Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Creating Internal use X.509 Certs

Daniel Nashed  28 September 2019 13:58:30
For one of my test servers I needed a proper certificate. A self-signed cert works in many cases, but creating your own internal CA has benefits: you can have the CA root trusted in your browser, and every certificate it issues is then trusted as well.
I needed a certificate for a local test server today and used the script I developed for the Docker project.

A while ago I updated the script to also add additional SANs (Subject Alternative Names), and it also adds the SANs to the CSR if you use the script with an external CA.
Even when generating a certificate with just a single DNS name, that name also needs to be in the SAN, because browsers match the host name against the SAN and not against the CN.
This was implemented from the beginning, but now you can add more SANs.

Once you have configured the script, generating a proper certificate is just a matter of invoking it.
The CA directory contains the CA root, which you add to your browser afterwards.

Here is the example and here is the link to the script --> https://github.com/IBM/domino-docker/blob/develop/management/manage_certs.sh

The script creates the private key and generates the CSR; depending on the configuration, the request is signed by the local CA, and everything is merged together into a single PEM.
That PEM is imported into a matching keyring file -- if the kyrtool is installed and you are running as "notes".

-- Daniel

 ./manage_certs.sh "traveler-nashcom-loc" "/C=DE/O=NashCom/CN=traveler.nashcom.loc" "traveler.nashcom.loc,trav2.nashcom.loc,trav2.nashcom.loc"

(Using config file /local/cfg/certmgr_config)
Generating key [/local/certmgr/key/traveler-nashcom-loc.key]
Generating RSA private key, 2048 bit long modulus
...........................................+++
...+++
e is 65537 (0x10001)
Creating certificate Sign Request (CSR) [/local/certmgr/csr/traveler-nashcom-loc.csr]
Removing [/local/certmgr/pem/traveler-nashcom-loc_all.pem]
Signing CSR [/local/certmgr/csr/traveler-nashcom-loc.csr] with local CA
Signature ok
subject=/C=DE/O=NashCom/CN=traveler.nashcom.loc
Getting CA Private Key
Removing [/local/certmgr/csr/traveler-nashcom-loc.csr]

Keyfile /local/certmgr/kyr/traveler-nashcom-loc.kyr created successfully


Using keyring path '/local/certmgr/kyr/traveler-nashcom-loc.kyr'
Successfully read 2048 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
SECIssUpdateKeyringLeafCert succeeded

--------------------------------------------
 traveler-nashcom-loc -> OK
--------------------------------------------
 KeyLen       :  2048 bit
 Subject      :  /C=DE/O=NashCom/CN=traveler.nashcom.loc
 DNS NAME     :  traveler.nashcom.loc, DNS
 Valid Until  :  Sep 25 10:12:07 2029 GMT
--------------------------------------------
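The same flow with plain openssl commands, as an added example that is not the manage_certs.sh script from the post: key, CSR carrying the SANs, signing with a local CA, merged PEM, and a check that the issued cert actually contains the SAN. It assumes openssl is on the PATH; the CA name, directory and the DNS names below are constructed sample values.

```shell
#!/bin/sh
# Added example (not manage_certs.sh): internal CA + SAN certificate with openssl.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed: scratch dir instead of /local/certmgr

# Create the internal CA root once; ca.pem is what you import into the browser.
make_ca() {
  [ -f "$WORKDIR/ca.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" \
    -subj "/C=DE/O=NashCom/CN=NashCom Internal CA (sample)" 2>/dev/null
}

# make_cert NAME SUBJECT SANLIST   (SANLIST: comma separated DNS names)
make_cert() {
  name="$1"; subject="$2"; sans="$3"
  san_ext="subjectAltName=DNS:$(printf '%s' "$sans" | sed 's/,/,DNS:/g')"
  ext="$WORKDIR/$name.ext"
  printf '%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "$san_ext" > "$ext"
  openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
  # The CSR carries the SANs, which is what an external CA needs to see ...
  openssl req -new -key "$WORKDIR/$name.key" -subj "$subject" \
    -addext "$san_ext" -out "$WORKDIR/$name.csr" 2>/dev/null
  # ... but "x509 -req" does not copy CSR extensions into the signed cert, so the
  # SANs are passed again via -extfile; without this the cert has no SAN at all.
  openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.pem" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$ext" -out "$WORKDIR/$name.crt" 2>/dev/null
  # Merge private key, leaf cert and CA root into one PEM, as the post describes.
  cat "$WORKDIR/$name.key" "$WORKDIR/$name.crt" "$WORKDIR/ca.pem" \
    > "$WORKDIR/${name}_all.pem"
  rm -f "$WORKDIR/$name.csr"
}

# check_cert NAME DNSNAME -> 0 only if the cert chains to the CA root AND
# DNSNAME is listed in the SAN (CN alone is not enough for a browser).
check_cert() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/$1.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -qE "DNS:$2(,|\$)"
}

make_ca
make_cert traveler-nashcom-loc "/C=DE/O=NashCom/CN=traveler.nashcom.loc" \
  "traveler.nashcom.loc,trav2.nashcom.loc"
```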
