Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Setting up the first server and Certifier with 4096 bit keys instead of 1024 bit

Daniel Nashed  21 September 2016 09:33:44
Today at AdminCamp I got the question how to register a first server and the organisational certifier with larger key size.
By detault the setup process is still using 1024bit -- I guess for compatibility.

There is a notes.ini setting that increases the key length for the organisation, server and first admin.id.

SETUP_FIRST_SERVER_PUBLIC_KEY_WIDTH=4096

You have to set this parameters in your first servers notes.ini before you start the server for the first tile to do the server setup.

-- Daniel




Comments

1Lars Berntrop-Bos  21.09.2016 15:28:31  Setting up the first server and Certifier with 4096 bit keys instead of 1024 bit

Thanks!

2Friedhelm Klein  26.09.2016 10:52:21  Setting up the first server and Certifier with 4096 bit keys instead of 1024 bit

It actually still happens sometimes that there are new customers, but I admit it is currently a rare case. However this information is important to existing cusomers as well, e.g. when you setup an extra domain for testing purposes, Traveler or Sametime.

Thanks to Daniel for the update to my AdminCamp session. I wonder what a setting of 4096 will do to the 1st Server and Admin, as they are restricted to 2048 Bits, only certifiers can be 4096 bit wide.

3David Kern  22.02.2017 1:43:25  Setting up the first server and Certifier with 4096 bit keys instead of 1024 bit

@Friedhelm - Servers and certifiers cannot (currently) be created with strengths above 2048 bits for performance reasons - you would need some truly impressive hardware to want to use 4096 bit RSA keys on a high traffic server. However, larger key sizes are supported - you just cannot create them with the current version of Notes/Domino. See the first line of the first table in this wiki page for details.

https://www-10.lotus.com/ldd/dominowiki.nsf/dx/supported-key-sizes-in-notesdomino

4David Kern  22.02.2017 23:43:40  Setting up the first server and Certifier with 4096 bit keys instead of 1024 bit

Just FYI - the default key size for "first server setup" changed from 1024 bits to 2048 bits in 9.0.1 FP7.


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]