Create your Internal Certificate Authority
The instructions below explain how to create your own certificate authority so that you can issue client and server certificates where needed. We use a commonly available tool, called openssl, to create the root certificate and later to create additional certificates.
Create the private key
Use the following command to create the CA's private key:
c:\certs>openssl genrsa -passout pass:1234 -des3 -out internalca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................................................................................................................++++
..++++
e is 65537 (0x010001)
The command creates the file called internalca.key, which contains the 4096-bit private key, protected with the password 1234. Change the password as needed.
Create the Self-signed certificate
Use the following command to generate the CA's certificate. The certificate will be self-signed.
c:\certs>openssl req -passin pass:1234 -new -x509 -days 2000 -key internalca.key -out internalca.crt -subj "/O=Jumbo Cloud Services/CN=Internal Certificate Authority" -sha256
The command creates the file called internalca.crt, which contains the self-signed certificate based on the private key created above. At this time we also provide these key pieces of data:
- Subject Name (-subj "/O=Jumbo Cloud Services/CN=Internal Certificate Authority"): the name of the certificate authority. Change it as needed to reflect the name of your organization.
- Expiration (-days 2000): the number of days before the certificate expires.
- Password (-passin pass:1234): the password that protects the private key.
Inspect the certificate
Use the following command to show the contents of your certificate. This command will work for any certificate, not just the internal CA.
c:\certs>openssl x509 -in internalca.crt -text -noout -certopt no_pubkey,no_sigdump
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:5b:ec:eb:9e:b9:3e:39:35:86:a3:b1:98:89:be:9c:67:8a:77:b0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Jumbo Cloud Services, CN = Internal Certificate Authority
        Validity
            Not Before: Nov 25 13:17:45 2019 GMT
            Not After : May 17 13:17:45 2025 GMT
        Subject: O = Jumbo Cloud Services, CN = Internal Certificate Authority
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                87:F6:15:6C:2B:A7:E9:EB:B0:1E:52:21:23:13:52:73:EF:63:6F:AC
            X509v3 Authority Key Identifier:
                keyid:87:F6:15:6C:2B:A7:E9:EB:B0:1E:52:21:23:13:52:73:EF:63:6F:AC
            X509v3 Basic Constraints: critical
                CA:TRUE
Note:
It has been observed that RSA private keys in PKCS#1 format generated with 'step-ca' (smallstep) do not work with Java-domino-db: the connection is refused and the server console shows the error message 'OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE'.
In such scenarios, convert the PKCS#1 key to a PKCS#8 key with the following OpenSSL command:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in <pkcs#1.key> -out <pkcs#8.key>
Using the PKCS#8 private key resolves the issue.
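As an added example that is not part of this documentation, the following standard-library Python script checks which of the two structures a PEM file actually holds (PKCS#1 RSAPrivateKey or PKCS#8 PrivateKeyInfo) and performs the same wrapping that the openssl pkcs8 -topk8 -nocrypt command above performs for an RSA key. The embedded sample key is constructed from toy integers for parsing only and is not a usable key.

```python
# Added example: detect PKCS#1 vs PKCS#8 by DER structure; wrap like `openssl pkcs8 -topk8 -nocrypt`.
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption

def tlv(tag, body):
    """DER tag-length-value; long-form length for bodies of 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem):
    """Drop the BEGIN/END lines and base64-decode the body."""
    return base64.b64decode("".join(line.strip() for line in pem.splitlines() if not line.startswith("-----")))

def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def key_format(pem):
    """Both formats start SEQUENCE { INTEGER version, X, ... }: X is the modulus
    (INTEGER) in PKCS#1 and the AlgorithmIdentifier (SEQUENCE) in PKCS#8."""
    tag, seq, _ = read_tlv(pem_to_der(pem))
    _, _, pos = read_tlv(seq)                           # skip the version INTEGER
    kind = {0x02: "pkcs1", 0x30: "pkcs8"}.get(read_tlv(seq, pos)[0])
    if tag != 0x30 or kind is None:
        raise ValueError("not an RSA PKCS#1 or PKCS#8 private key")
    return kind

def pkcs1_to_pkcs8(pem):
    """PrivateKeyInfo ::= SEQUENCE { INTEGER 0, AlgorithmIdentifier, OCTET STRING (RSAPrivateKey) }."""
    if key_format(pem) != "pkcs1":
        raise ValueError("expected a PKCS#1 (BEGIN RSA PRIVATE KEY) key")
    alg = tlv(0x30, RSA_OID + b"\x05\x00")              # { rsaEncryption, NULL }
    info = tlv(0x30, b"\x02\x01\x00" + alg + tlv(0x04, pem_to_der(pem)))
    return der_to_pem("PRIVATE KEY", info)

# Constructed sample: structurally valid RSAPrivateKey (version 0, n=3233, e=17, d=413,
# p=61, q=53, dP=53, dQ=49, qInv=38); toy integers, not a usable key.
SAMPLE_PKCS1 = der_to_pem("RSA PRIVATE KEY", bytes.fromhex(
    "301d 020100 02020ca1 020111 0202019d 02013d 020135 020135 020131 020126"))
```

The PKCS#8 output keeps the original RSAPrivateKey bytes unchanged inside the OCTET STRING, which is why the conversion needs no password and loses nothing.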
About administration
It is important to keep the private key for the Internal Certificate Authority a secret. Anyone who knows the password to the CA private key can generate certificates signed by the certificate authority for any purpose. In larger organizations, the CA administrator may be a different person from the administrators who create the certificate signing requests.