Here’s a common problem that comes up and the documentation on it is pretty non-existent (or more accurately the information is out there but not Domino specific so you really have to know what you’re doing to get it done).
An organisation has purchased a SSL certificate, often a wildcard cert. Something like *.mycompany.com. They use it on other non-Domino web services. Can you use the same cert in Domino (without creating a csr and re-keying the cert)?
The short answer, yes.
Here’s the bluffers guide on how to do it.
There’s two scenarios here:
1. [This is the easiest scenario to deal with] Whoever has access to the cert provides you with the SSL cert and an unencrypted private .key file. You can proceed from step 5 here (as if you created the .key file yourself and created a csr). You may need to get the Root and Intermediary certs yourself, which I’ve posted helpful instructions on here.
2. [This is the most likely scenario in my experience]. Whoever has access to the cert provides you with a pfx file and a password. The pfx file stores the cert and an encrypted version of the private key (used to create the csr that the cert was created from).
To deal with this:-
Put the pfx file in a directory (eg c:\extract\)
We assume you already have openssl installed (if not get it here). You open a command prompt and navigate to the bin directory wherever openssl is installed
cd C:\OpenSSL-Win64\bin (or something like c:\program files\OpenSSL-Win64\bin)
The first command to run is:
openssl pkcs12 -in c:\extract\secure.pfx -nocerts -out c:\extract\encrypted.key
you will be prompted for the password of the pfx file first. (It actually says “Import Password”).
Then, you’re prompted for a passphrase to add to the the encrypted version of the private key you’re just about to create. (that sounds more complicated than it is – it’s just asking you to make up a passphrase, you’ll need it in the next step and likely never again). It will tell you if you’ve been successful.
You’ll then need to decrypt that key with the following command
openssl rsa -in c:\extract\encrypted.key -out c:\extract\server.key
You will be prompted for the passphrase you just created above.
Next you can extract the SSL cert with the following:
openssl pkcs12 -in c:\extract\secure.pfx -clcerts -nokeys -out c:\extract\site.crt
You’ll be prompted for the password of the pfx file.
You should now have the (unencrypted) key file (server.key) and the SSL cert (site.crt). If you need the Root and Intermediary certs you can follow this.
You can then proceed to step 5 in the default instructions for creating a keyring file for a Third Party certified SSL cert.
It’s easy when you know how.
Cormac McCarthy – Domino People Ltd
