Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Download certificate chain without OpenSSL

Daniel Nashed  11 September 2022 08:17:08

Usually OpenSSL is the tool of choice for all types of certificate operations.

But what if no OpenSSL command line is available, for example in a Domino container where you can't install software?

After some research, I came up with keytool, which is part of the JVM that Domino ships.


It even turned out to be an easier way to download the certificate chain, using this command line:


/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool -printcert -rfc -sslserver 127.0.0.1 > certs.pem


This example connects to the local server on port 443 (the default; use host:port for a different port) and loads the complete certificate chain the server presents.
The -rfc option is important: it writes the certificates in PEM format. Note that keytool does not validate the chain here; it prints whatever the server sends, so compare the fingerprints against a trusted source before importing the result anywhere.


Without the -rfc option, you instead get the details of each certificate in the chain:

/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool -printcert -sslserver 127.0.0.1

Certificate #0

====================================

Owner: O=Automation MicroCA Certificate

Issuer: CN=DominoMicroCA, O=AutoTestLab

Serial number: 69e50f549cb8e0d294ad2c6a884778c0

Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Tue Sep 12 10:03:17 CEST 2023

Certificate fingerprints:

      SHA1: 4B:77:49:FB:95:3E:02:F5:8C:F7:C7:76:C1:F5:7F:EA:7B:60:CD:9C

      SHA256: 9E:E7:61:FA:D1:DA:57:AA:89:3F:A8:F8:F8:CB:69:D6:7F:DB:8A:18:C4:BB:01:2F:85:FD:1F:39:9B:69:8D:42

Signature algorithm name: SHA256withECDSA

Subject Public Key Algorithm: 384-bit EC (secp384r1) key

Version: 3


Extensions:


#1: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [

serverAuth

]


#2: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: automation.notes.lab

]



Certificate #1

====================================

Owner: CN=DominoMicroCA, O=AutoTestLab

Issuer: CN=DominoMicroCA, O=AutoTestLab

Serial number: 4afa2efe1b11b03f88fc34d76b3574a2

Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Mon May 26 10:03:17 CEST 2025

Certificate fingerprints:

      SHA1: 9C:B0:FD:60:25:B9:6D:8D:2C:F5:F3:CB:CF:F6:B8:73:EB:E9:22:EC

      SHA256: 7C:DA:2D:31:7A:7A:C9:B4:7B:24:36:0E:4F:A5:A6:81:D5:27:DB:45:57:03:59:61:2F:20:01:C0:BA:52:71:1B

Signature algorithm name: SHA256withECDSA

Subject Public Key Algorithm: 384-bit EC (secp384r1) key

Version: 3


Extensions:


#1: ObjectId: 2.5.29.19 Criticality=true

BasicConstraints:[

CA:true

PathLen:2147483647

]


#2: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

Key_CertSign

]


#3: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: automation.notes.lab

]
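The text form above is handy for a quick look, but when you collect it from several servers it pays to parse it and check the chain mechanically: does the leaf cover the host name, is every issuer the next certificate in the chain, is CA:true set on the issuers, and is everything still valid? The following is an added example, not code from the original post or from HCL. It parses the full -printcert output format (the sample embedded here is an abridged copy of the output shown above) and reports plausibility findings. The host name, the reference clock and the record field names are assumptions made for the example; the checks do not verify signatures, they only sanity-check what the server presented.

```python
# Parse `keytool -printcert -sslserver host[:port]` text output (the variant without
# -rfc) and run plausibility checks on the presented chain. Added example, not from the post.
import re
from datetime import datetime

# Abridged copy of the keytool output shown in the post, used here as sample input.
SAMPLE_OUTPUT = """\
Certificate #0
Owner: O=Automation MicroCA Certificate
Issuer: CN=DominoMicroCA, O=AutoTestLab
Serial number: 69e50f549cb8e0d294ad2c6a884778c0
Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Tue Sep 12 10:03:17 CEST 2023
      SHA256: 9E:E7:61:FA:D1:DA:57:AA:89:3F:A8:F8:F8:CB:69:D6:7F:DB:8A:18:C4:BB:01:2F:85:FD:1F:39:9B:69:8D:42
ExtendedKeyUsages [
serverAuth
]
SubjectAlternativeName [
DNSName: automation.notes.lab
]

Certificate #1
Owner: CN=DominoMicroCA, O=AutoTestLab
Issuer: CN=DominoMicroCA, O=AutoTestLab
Serial number: 4afa2efe1b11b03f88fc34d76b3574a2
Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Mon May 26 10:03:17 CEST 2025
BasicConstraints:[
CA:true
]
"""
SAMPLE_NOW = datetime(2022, 9, 11, 8, 17, 8)  # assumed reference clock: the post's date

# "Key: value" lines copied verbatim into the record.
FIELDS = {"Owner": "owner", "Issuer": "issuer", "Serial number": "serial"}


def _parse_keytool_date(text: str) -> datetime:
    # keytool prints "Sat Sep 10 10:03:17 CEST 2022"; strptime cannot portably read the
    # weekday or the zone abbreviation, so keep only month, day, time and year.
    p = text.split()
    return datetime.strptime(" ".join(p[1:4] + [p[5]]), "%b %d %H:%M:%S %Y")


def parse_printcert(output: str) -> list:
    """Return one record (dict) per 'Certificate #N' block of the keytool output."""
    chain = []
    cert = None
    section = None  # name of the bracketed extension block currently open
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Certificate #"):
            cert = {"index": len(chain), "fingerprints": {}, "is_ca": False,
                    "ext_key_usages": [], "dns_names": []}
            chain.append(cert)
            section = None
        elif cert is None or not line:
            continue
        elif line.split(":")[0] in FIELDS:  # Owner, Issuer, Serial number
            cert[FIELDS[line.split(":")[0]]] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:"):
            m = re.match(r"Valid from: (.+) until: (.+)$", line)
            cert["not_before"], cert["not_after"] = map(_parse_keytool_date, m.groups())
        elif re.match(r"SHA(1|256): ", line):
            alg, fp = line.split(":", 1)
            cert["fingerprints"][alg] = fp.strip()
        elif line.endswith("["):  # "ExtendedKeyUsages [" or "BasicConstraints:["
            section = line[:-1].strip().rstrip(":")
        elif line == "]":
            section = None
        elif section == "BasicConstraints" and line == "CA:true":
            cert["is_ca"] = True
        elif section == "ExtendedKeyUsages":
            cert["ext_key_usages"].append(line)
        elif section == "SubjectAlternativeName" and line.startswith("DNSName:"):
            cert["dns_names"].append(line.split(":", 1)[1].strip())
    return chain


def check_chain(chain: list, hostname: str, now: datetime) -> list:
    """Plausibility findings on the presented chain; this is not signature verification."""
    if not chain:
        return ["server presented no certificates"]
    findings, leaf = [], chain[0]
    if hostname not in leaf["dns_names"]:
        findings.append(f"leaf SAN {leaf['dns_names']} does not cover {hostname}")
    if "serverAuth" not in leaf["ext_key_usages"]:
        findings.append("leaf lacks the serverAuth extended key usage")
    for cert in chain:
        if not cert["not_before"] <= now <= cert["not_after"]:
            findings.append(f"certificate #{cert['index']} is not valid at {now:%Y-%m-%d}")
    for cur, nxt in zip(chain, chain[1:]):
        if cur["issuer"] != nxt["owner"]:
            findings.append(f"certificate #{cur['index']} was not issued by #{nxt['index']}")
        if not nxt["is_ca"]:
            findings.append(f"certificate #{nxt['index']} acts as an issuer without CA:true")
    if chain[-1]["owner"] != chain[-1]["issuer"]:
        findings.append("last certificate is not self-signed, so the server omits its root")
    return findings
```

To use it against a live server, pipe the keytool output into a file and pass its contents to parse_printcert, then run check_chain with the host name you expect and datetime.now(). An empty findings list means the presented chain is internally consistent for that name and date; the SHA256 fingerprints in the records are what you compare against a trusted reference before importing anything.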
