Proton and LDAP will use the same server certificate. Both services run on the same machine and use the same hostname, therefore they can share the same key. You can use a different server certificate for each service, though.
- create the private key
- create the certificate signing request
- sign the certificate request (a separate administrator may do this task)
- import the key into a domino keystore
- configure the keystore in domino
Create private key
Use the following command to create the server's private key. The command is similar to the one used to create the CA's private key:
c:\certs>openssl genrsa -passout pass:1234 -des3 -out appsdb1.key 4096 Generating RSA private key, 4096 bit long modulus (2 primes) ............................................................................................++++ .......................++++ e is 65537 (0x010001)
This part of the command
-passout pass:1234 sets the password when writing the private key. Change as needed.
Create certificate signing request (CSR)
Use the following command to create the certificate signing request. This command makes a request to a certificate authority to sign your key without communicating the contents of your private key.
c:\certs>openssl req -passin pass:1234 -new -key appsdb1.key -out appsdb1.csr -subj "/O=Jumbo Cloud Servers/CN=appsdb1" -sha256
The command creates a file called
appsdb1.csr which is then sent to the certificate authority for signing.
This part of the command
-subj "O=Jumbo Cloud Servers/CN=appsbd1" is the subject name requested.
Sign the CSR
The Internal CA administrator performs the following steps to sign the CSR:
- create a temporary file containing certificate extensions to use in the signing operation.
- sign the CSR and generate the signed certificate.
Create temporary file to specify extensions
Create a temporary file that specifies:
- the Subject Alternate Name (SAN) for the certificate. The SAN specifies all the domain names and/or ip addresses that are secured by this certificate. In practical terms, the SAN specification must have all the host names or ip addresses that clients may use to connect to the services using this certificate. (reference)
- the Extended Key Usage that specifies the key may be used for server authentication. (reference)
In our example, the temporary file contains the following data. The name of the file is not important, but be sure to use the same file name on the next step where this file is used.
c:\certs>type appsdb1ext.txt subjectAltName=DNS:appsdb1.jumbocloudservices.com extendedKeyUsage=serverAuth
The host name is case-sensitive. In this example, a client cannot specify
APPSDB1.jumbocloudservices.com to connect to Proton because the case is
different than that specified in the SAN.
Sign CSR with extensions
Issue the following command to sign the CSR. The command provides two key pieces of data:
- The name of the temporary file containing the signing extensions:
- Certificate expiration:
c:\certs>openssl x509 -passin pass:1234 -req -days 500 -in appsdb1.csr -CA internalca.crt -CAkey internalca.key -out appsdb1.crt -CAcreateserial -CAserial ca.seq -extfile appsdb1ext.txt Signature ok subject=O = Jumbo Cloud Servers, CN = appsdb1 Getting CA Private Key
This operation creates the file
appsdb1.csr which contains the signed
Inspect the certificate
Issue the following command to inspect the certificate file
appsdb1.csr. Note that the output includes the following:
- The subject name for the certificate. The is the name requested in the CSR.
- The Internal CA as the signer of the certificate.
- The extension attributes for the SAN and key usage.
- The certificate validity dates
c:\certs>openssl x509 -in appsdb1.crt -text -noout -certopt no_pubkey,no_sigdump Certificate: Data: Version: 3 (0x2) Serial Number: 36:2d:f4:60:89:33:35:cc:27:1d:32:b8:cf:27:8c:b8:31:50:58:65 Signature Algorithm: sha256WithRSAEncryption Issuer: O = Jumbo Cloud Services, CN = Internal Certificate Authority Validity Not Before: Dec 4 20:09:02 2019 GMT Not After : Apr 17 20:09:02 2021 GMT Subject: O = Jumbo Cloud Servers, CN = appsdb1 X509v3 extensions: X509v3 Subject Alternative Name: DNS:appsdb1.jumbocloudservices.com X509v3 Extended Key Usage: TLS Web Server Authentication
You can remove the
-certopt no_pubkey,no_sigdump option to print the bytes
of the public key and signature.