Sharing a common SSL certificate with Apache

Posted on 2005-05-12
Last Modified: 2013-12-18
Our primary web server runs Apache. Our SSL certificate was due for renewal, and I have requested a wildcard certificate that (theoretically) can be used on all servers in our domain.  In order to do so, I used openssl on the Apache box to generate a .key keyfile and a .csr signing request which I have passed on to our Certificate Authority.

What I now want to do is use that same key to protect SSL'd IMAP and webmail connections to our Domino servers.  However, Domino requires its SSL keys in a .kyr keyring.

So, my question is: how do I go about converting/merging my existing .key and the signed certificate (when it arrives) into a keyring usable on our Domino servers?

(I've made this a 500-pointer because our existing certificate expires this weekend!)
Question by:JEtkins
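Before any attempt to move the Apache-generated pair to another server, it is worth reproducing the OpenSSL side of the question end to end and checking the pieces. The script below is an added example, not code from the original thread: it generates the wildcard key and CSR the way the question describes, stands in for the CA by self-signing the CSR so it runs offline, then verifies that the returned certificate really belongs to that private key and really is a wildcard, and finally packages key and certificate as PKCS#12 (the open interchange format; per the thread, Domino's .kyr is not one). The domain name, file names and password are placeholders, not values from the question, and the openssl CLI is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI is on
# PATH; DOMAIN and WORK are placeholders, not values taken from the question.
set -e
WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-example.com}"   # hypothetical domain

# Step 1: private key and wildcard CSR, the Apache-side part of the question.
gen_key_and_csr() {
  openssl genrsa -out "$WORK/wildcard.key" 2048 2>/dev/null
  chmod 600 "$WORK/wildcard.key"   # the key is the secret; the cert is public
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = *.$DOMAIN
[ext]
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN
EOF
  openssl req -new -sha256 -key "$WORK/wildcard.key" -config "$WORK/req.cnf" \
    -out "$WORK/wildcard.csr"
}

# Stand-in for the CA: self-sign the CSR so the example runs offline.
# In production the CA returns this file; everything below stays the same.
sign_as_stand_in_ca() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/wildcard.csr" \
    -signkey "$WORK/wildcard.key" -extfile "$WORK/req.cnf" -extensions ext \
    -out "$WORK/wildcard.crt" 2>/dev/null
}

# Step 2: before copying the pair anywhere, prove the returned certificate
# carries the public key of THIS private key (SHA-256 over the DER SubjectPublicKeyInfo).
key_matches_cert() {   # $1 key file  $2 cert file
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Step 3: confirm the cert is actually a wildcard (CN and SAN both carry "*.").
cert_is_wildcard() {   # $1 cert file
  openssl x509 -in "$1" -noout -subject | grep -q 'CN *= *\*\.' &&
  openssl x509 -in "$1" -noout -text | grep -q 'DNS:\*\.'
}

# Step 4: package key + cert as PKCS#12 for a server that can import that
# format; the bundle contains the private key, so protect it like the key.
export_pkcs12() {   # $1 key  $2 cert  $3 output .p12  $4 password
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
  chmod 600 "$3"
}

gen_key_and_csr
sign_as_stand_in_ca
key_matches_cert "$WORK/wildcard.key" "$WORK/wildcard.crt"
cert_is_wildcard "$WORK/wildcard.crt"
export_pkcs12 "$WORK/wildcard.key" "$WORK/wildcard.crt" "$WORK/wildcard.p12" changeit
echo "key, CSR, cert and PKCS#12 bundle written to $WORK"
```

The key/cert match check is the one worth keeping around: it is the same check to run after the CA returns the real certificate, and it fails loudly if a certificate generated on one box (say, by Domino's own Server Certificate Admin) is paired with a key generated on another, which is exactly the mix-up the thread's split-CSR situation invites.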
    LVL 31

    Expert Comment

    Domino does not support wildcards in the keyring.

    Author Comment

    Thanks for that link, but I think IBM's wording is a little misleading.  

    They say "Domino cannot use Wildcard SSL certificates," but I have demonstrated that to be untrue.  Domino can indeed use a wildcard certificate, ***as long as you use its own Server Certificate Admin tool to generate the keypair.***  I generated a self-signed * certificate using Server Certificate Admin, and my Domino servers are happy to use it.  I can even generate a CSR for it.

    What I CANNOT do, it seems, is export that key so that I can install it on a non-Domino server, or import a non-Domino key into a Domino keyring, using Lotus' supplied tools.  So I would have to generate two separate * CSR's - one for my Domino boxes and one for my apache boxes - which partially defeats the purpose of a wildcard certificate.

    Given that SSL is an open standard, I was hoping that there would be a third-party tool that would enable me to export/import from a keyring, but that's eluding me.  Is Lotus' keyring a proprietary implementation?
    LVL 31

    Accepted Solution

    Well, that's EXACTLY why it is unsupported in Domino, because the whole point of a wildcard cert is that you have to create duplicate keys across all your servers, which implies that either:

    1) every single server is just using a copy of the same key file (which only works if they all use a common keyring format)

    2) that one key file can serve as a source, export its key pair, and all other key files can import that key

    #1 is out because Apache can't use Domino .kyr files and Domino can't use Apache .key files.

    #2 is out, because as IBM says, Domino doesn't support import/export of the keys, which effectively means it does not support sharing keys with any other key file format, which finally means that you can't do wildcards with Domino.  You are correct that Domino can use an SSL cert that has a wildcard leading the host name, but that isn't really wildcard cert support until it can export the key for use with another server and/or import the key from another server, so that they can both use the same key certification from the CA.

    Author Comment

    Well I guess we'll have to agree to disagree.  Where we apparently do agree is that I can use Domino to generate and certify a * wildcard keypair, and I can then take that .kyr/.sth file pair and use it on any of my Domino servers.  Website visitors will never see a "certificate does not match hostname" warning, and that to my mind is wildcard certificate support.  

    So I guess what I was hoping for (nay, expecting) was the ability to share a /keypair/ with a non-Domino server, but as that IBM document makes plain, /that/ is unsupported.  The fact that this has been an issue since R5 and there are no plans to address it, tends to belie IBM's stated support of open standards.  Oh well.
    LVL 31

    Expert Comment

    Sorry to tip your boat, but the format of the keyring file is not a standard anywhere.

    If you must have this, you can use the built-in support for using the IIS HTTP stack instead of the built-in Domino HTTP stack, in which case, you can push the wildcard cert into IIS, and Domino does not need to support it directly for the same benefit.
