• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1740

Sharing a common SSL certificate with Apache

Our primary web server runs Apache. Our SSL certificate was due for renewal, and I have requested a wildcard certificate that (theoretically) can be used on all servers in our domain.  In order to do so, I used openssl on the Apache box to generate a .key keyfile and a .csr signing request which I have passed on to our Certificate Authority.

What I now want to do is use that same key to protect SSL'd IMAP and webmail connections to our Domino servers.  However, Domino requires its SSL keys in a .kyr keyring.

So, my question is: how do I go about converting/merging my existing .key and the signed certificate (when it arrives) into a keyring usable on our Domino servers?

(I've made this a 500-pointer because our existing certificate expires this weekend!)
Asked by: JEtkins
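Before the signed wildcard certificate is copied alongside the existing .key to the other Apache hosts, it is worth confirming that the two files actually belong together and that the certificate really carries the wildcard name. This is an added example, not code from the thread; it assumes the openssl command-line tool is installed and takes the certificate and private key file names as arguments.

```shell
#!/bin/sh
# Added example: sanity-check a CA-signed certificate against the private key
# it is supposed to pair with, as one would do before distributing a wildcard
# key/certificate pair to several servers. Assumes the openssl CLI is present.

# Print a SHA-256 fingerprint of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256
}

# Print a SHA-256 fingerprint of the public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

# Return 0 if the certificate's subject CN starts with "*." (a wildcard), else 1.
cert_is_wildcard() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case "$cn" in
        \*.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Combined check. Exit status: 0 = key and certificate match and the CN is a
# wildcard; 1 = the public keys differ (wrong key for this certificate);
# 2 = they match but the certificate is not a wildcard certificate.
check_wildcard_pair() {
    cert=$1; key=$2
    [ "$(cert_pubkey_fp "$cert")" = "$(key_pubkey_fp "$key")" ] || return 1
    cert_is_wildcard "$cert" || return 2
    return 0
}
```

Run it as `check_wildcard_pair wildcard.crt server.key` once the signed certificate arrives; a non-zero status means the files should not be deployed together.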
1 Solution
 
qwaletee commented:
Domino does not support wildcards in the keyring.

http://www-1.ibm.com/support/docview.wss?uid=swg21143294

JEtkins (Author) commented:
Thanks for that link, but I think IBM's wording is a little misleading.  

They say "Domino cannot use Wildcard SSL certificates," but I have demonstrated that to be untrue.  Domino can indeed use a wildcard certificate, ***as long as you use its own Server Certificate Admin tool to generate the keypair.***  I generated a self-signed *.mycompany.com certificate using Server Certificate Admin, and my Domino servers are happy to use it.  I can even generate a CSR for it.

What I CANNOT do, it seems, is export that key so that I can install it on a non-Domino server, or import a non-Domino key into a Domino keyring, using Lotus' supplied tools.  So I would have to generate two separate *.mycompany.com CSRs - one for my Domino boxes and one for my Apache boxes - which partially defeats the purpose of a wildcard certificate.

Given that SSL is an open standard, I was hoping that there would be a third-party tool that would enable me to export/import from a keyring, but that's eluding me.  Is Lotus' keyring a proprietary implementation?

qwaletee commented:
Well, that's EXACTLY why it is unsupported in Domino, because the whole point of a wildcard cert is that you have to create duplicate keys across all your servers, which implies that either:

1) every single server is just using a copy of the same key file (which only works if they all use a common keyring format)

    or

2) that one key file can serve as a source, export its key pair, and all other key files can import that key

#1 is out because Apache can't use Domino .kyr files and Domino can't use Apache .key files.

#2 is out, because as IBM says, Domino doesn't support import/export of the keys, which effectively means it does not support sharing keys with any other key file format, which finally means that you can't do wildcards with Domino.  You are correct that Domino can use an SSL cert that has a wildcard leading the host name, but that isn't really wildcard cert support until it can export the key for use with another server and/or import the key from another server, so that they can both use the same key certification from the CA.

JEtkins (Author) commented:
Well I guess we'll have to agree to disagree.  Where we apparently do agree is that I can use Domino to generate and certify a *.mycompany.com wildcard keypair, and I can then take that .kyr/.sth file pair and use it on any of my Domino servers.  Website visitors will never see a "certificate does not match hostname" warning, and that to my mind is wildcard certificate support.  

So I guess what I was hoping for (nay, expecting) was the ability to share a /keypair/ with a non-Domino server, but as that IBM document makes plain, /that/ is unsupported.  The fact that this has been an issue since R5 and there are no plans to address it tends to belie IBM's stated support of open standards.  Oh well.

qwaletee commented:
Sorry to tip your boat, but the format of the keyring file is not a standard anywhere.

If you must have this, you can use the built-in support for using the IIS HTTP stack instead of the built-in Domino HTTP stack, in which case you can push the wildcard cert into IIS, and Domino does not need to support it directly for the same benefit.