Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 

Daniel Nashed

 

How to create exportable TLS Credentials with Domino 12.0.1

Daniel Nashed  25 November 2021 06:59:57

CertMgr in Domino 12.0.1 introduces export/import functionality. You can import existing PEM, PKCS12 and kyr files.

If you mark them to be exportable during import or create an exportable key, you can export it later.

This works with manual and also ACME (Let's Encrypt) flows.


How does this work?


In Domino 12.0, certstore.nsf introduced secure encryption of private keys for the CertMgr server and all servers listed in "Servers with access".

The internal format is PEM, but it can only be decrypted by the configured servers. The private key cannot be exported!


In Domino 12.0.1 an exportable key can be created or imported.

This private key is stored separately in encrypted PEM format (exportable key field in Security/Keys tab).

The PEM private key is encrypted with AES 256 using a pass phrase.
A secure password/pass phrase is required for all create and export operations.


The export functionality supports PEM and PKCS12. Both use up-to-date AES 256 encryption.


Note:
Some older applications (especially Java) do not support those more modern formats.
There is a notes.ini parameter to switch back to the older, less secure encryption: PKCS12_EXPORT_LEGACY=1.
This notes.ini parameter would be needed on the client for a legacy export.

By the way: the OpenSSL 3.0 command line also uses the same new encryption by default, and if you try to export/convert with OpenSSL 3.0 you need a -legacy option.

Example:


The new functionality is only available if you have a Notes 12.0.1 client installed. The functionality is implemented in the template in combination with a new C-API call in the Notes client.


Let's create a private key and use it in a manual flow.


1. The private key is created and encrypted in the internal format used by the CertMgr server and the "Servers with access", and is also stored as an encrypted, exportable PEM-formatted key.

You can create RSA or ECDSA keys in the same way.





2. Now that the key is created in an exportable format, you can use it either in an ACME flow or in a manual flow as shown below.


When you switch to manual, CertMgr creates a CSR when you submit the request.



Image:How to create exportable TLS Credentials with Domino 12.0.1


3. Once the operation completes, you find the CSR in the TLS Credentials document.

A "Copy CSR" action appears, which lets you copy the CSR to the CA of your choice.


4. Once your CA has signed the request, you can paste the certificate using the "Paste Certificate" action and "submit" the request again.

Before submitting the request, make sure to select the servers which should be able to use the new TLS Credentials document.


--------


The pasted certificate should contain the leaf certificate and all intermediate or root certificates, which are not in the certstore.nsf trust roots list.

In case the root and intermediate certificates are among the trusted roots, the chain is automatically completed!


This also works if your certificate list is not sorted in "leaf" to "root" order!
Duplicate or non-matching intermediate certs are also filtered out automatically.


The logic finds the leaf certificate for your private key and can handle the certificate chain for you.

This auto chain completion and sorting functionality is already available in Domino 12.0 and now also works with the new export/import functionality.
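
The chain handling described above, as an added example (this is not CertMgr's or Domino's own code). Certificates are modelled as records with subject, issuer and a public-key hash, assumed already parsed from the pasted PEM; Cert, build_chain and all sample names are hypothetical.

```python
from collections import namedtuple

# Constructed model of an already-parsed certificate (sample names and key hashes).
Cert = namedtuple("Cert", "subject issuer key_hash")

def build_chain(pasted, trusted_roots, private_key_hash):
    """Return the chain for our private key in leaf-to-root order.

    Assumption: issuer links are followed by name only; a production
    implementation would also verify each signature.
    """
    # The leaf is the pasted certificate whose public key matches our private key.
    leaf = next((c for c in pasted if c.key_hash == private_key_hash), None)
    if leaf is None:
        raise ValueError("no pasted certificate matches the private key")

    # Index candidate issuers by subject. setdefault keeps the first copy,
    # so duplicates collapse and pasted certs win over the trust store.
    by_subject = {}
    for cert in list(pasted) + list(trusted_roots):
        by_subject.setdefault(cert.subject, cert)

    chain, seen = [leaf], {leaf.subject}
    while chain[-1].subject != chain[-1].issuer:   # stop at a self-signed root
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            raise ValueError("chain incomplete, missing: " + chain[-1].issuer)
        if issuer.subject in seen:
            raise ValueError("issuer loop at: " + issuer.subject)
        seen.add(issuer.subject)
        chain.append(issuer)
    return chain   # unrelated certificates are never reached, so they drop out

# Constructed sample data: a three-level chain plus an unrelated CA.
ROOT = Cert("CN=Example Root", "CN=Example Root", "k-root")
INTER = Cert("CN=Example Issuing CA", "CN=Example Root", "k-inter")
LEAF = Cert("CN=domino.example.com", "CN=Example Issuing CA", "k-leaf")
OTHER = Cert("CN=Unrelated CA", "CN=Other Root", "k-other")

def demo():
    pasted = [INTER, OTHER, LEAF, INTER]   # unsorted, one duplicate, one stray
    chain = build_chain(pasted, trusted_roots=[ROOT], private_key_hash="k-leaf")
    return [c.subject for c in chain]

if __name__ == "__main__":
    print(demo())
```

The two ValueError paths are the cases an administrator would want reported before a TLS Credentials document goes live: a pasted certificate that does not belong to the key, and an intermediate that is neither pasted nor in the trust store.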





After submitting the request, your ready-to-use TLS Credentials document should look like this.


Image:How to create exportable TLS Credentials with Domino 12.0.1


The TLS Cache introduced in Domino 12.0 automatically detects new or updated TLS Credentials and reloads the cache.


Additional tip: In Domino 12.0.1 you can check loaded TLS Credentials via


load certmgr -showcerts



Conclusion


The export/import functionality completes the existing functionality and is a great improvement in Domino 12.0.1.


The C-API call used in the template is in a script lib and could be used for your own integration projects.

The call also uses the auto chain completion and auto chain sorting!

Comments

1  Jesper Kiaer  29.11.2021 14:20:47

Sounds great!

Say if I use Nginx as a Reverse Proxy in front of Domino, can I then use this export feature for exporting Let's Encrypt certificates to the Nginx server? (via the c-api)

2  Daniel Nashed  29.11.2021 21:39:32

Hi Jesper,

Yes, especially with wildcard certs, using it with a reverse proxy makes a lot of sense.

If you use ACME HTTP-01, for example, you need to make sure the challenge can pass the proxy server.

And you only need to export the private key once. When you renew the certificate, you can just use the existing key on NGINX and just replace the certificate -- if the key stays the same.

CertMgr keeps the private key the same unless you request a key rollover -- which is also supported with the ACME flow.

I have posted earlier how you can use openssl or similar tools to get the certificate from an HTTPS connection. The certificate is public and you don't need to run any direct access to certstore.nsf from outside to get the certificates ;-)

-- Daniel

3  Jesper Kiaer  30.11.2021 8:43:50

Great! :-)

Looking forward to testing it
