  • Role:
  • Tags:
  • Replies: 15
See the following Technote for the latest information:

Title: Planned SHA-2 deliveries for IBM Domino 9.x
Doc #: 1418982
URL:
http://www.ibm.com/support/docview.wss?uid=swg21418982
Nov 6, 2014, 9:20 AM
1 Posts
Not working

I've just installed the new fix on my IBM Traveler server.

Requested a new certificate with 4096 keys imported to the keyfile but still no luck.

Followed these guidelines http://www-01.ibm.com/support/docview.wss?uid=swg21418982

Sorry I probably didn't install the latest interim fix but the normal fix pack.

With the interim fix tls works!

Protocols
TLS 1.2  No
TLS 1.1  No
TLS 1.0  Yes
SSL 3    INSECURE Yes
SSL 2    No

Nov 6, 2014, 3:50 PM
94 Posts
SHA-2 != SSLv3
Some web site scanners are checking for the presence of SSLv3, as opposed to the presence of SSLv3 and the lack of TLS_FALLBACK_SCSV. Those scanners will complain about the continued support for SSLv3 in this IF, but that doesn't mean that your site is vulnerable to POODLE.

Since removing SSLv3 support would have prevented interoperability between patched and unpatched Domino servers, we haven't publicly announced any configuration options to disable SSLv3 yet.
Nov 6, 2014, 2:45 PM
51 Posts
SHA-2 & CSR (9.0.1.2IF1)

I'm attempting to follow the instructions but am stumped at next steps re: CSR. I'm used to using the old certificate request database (no CA running) to create keyring, copy CSR, merge, etc. Am I correct in assuming that SHA-2 support requires the CA process? I'm at step #23 (see 2nd link below) where it mentions copying the Request ID. This is not the CSR, correct? The # is way too short in comparison with past CSRs. Is the Request ID the same as the Pickup ID (assuming yes)? At this stage, it seems (including CAP process and active Internet Certifier) that all is 100% to proceed. Step #24 (While still in the Certificate Requests database, choose "Domino Key Ring Management" then "Pickup Key Ring Certificate.") makes it seem like it's a self-signed or something. I need to generate a new CSR for the 3rd party re-key. What am I missing? Is this where I need to use the KYRTOOL that was placed in the Notes program directory? If so, why did I create the keyring using the instructions in the 2nd link? Any assistance appreciated. Is the CA process even needed?

***update: I see a link re: 3rd-party CA but this seems to require openssl. Can you use OpenSSL for Windows (instructions are for Linux variants)? Since I have generated a keyring using Domino's CA and the certreq.nsf (listed as an option http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Domino_keyring), I'm hoping the KYRTOOL and OpenSSL are not needed. I just cannot figure out the next step re: CSR generation for the 3rd-party CA. Also, just in case, I did select SHA-512 when creating the new Internet Certifier.

http://www-01.ibm.com/support/docview.wss?uid=swg21418982

http://www-01.ibm.com/support/docview.wss?uid=swg21193730

Nov 6, 2014, 4:00 PM
94 Posts
There are two separate approaches to generate SHA-2 keyrings
The first is to use the CA process, create an Internet Certifier signed with the SHA-2 algorithm of your choice, and then use the certreq.nsf database with that CA process to create a keyring file.  The steps shown in the linked technote describe the process; the only thing that has changed with this IF is the ability to successfully use SHA-2 after upgrading your server running the CA process and the client that you are using to open certreq.nsf.  This does not involve CSRs or a third party CA; your Domino CA process is the CA in this scenario.

The second is to use OpenSSL to create a CSR which can be either self-signed via OpenSSL or signed by a third party CA, and then use kyrtool to import that information into a keyring file.  Yes, OpenSSL for Windows works -- I've used both OpenSSL for Windows and OpenSSL in Cygwin on Windows successfully.
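Dave's second route (OpenSSL CSR signed by a third party or self-signed, then kyrtool) written out as an added example; this is not code from the thread or from IBM. It assumes OpenSSL on PATH, uses placeholder hostnames, subject and notes.ini path, and the PEM bundle order and kyrtool subcommands are from my recollection of the kyrtool wiki, so check them against it before use.

```shell
#!/bin/sh
# Added example (not from the thread): the OpenSSL + kyrtool route to a SHA-2
# keyring. Assumes OpenSSL on PATH; names and paths are placeholders; bundle
# order and kyrtool subcommands are recalled from the kyrtool wiki (assumption).
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Private key plus a CSR signed with SHA-256. "-sha256" is explicit because
#    older OpenSSL builds default to SHA-1, the very thing this fix retires.
make_csr() {                      # make_csr <hostname> [bits] -> csr path
  host="$1"; bits="${2:-2048}"
  openssl genrsa -out "$WORK/$host.key" "$bits" 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$host.key" \
    -subj "/O=Example Org/CN=$host" -out "$WORK/$host.csr" 2>/dev/null
  echo "$WORK/$host.csr"
}

# 2. Check the CSR before it goes to the CA: signature algorithm and key size.
csr_sig_alg()  { openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
csr_key_bits() { openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }

# Self-signed certificate, only so the bundle step can be exercised without a CA.
self_sign() {                     # self_sign <csr> <key> -> cert path
  crt="${1%.csr}.crt"
  openssl x509 -req -sha256 -days 30 -in "$1" -signkey "$2" -out "$crt" 2>/dev/null
  echo "$crt"
}

# 3. kyrtool "import all" reads one text file: private key first, then the
#    server certificate, then intermediates, then the root (assumed order).
make_bundle() {                   # make_bundle <out.txt> <key> <cert> [chain.pem ...]
  out="$1"; shift; cat "$@" > "$out"; echo "$out"
}
bundle_cert_count()  { grep -c 'BEGIN CERTIFICATE' "$1"; }
bundle_first_block() { grep 'BEGIN' "$1" | head -n 1 | sed 's/^-*BEGIN \(.*[^-]\)-*$/\1/'; }

# 4. On the Notes/Domino machine (Windows shown; notes.ini path is a placeholder).
kyrtool_steps() {
  cat <<'EOF'
kyrtool =C:\Notes\notes.ini create -k keyfile.kyr -p <password>
kyrtool =C:\Notes\notes.ini verify server.txt
kyrtool =C:\Notes\notes.ini import all -k keyfile.kyr -i server.txt
EOF
}

main() {
  csr=$(make_csr www.example.com 2048)
  echo "CSR: $csr  sig=$(csr_sig_alg "$csr")  bits=$(csr_key_bits "$csr")"
  crt=$(self_sign "$csr" "$WORK/www.example.com.key")
  b=$(make_bundle "$WORK/server.txt" "$WORK/www.example.com.key" "$crt")
  echo "bundle $b: $(bundle_cert_count "$b") cert(s); first block: $(bundle_first_block "$b")"
  kyrtool_steps
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `--run` on a Linux or Cygwin box; copy the resulting server.txt (key, cert, chain) to the Notes/Domino machine for the kyrtool steps.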
Nov 6, 2014, 7:42 PM
51 Posts
Thanks Dave (SHA-2 & CSR (9.0.1.2IF1))

Dave,

Thanks for your response. I completed step #26 (link below) " When a "Merge Signed Certificate Confirmation" dialog box appears, verify the information and click OK. A "Certificate received into key ring" confirmation box should appear. Click OK." and the next step is copying the KYR/STH files to the server's data directory. I'm used to this step being after merging the 3rd-party certificate bundle into the KYR. From your posting, it sounds like these are 2 separate keyring files (one for the company Internet Certifier - created with CA) and the 2nd via OPENSSL/KYRTool for the actual HTTP domain used by the Domino web server. Is this correct?

***Also, any idea why I'm getting "The application is unable to start correctly (0xc000007b)..." when attempting to launch the KYRTool from the command line? I just copied the executable to the program directory. Were there other files?

http://www-01.ibm.com/support/docview.wss?uid=swg21193730


Nov 6, 2014, 9:44 PM
94 Posts
Yes, those are two separate keyring files
You generally would only want to take one of those two actions for any given server -- use the CA process and certreq for internal web sites when you don't want to spend money on a third-party cert, and use openssl and kyrtool to use third party certs instead.

The kyrtool executable stands alone.
In Windows, you can just run kyrtool.exe directly, and may need to add a parameter along the lines of =c:\lotus\notes\notes.ini to indicate your notes.ini.
On Linux, you may need to use the "startup" command as shown in the wiki unless your environment includes all of the relevant N/D library files.
Nov 7, 2014, 2:06 AM
51 Posts
Still cannot execute KYRTOOL

Dave, thanks for your continued support. I'm still encountering issues running the kyrtool. I unzipped in my Notes program folder. It creates a "kyrtool" folder with Linux32, Linux64, w32, w64, etc. The command below yields the "The application is unable to start correctly (0xc000007b)..." error. When I try from the w32 folder, it cannot find the nnotes.dll even though the location (C:\Program Files (x86)\IBM\Lotus\Notes) is confirmed. What am I doing wrong?

C:\Program Files (x86)\IBM\Lotus\Notes\kyrtool\w64> kyrtool =C:\Program Files (x86)\IBM\Lotus\Notes\notes.ini create -h

***I have tried without the "create" command and even attempted placing kyrtool.exe in the root program directory. My client has been upgraded to the latest level (9.0.1.2 with IF). I wouldn't think this matters re: just executing from the command line. 


Nov 7, 2014, 4:32 PM
107 Posts
Try putting kyrtool.exe directly in the Notes program folder, not a subfolder.
That's how it worked for me.
Nov 7, 2014, 10:34 PM
51 Posts
KYRTOOL in Program Folder

Jochen,

Thanks, I'll try again. I initially placed the kyrtool.exe file in the program folder w/o success. I kept getting the 0xc000007b error. I ran as administrator, etc. The wiki mentions extracting the ZIP file in the program directory. This creates the subfolders, of course. I'm using Windows 7 Professional. I'm assuming you're just launching from a CMD window. This seems so simple, not certain why I'm encountering a problem. I'm wondering whether my A/V or some other program is interfering. I might boot into safe mode or something to isolate other applications on my end.

Best regards,
Michael

Nov 7, 2014, 11:00 PM
3 Posts
Try the 32-bit version of kyrtool.exe

Michael -- Try using the 32-bit version of kyrtool.exe (located in the kyrtool\w32 folder of the kyrtool.zip file).  I can duplicate the error message you receive when I try the 64-bit version.

Richard

Nov 7, 2014, 11:16 PM
51 Posts
Thanks Richard (w32 KYRTOOL worked) + Internal CA vs. 3rd-party CA

Richard,

Update: I'm just wondering how many people are using the internal (Domino) CA vs. a 3rd party. I have always gone with 3rd party SSL certificates when external users accessed. If internal only and using LAN or VPN connection, I could see using the Domino CA process. What about internal users only accessing from the Internet? Would a keyring with certificate issued by the Domino CA be acceptable for internal users accessing a site? I just want to make sure there are no issues (e.g. Traveler, etc.).

Thanks, I'm certain I tried the 32-bit version earlier. It worked this time. I might have only attempted execution from w32 folder vs. directly in the program directory. When I copied to the program folder, it worked. There's definitely an issue with the 64-bit version.

Regards,
Michael

Nov 10, 2014, 8:50 PM
94 Posts
32 bit vs 64 bit and internal CAs
The 64-bit version of kyrtool will not be able to run against a 32-bit version of Notes/Domino -- if you're using 32-bit N/D on a 64-bit OS, you'll need to use the 32-bit version of kyrtool.

Some organizations centrally manage their end users' web browsers and certificate stores. In those cases, admins can easily distribute the root certs from their internal CAs, making them indistinguishable from a third party CA, just much less expensive and far more flexible.
Nov 11, 2014, 1:08 AM
3 Posts
Re: Thanks Richard (w32 KYRTOOL worked) + Internal CA vs. 3rd-party CA

Michael --

You're welcome.

 

Would a keyring with certificate issued by the Domino CA be acceptable for internal users accessing a site?

Absolutely.

 

I'm just wondering how many people are using the internal (Domino) CA vs. a 3rd party. I have always gone with 3rd party SSL certificates when external users accessed. If internal only and using LAN or VPN connection, I could see using the Domino CA process. What about internal users only accessing from the Internet?

If "external users" means the general public then it may make more sense to use third-party certificates instead of managing your own. But if your target audience is under your control (regardless of whether or not they access your servers internally or from the internet) as long as they're all able/willing to install your certificates, it probably makes better economic sense to create, manage and distribute your own (as Dave Kern from IBM points out in this thread). Domino is powerful enough to do this already so why pay a third party to do what you can do yourself at no additional cost?

Richard

Nov 22, 2014, 10:30 AM
18 Posts
more problems

Beyond the already known SMTP problem (I have a PMR open on that) I found more problems:

After creating a new SHA-256 certificate for a Domino 9.0.1 FP2 IF2 server with a 4096-bit (!) key length, I found that both DIIOP and LDAP were no longer accessible via their SSL/TLS ports, but HTTPS, IMAPS and SMTPS/STARTTLS were working. I could connect and retrieve the certificate successfully using a command line openssl client from these three ports but not from LDAPS and DIIOPS. Also, DIIOP gives an error message about not being able to load a certificate from a temporary file while starting. The file with the reported name briefly exists in the temp directory but is very quickly deleted again.

After creating yet another new SHA-256 based keyring with a 2048-bit key, LDAPS and DIIOPS were also accessible via the openssl check again. However, I still cannot really interact with the LDAPS service using, for example, the command line ldapsearch tool from my Notes client. I have no quick check tool available for DIIOPS ... also, DIIOP still gives the error message at startup about not being able to load from that temporary file.

It could well be that at least LDAPS has a similar SSL/TLS negotiation problem like SMTPS/STARTTLS.
