Domino AppDev Pack

1.0.14

Configure the server key and certificate

Proton and LDAP will use the same server certificate. Both services run on the same machine and use the same hostname, therefore they can share the same key. You can use a different server certificate for each service, though.

  • create the private key
  • create the certificate signing request
  • sign the certificate request (a separate administrator may do this task)
  • import the key into a domino keystore
  • configure the keystore in domino

Create private key

Use the following command to create the server's private key. The command is similar to the one used to create the CA's private key:

c:\certs>openssl genrsa -passout pass:1234 -des3 -out appsdb1.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
............................................................................................++++
.......................++++
e is 65537 (0x010001)

This part of the command -passout pass:1234 sets the password when writing the private key. Change as needed.

Create certificate signing request (CSR)

Use the following command to create the certificate signing request. This command makes a request to a certificate authority to sign your key without communicating the contents of your private key.

c:\certs>openssl req -passin pass:1234 -new -key appsdb1.key -out appsdb1.csr -subj "/O=Jumbo Cloud Servers/CN=appsdb1" -sha256

The command creates a file called appsdb1.csr which is then sent to the certificate authority for signing.

This part of the command -subj "O=Jumbo Cloud Servers/CN=appsbd1" is the subject name requested.

Sign the CSR

The Internal CA administrator performs the following steps to sign the CSR:

  1. create a temporary file containing certificate extensions to use in the signing operation.
  2. sign the CSR and generate the signed certificate.

Create temporary file to specify extensions

Create a temporary file that specifies:

  • the Subject Alternate Name (SAN) for the certificate. The SAN specifies all the domain names and/or ip addresses that are secured by this certificate. In practical terms, the SAN specification must have all the host names or ip addresses that clients may use to connect to the services using this certificate. (reference)
  • the Extended Key Usage that specifies the key may be used for server authentication. (reference)

In our example, the temporary file contains the following data. The name of the file is not important, but be sure to use the same file name on the next step where this file is used.

c:\certs>type appsdb1ext.txt
subjectAltName=DNS:appsdb1.jumbocloudservices.com
extendedKeyUsage=serverAuth

The host name is case-sensitive. In this example, a client cannot specify APPSDB1.jumbocloudservices.com to connect to Proton because the case is different than that specified in the SAN.

Sign CSR with extensions

Issue the following command to sign the CSR. The command provides two key pieces of data:

  • The name of the temporary file containing the signing extensions: -extfile appsdb1ext.txt
  • Certificate expiration: -days 500
c:\certs>openssl x509 -passin pass:1234 -req -days 500 -in appsdb1.csr -CA internalca.crt -CAkey internalca.key -out appsdb1.crt -CAcreateserial -CAserial ca.seq -extfile appsdb1ext.txt
Signature ok
subject=O = Jumbo Cloud Servers, CN = appsdb1
Getting CA Private Key

This operation creates the file appsdb1.csr which contains the signed certificate.

Inspect the certificate

Issue the following command to inspect the certificate file appsdb1.csr. Note that the output includes the following:

  • The subject name for the certificate. The is the name requested in the CSR.
  • The Internal CA as the signer of the certificate.
  • The extension attributes for the SAN and key usage.
  • The certificate validity dates
c:\certs>openssl x509 -in appsdb1.crt -text -noout -certopt no_pubkey,no_sigdump
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:2d:f4:60:89:33:35:cc:27:1d:32:b8:cf:27:8c:b8:31:50:58:65
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Jumbo Cloud Services, CN = Internal Certificate Authority
        Validity
            Not Before: Dec  4 20:09:02 2019 GMT
            Not After : Apr 17 20:09:02 2021 GMT
        Subject: O = Jumbo Cloud Servers, CN = appsdb1
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:appsdb1.jumbocloudservices.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication

You can remove the -certopt no_pubkey,no_sigdump option to print the bytes of the public key and signature.

Create your Internal Certificate AuthorityConfigure the server keyring file