Blog

Our News/Articles/Opinions/Technotes from the world of HCL Digital Solutions

Can I use a pre-existing SSL certificate with Domino?


Here’s a common problem that comes up and the documentation on it is pretty non-existent (or more accurately the information is out there but not Domino specific so you really have to know what you’re doing to get it done).


An organisation has purchased a SSL certificate, often a wildcard cert. Something like *.mycompany.com.  They use it on other non-Domino web services.  Can you use the same cert in Domino (without creating a csr and re-keying the cert)?


The short answer, yes.

Here’s the bluffers guide on how to do it.

There’s two scenarios here:


1.  [This is the easiest scenario to deal with] Whoever has access to the cert provides you with the SSL cert and an unencrypted private .key file.  You can proceed from step 5 here (as if you created the .key file yourself and created a csr). You may need to get the Root and Intermediary certs yourself, which I’ve posted helpful instructions on here.

2. [This is the most likely scenario in my experience].  Whoever has access to the cert provides you with a pfx file and a password.  The pfx file stores the cert and an encrypted version of the private key (used to create the csr that the cert was created from).

To deal with this:-

Put the pfx file in a directory (eg c:\extract\)


We assume you already have openssl installed (if not get it here).  You open a command prompt and navigate to the bin directory wherever openssl is installed


cd C:\OpenSSL-Win64\bin (or something like c:\program files\OpenSSL-Win64\bin)


The first command to run is:

openssl pkcs12 -in c:\extract\secure.pfx -nocerts -out c:\extract\encrypted.key

you will be prompted for the password of the pfx file first. (It actually says “Import Password”).

Then, you’re prompted for a passphrase to add to the the encrypted version of the private key you’re just about to create. (that sounds more complicated than it is – it’s just asking you to make up a passphrase, you’ll need it in the next step and likely never again). It will tell you if you’ve been successful.


You’ll then need to decrypt that key with the following command


openssl rsa -in c:\extract\encrypted.key -out c:\extract\server.key

You will be prompted for the passphrase you just created above.


Next you can extract the SSL cert with the following:


openssl pkcs12 -in c:\extract\secure.pfx -clcerts -nokeys -out c:\extract\site.crt

You’ll be prompted for the password of the pfx file.

You should now have the (unencrypted) key file (server.key) and the SSL cert (site.crt). If you need the Root and Intermediary certs you can follow this.

You can then proceed to step 5 in the default instructions for creating a keyring file for a Third Party certified SSL cert.

It’s easy when you know how.

Cormac McCarthy – Domino People Ltd

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>