Workaround for StartSSL and Domino [Repost]

Hi,

I don’t know if you still need it but here is my workaround to get a StartSSL free certificate in Domino.

I use OpenSSL on my Linux server to create a new certificate.
Here are the commands I used to create a key and a CSR file:

* openssl genrsa -des3 -out keyfile.key 2048

* openssl req -new -key keyfile.key -out request.csr (Answer the usual questions)

------keyfile.key/request.csr


Request the certificate from StartSSL with the CSR file.

-------request.csr-->cert.crt


With your new cert file, you have to create a PKCS (.p12) key file using openssl:

* openssl pkcs12 -export -in cert.crt -inkey keyfile.key -out cert.p12

-----cert.crt+keyfile=cert.p12


Create a new keyring (.kyr) file with the certsrv.nsf database, using the SAME information as in the Linux certificate.

Import the StartSSL Root certificate into the key ring file:
Get the "ca.pem" certificate and Merge it into your kyr file.
Get the "Sub Class 1" certificate and Merge it into your kyr file.


Now the tricky part…

To import the .p12 file into a Domino keyring, you need GSK5-iKeyMan (DOWNLOAD).
(This tool might not work in Windows Vista and newer OSes; it’s working in 2003.)
  • Extract the gsk5-ikeyman.zip file into a directory that has no spaces in the name
  • Start the command line shell (cmd), change directory to the directory where you extracted gsk5.
  • Execute the following command: gskregmod.bat Add
  • Run IKeyman by executing: runikeyman.bat
  • Open the keyfile.kyr file that we created earlier and enter the keyring password.
  • Select Personal certificates and click Import
  • Select the certificate file (.p12) and enter the certificate's password.
Shut down IKeyman and copy the keyfile.kyr and matching keyfile.sth to your Domino server's data directory.

Configure your Domino server to use this keyring file and restart the http task (or restart Domino).


*** Weird thing… 

When I tried to import my “www.mydomain.com” PKCS key into my keyring, I got a bad p12 certificate error from gsk5. Everything went well with my 3 other “test” keyrings. To test my keyring, I imported my “test.p12” file into my “www” keyring and it worked. I then retried importing my “www.p12” into the keyring and it was now ok. I removed the “test” certificate from the keyring. I noticed that my “www.crt” was not the same size as my test.crt file… maybe something is missing in the www one!!!!

(I hope I’m clear enough ;-)

With this procedure, I can even import any of my existing certificates into a keyring.

Have a nice free SSL testing!!! :-)

Pat

Feedback number  WEBB8H8UMU  created by  on  2012-12-13
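
A pre-import check for the files the post's procedure produces, which may help narrow down an error like the "bad p12 certificate" one mentioned above before the bundle is opened in IKeyman. This is an added example, not part of the original post or of any Domino or GSKit tooling; the function names are hypothetical, and it assumes the `openssl` command line tool and the post's file names.

```shell
#!/bin/sh
# Added example: pre-import sanity checks for cert.crt, keyfile.key and cert.p12.
# PASSARG values use OpenSSL's pass phrase syntax (pass:..., env:VAR, file:PATH);
# prefer env: or file: so the pass phrase does not appear in the process list.

# Succeeds only if the certificate and the private key carry the same public key.
check_cert_matches_key() {   # usage: check_cert_matches_key CERT KEY KEY_PASSARG
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "$3" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the .p12 opens with the given pass phrase and its end-entity
# certificate has the same public key as CERT.
check_p12_holds_cert() {     # usage: check_p12_holds_cert P12 P12_PASSARG CERT
    p12_pub=$(openssl pkcs12 -in "$1" -passin "$2" -nokeys -clcerts 2>/dev/null |
              openssl x509 -noout -pubkey 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$p12_pub" ] && [ "$p12_pub" = "$cert_pub" ]
}

# Runs both checks and reports; returns non-zero if either one fails.
preimport_check() {  # usage: preimport_check CERT KEY KEY_PASSARG P12 P12_PASSARG
    rc=0
    if check_cert_matches_key "$1" "$2" "$3"; then echo "OK   $1 matches $2"
    else echo "FAIL $1 does not match $2 (or a file could not be read)"; rc=1; fi
    if check_p12_holds_cert "$4" "$5" "$1"; then echo "OK   $4 contains $1"
    else echo "FAIL $4 unreadable or does not contain $1"; rc=1; fi
    return "$rc"
}

# Example call with the post's file names (KEYPW and P12PW exported beforehand):
#   preimport_check cert.crt keyfile.key env:KEYPW cert.p12 env:P12PW
if [ "$#" -eq 5 ]; then preimport_check "$@"; fi
```

A failure of the first check means the certificate was issued for a different key than keyfile.key; a failure of the second means the .p12 could not be opened with that pass phrase or does not contain the expected certificate.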