Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Download certificate chain without OpenSSL

Daniel Nashed  11 September 2022 10:17:08

Usually OpenSSL is the tool of choice for all types of certificate operations.

But what if no OpenSSL command line is available, for example in a Domino container where you can't install software?

After some research I came up with keytool, which is part of the JVM Domino ships.


It even turned out to be an easier way to download the certificate chain, with this command line:


/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool -printcert -rfc -sslserver 127.0.0.1 > certs.pem


This example connects to the local server on port 443 (the default; use -sslserver host:port for a different port) and writes the certificate chain the server presents in the TLS handshake: the server certificate first, followed by the issuer certificates the server sends. The root is only part of the output if the server is configured to send it.
The option -rfc is important: it writes the certificates in PEM format.

Note that keytool does not validate what it receives. It prints the chain exactly as the server sent it, so before trusting or importing these certificates anywhere, compare the fingerprints (shown in the detailed output below) with what the server's administrator expects.
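As an added example (not from the original post), here is a small POSIX shell wrapper around the keytool command above. It fetches the chain, checks that the redirected file actually contains PEM blocks rather than being empty or holding an error message, and splits the chain into one file per certificate so each can be inspected with keytool -printcert -file or imported on its own. The keytool path defaults to the Domino container path from the post and can be overridden with the KEYTOOL environment variable; the function names, file names and that variable are assumptions of this example.

```shell
# Added example, not part of the original post: a POSIX shell wrapper around
# keytool -printcert -rfc -sslserver. Function names, file names and the
# KEYTOOL variable are assumptions of this example.

# keytool from the JVM Domino ships (path from the post); override via KEYTOOL.
KEYTOOL="${KEYTOOL:-/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool}"

# fetch_chain HOST[:PORT] OUTFILE
# Writes the chain the server presents, in PEM, to OUTFILE. Port defaults to 443.
# Anything keytool prints to stdout on failure lands in OUTFILE as well, so
# callers check the file with pem_count rather than trusting a non-empty file.
fetch_chain() {
    "$KEYTOOL" -printcert -rfc -sslserver "$1" > "$2"
}

# pem_count FILE
# Prints the number of complete BEGIN/END CERTIFICATE blocks in FILE
# (0 for an empty file or one that only holds an error message).
pem_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inblock = 1 }
         /^-----END CERTIFICATE-----/ && inblock { n++; inblock = 0 }
         END { print n + 0 }' "$1"
}

# split_chain FILE PREFIX
# Writes each certificate to PREFIX-0.pem, PREFIX-1.pem, ... in the order the
# server sent them: PREFIX-0.pem is the server (leaf) certificate, the rest
# are its issuers. Lines outside a PEM block are dropped.
split_chain() {
    awk -v prefix="$2" '
        BEGIN { n = 0; out = "" }
        /^-----BEGIN CERTIFICATE-----/ { out = prefix "-" n ".pem"; n++ }
        out != "" { print > out }
        /^-----END CERTIFICATE-----/ && out != "" { close(out); out = "" }' "$1"
}

# Command-line use: ./getchain.sh host[:port] [outfile]
# Nothing runs without arguments, so the functions can also be sourced.
if [ $# -ge 1 ]; then
    out="${2:-certs.pem}"
    fetch_chain "$1" "$out" || { echo "keytool failed for $1" >&2; exit 1; }
    n=$(pem_count "$out")
    if [ "$n" -eq 0 ]; then
        echo "no certificate received from $1; see $out for keytool output" >&2
        exit 1
    fi
    echo "$n certificate(s) written to $out"
    split_chain "$out" "${out%.pem}"
    # Inspect any of them without OpenSSL, e.g.:
    #   "$KEYTOOL" -printcert -file "${out%.pem}-0.pem"
fi
```

The split files are plain PEM, so `keytool -printcert -file certs-0.pem` gives the same detailed view as the -sslserver variant below, and `keytool -importcert -file certs-1.pem` imports a single issuer into a keystore without dragging the leaf along.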


Without the -rfc option, you get all the details about the certificates in the chain instead:

/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool -printcert -sslserver 127.0.0.1

Certificate #0
====================================
Owner: O=Automation MicroCA Certificate
Issuer: CN=DominoMicroCA, O=AutoTestLab
Serial number: 69e50f549cb8e0d294ad2c6a884778c0
Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Tue Sep 12 10:03:17 CEST 2023
Certificate fingerprints:
      SHA1: 4B:77:49:FB:95:3E:02:F5:8C:F7:C7:76:C1:F5:7F:EA:7B:60:CD:9C
      SHA256: 9E:E7:61:FA:D1:DA:57:AA:89:3F:A8:F8:F8:CB:69:D6:7F:DB:8A:18:C4:BB:01:2F:85:FD:1F:39:9B:69:8D:42
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: automation.notes.lab
]


Certificate #1
====================================
Owner: CN=DominoMicroCA, O=AutoTestLab
Issuer: CN=DominoMicroCA, O=AutoTestLab
Serial number: 4afa2efe1b11b03f88fc34d76b3574a2
Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Mon May 26 10:03:17 CEST 2025
Certificate fingerprints:
      SHA1: 9C:B0:FD:60:25:B9:6D:8D:2C:F5:F3:CB:CF:F6:B8:73:EB:E9:22:EC
      SHA256: 7C:DA:2D:31:7A:7A:C9:B4:7B:24:36:0E:4F:A5:A6:81:D5:27:DB:45:57:03:59:61:2F:20:01:C0:BA:52:71:1B
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
]

#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: automation.notes.lab
]

Comments

1. Christian Buchacher  11.09.2022 18:15:09  Download certificate chain without OpenSSL

Cool trick - thanks for sharing!

I tried it with Domino for Windows and it worked like a charm. If you don't have a default website specified on your server, you must replace '127.0.0.1' by the used IP address, e.g.:

C:\Program Files\HCL\Domino\jvm\bin>keytool -printcert -rfc -sslserver 192.168.1.100 > certs.pem

I only have a MicroCA for testing and I'm not 100% sure if the private key is also included if you try to export a regular certificate? (The private key is encrypted with the server's public key, right?)

2. Daniel Nashed  11.09.2022 22:31:00  Download certificate chain without OpenSSL

@Christian, this is not specific to Domino. It works the same for any server and the standard protocols.

It will not work for STARTTLS which starts an unencrypted connection and then negotiates a TLS session with the STARTTLS extension.

This is a remote request for the server and can only get the public certificates, which are public.

The private key always remains on the server. The private key is not directly encrypted with the server key.

It is encrypted with an operations key, which is encrypted with all public keys of all servers configured to have access.

3. Don  13.09.2022 11:24:56  Download certificate chain without OpenSSL

Thanks for sharing. I did not know keytool could do this.
