Download certificate chain without OpenSSL
Daniel Nashed – 11 September 2022 08:17:08
Usually OpenSSL is the tool of choice for all types of certificate operations.
But what if no OpenSSL command line is available? Like in a Domino container where you can't install software?
After some research, I came up with keytool, which is part of the JVM Domino ships.
It even turned out to be an easier way to download the certificate chain, with this command line:
/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool -printcert -rfc -sslserver 127.0.0.1 > certs.pem
This example connects to the local server over port 443 (default) and loads the complete certificate chain.
The option -rfc is important to write the certificate in PEM format.
Without the -rfc option, you get all the details about the certificates in the chain instead:
/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool -printcert -sslserver 127.0.0.1
Certificate #0
====================================
Owner: O=Automation MicroCA Certificate
Issuer: CN=DominoMicroCA, O=AutoTestLab
Serial number: 69e50f549cb8e0d294ad2c6a884778c0
Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Tue Sep 12 10:03:17 CEST 2023
Certificate fingerprints:
SHA1: 4B:77:49:FB:95:3E:02:F5:8C:F7:C7:76:C1:F5:7F:EA:7B:60:CD:9C
SHA256: 9E:E7:61:FA:D1:DA:57:AA:89:3F:A8:F8:F8:CB:69:D6:7F:DB:8A:18:C4:BB:01:2F:85:FD:1F:39:9B:69:8D:42
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: automation.notes.lab
]
Certificate #1
====================================
Owner: CN=DominoMicroCA, O=AutoTestLab
Issuer: CN=DominoMicroCA, O=AutoTestLab
Serial number: 4afa2efe1b11b03f88fc34d76b3574a2
Valid from: Sat Sep 10 10:03:17 CEST 2022 until: Mon May 26 10:03:17 CEST 2025
Certificate fingerprints:
SHA1: 9C:B0:FD:60:25:B9:6D:8D:2C:F5:F3:CB:CF:F6:B8:73:EB:E9:22:EC
SHA256: 7C:DA:2D:31:7A:7A:C9:B4:7B:24:36:0E:4F:A5:A6:81:D5:27:DB:45:57:03:59:61:2F:20:01:C0:BA:52:71:1B
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: automation.notes.lab
]
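The -rfc output is just the PEM blocks of the chain, concatenated, leaf certificate first. The following shell snippet is an added example, not part of the original post: fetch_chain wraps the keytool call above (the keytool path and the host:port argument are assumptions; -sslserver accepts host:port, so other TLS ports work too), and split_chain cuts the downloaded file into one PEM file per certificate so each can be inspected or imported on its own. sample_chain writes a constructed two-certificate chain with placeholder contents so the split can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post). KEYTOOL path is an assumption.
KEYTOOL="${KEYTOOL:-/opt/hcl/domino/notes/latest/linux/jvm/bin/keytool}"

# fetch_chain HOST[:PORT] OUTFILE
# Downloads the chain presented by a TLS server in PEM format.
# Works for any directly-TLS port; STARTTLS ports (plain first) do not work.
fetch_chain() {
    "$KEYTOOL" -printcert -rfc -sslserver "$1" > "$2"
}

# split_chain PEMFILE OUTDIR
# Writes OUTDIR/cert-0.pem (server certificate), cert-1.pem (issuer), ...
# and prints the number of certificates found.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        BEGIN { n = 0; f = "" }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n }
    ' "$1"
}

# sample_chain OUTFILE
# Constructed stand-in for keytool -rfc output: two PEM blocks with
# placeholder bodies, only for exercising split_chain offline.
sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CACERTPLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

Each resulting file can be inspected with keytool -printcert -file cert-N.pem, which gives the same detailed view as the output shown above.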
Comments [3]
1. Christian Buchacher 11.09.2022 16:15:09 Download certificate chain without OpenSSL
Cool trick - thanks for sharing!
I tried it with Domino for Windows and it worked like a charm. If you don't have a default website specified on your server, you must replace '127.0.0.1' with the IP address in use, e.g.:
C:\Program Files\HCL\Domino\jvm\bin>keytool -printcert -rfc -sslserver 192.168.1.100 > certs.pem
I only have a MicroCA for testing and I'm not 100% sure if the private key is also included if you try to export a regular certificate? (The private key is encrypted with the server's public key, right?)
2. Daniel Nashed 11.09.2022 20:31:00 Download certificate chain without OpenSSL
@Christian, this is not specific to Domino. It works the same for any server and the standard protocols.
It will not work for STARTTLS which starts an unencrypted connection and then negotiates a TLS session with the STARTTLS extension.
This is a remote request for the server and can only get the public certificates, which are public.
The private key always remains on the server. The private key is not directly encrypted with the server key.
It is encrypted with an operations key, which is encrypted with all public keys of all servers configured to have access.
3. Don 13.09.2022 9:24:56 Download certificate chain without OpenSSL
Thanks for sharing. I did not know keytool could do this.