JEtkins asked:

Sharing a common SSL certificate with Apache

Our primary web server runs Apache. Our SSL certificate was due for renewal, and I have requested a wildcard certificate that (theoretically) can be used on all servers in our domain. In order to do so, I used openssl on the Apache box to generate a .key keyfile and a .csr signing request which I have passed on to our Certificate Authority.

What I now want to do is use that same key to protect SSL'd IMAP and webmail connections to our Domino servers. However, Domino requires its SSL keys in a .kyr keyring.

So, my question is: how do I go about converting/merging my existing .key and the signed certificate (when it arrives) into a keyring usable on our Domino servers?

(I've made this a 500-pointer because our existing certificate expires this weekend!)
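The first step the question describes (an openssl-generated key and CSR for a wildcard name), followed by the two checks worth running when the CA-signed certificate arrives: that it really belongs to the generated key, and which hostnames the wildcard covers. This is an added example, not code from the thread; it assumes openssl is on PATH and uses *.example.com in place of the real *.mycompany.com, with a self-signature standing in for the CA.

```shell
#!/bin/sh
# Added example (not code from the thread): the asker's first step, a private key
# and CSR for a wildcard name made with openssl, plus the two checks to run when
# the CA-signed certificate comes back. Assumes openssl on PATH; "*.example.com"
# stands in for the real *.mycompany.com.

# gen_wildcard_csr KEY CSR: 2048-bit RSA key and a CSR whose CN is the wildcard.
gen_wildcard_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" -subj "/CN=*.example.com" 2>/dev/null
}

# sign_csr_as_ca KEY CSR CRT: stand-in for the CA (self-signs with the same key)
# that adds the subjectAltName a real CA issues; clients match on SAN, not CN.
sign_csr_as_ca() {
    ext=$(mktemp)
    printf 'subjectAltName=DNS:*.example.com,DNS:example.com\n' > "$ext"
    openssl x509 -req -in "$2" -signkey "$1" -days 30 -sha256 \
        -extfile "$ext" -out "$3" 2>/dev/null
    rm -f "$ext"
}

# cert_matches_key CRT KEY: true when the certificate carries the public half of
# KEY, i.e. the certificate that came back really belongs to the key we generated.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -pubout)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_covers_host CRT HOST: true when HOST is matched by the certificate's names
# under OpenSSL's wildcard rules (*.example.com covers exactly one extra label).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo: key + CSR, pretend the CA signed it, then run both checks.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    gen_wildcard_csr "$d/wild.key" "$d/wild.csr"
    sign_csr_as_ca "$d/wild.key" "$d/wild.csr" "$d/wild.crt"
    cert_matches_key "$d/wild.crt" "$d/wild.key" && echo "certificate matches key"
    for h in www.example.com example.com deep.sub.example.com; do
        cert_covers_host "$d/wild.crt" "$h" && echo "covers $h" || echo "does not cover $h"
    done
    rm -rf "$d"
fi
```

Run with `sh script.sh --demo`; the last hostname is reported as not covered because a single wildcard label does not span a.b.example.com, which matters when "all servers in our domain" includes deeper subdomains.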
qwaletee:

Domino does not support wildcards in the keyring.

http://www-1.ibm.com/support/docview.wss?uid=swg21143294
JEtkins (asker):

Thanks for that link, but I think IBM's wording is a little misleading.

They say "Domino cannot use Wildcard SSL certificates," but I have demonstrated that to be untrue. Domino can indeed use a wildcard certificate, ***as long as you use its own Server Certificate Admin tool to generate the keypair.*** I generated a self-signed *.mycompany.com certificate using Server Certificate Admin, and my Domino servers are happy to use it. I can even generate a CSR for it.

What I CANNOT do, it seems, is export that key so that I can install it on a non-Domino server, or import a non-Domino key into a Domino keyring, using Lotus' supplied tools. So I would have to generate two separate *.mycompany.com CSRs - one for my Domino boxes and one for my Apache boxes - which partially defeats the purpose of a wildcard certificate.

Given that SSL is an open standard, I was hoping that there would be a third-party tool that would enable me to export/import from a keyring, but that's eluding me.  Is Lotus' keyring a proprietary implementation?
ASKER CERTIFIED SOLUTION
qwaletee:

This solution is only available to members.
JEtkins (asker):

Well I guess we'll have to agree to disagree. Where we apparently do agree is that I can use Domino to generate and certify a *.mycompany.com wildcard keypair, and I can then take that .kyr/.sth file pair and use it on any of my Domino servers. Website visitors will never see a "certificate does not match hostname" warning, and that to my mind is wildcard certificate support.

So I guess what I was hoping for (nay, expecting) was the ability to share a /keypair/ with a non-Domino server, but as that IBM document makes plain, /that/ is unsupported. The fact that this has been an issue since R5 and there are no plans to address it tends to belie IBM's stated support of open standards. Oh well.

Sorry to tip your boat, but the format of the keyring file is not a standard anywhere.

If you must have this, you can use the built-in support for using the IIS HTTP stack instead of the built-in Domino HTTP stack, in which case you can push the wildcard cert into IIS, and Domino does not need to support it directly for the same benefit.