Search This Blog

Tuesday, December 6, 2011

Moving an IIS SSL certificate to a Domino Keyring File
Today I had a support call from a customer who had bought an SSL certificate from Verisign to cover their entire domain.  Verisign had issued the certificate and it had been applied to their existing IIS servers however they now wanted to use it on their Domino web server as well. The scope of the certifier covered the Domino server (same wildcard domain) but Verisign wouldn't process another request from a Domino keyring file as they had already issued the key in response to the IIS request.  They agreed to cancel the IIS certificate and issue a new one for Domino but according to their tech support

"the use of the wildcard domain covers you for up to 10 servers so long as you can copy the same certificate between the servers.  As Domino and IIS are incompatible you have to buy a new certificate"

Well that seemed like a gyp so I decided to prove it could be done.  With the help of some related IBM technotes this is what I did to get it working.  

  1. Created an exported pfx file from IIS
  2. Went to a domino server and from a prompt found the directory  \domino\jvm\bin directory and ran the file "ikeyman" within it
  3. Created a new Key DB file by browsing to the IIS exported pfx file and importing it as PKCS
  4. Examined the imported certificate and noted the certificate settings such as Organisation, OU, L etc
  5. Closed ikeyman
  6. Created a new key ring file using the Secure Certificate Admin db on Domino
  7. Gave it the exact same settings as the original IIS certificate noted down in step 4.
  8. Installed the trusted root certificate into the key ring file
  9. Copied the .kyr and .sth files to the server where ikeyman ran and where the PKCS file generated in step 3 was located
  10. Downloaded gsk version of ikeyman to handle Domino key ring files from here
  11. Extracted zip file to folder 'gsk' on server (folder can be called anything but no spaces)
  12. Ran "gskregmod.bat Add" from command prompt within extracted folder
  13. Launched the ikeyman from dos prompt in the newly extracted folder by typing "runikeyman.bat"
  14. Chose Key Database File - Open and selected the kyr file I copied to the server in step 9
  15. Go to Personal Certificates and click 'Import' then choose 'PKCS' and import the file generated in step 3

You should now have a .kyr file that contains the certificate and can be copied back to your destination Domino server along with its .sth file.

1 comment:

  1. Wildcard SSL certificate from P12/PFX file into Domino

    I did some documentation and a checklist on how to do this at my company blog.

    Maybe that could help you out, here is the link: