Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

The new magic number of the year is 398

Daniel Nashed – 4 November 2020 19:05:22

Wow I almost missed that. I spoke with a friend who mentioned it today.

I did know about all the discussions for certificate lifetime. But I missed the official statements.


So basically this cuts the lifetime by 50%.

Before, the magic number was 825 days. Now it will be reduced to 398 days!

For everyone running Let's Encrypt certs today, this will not be a big deal, because they have a 90-day lifetime anyway and you automatically renew them.

For everyone else without certificate management in place, this will be a big deal!


Update 5.11.2020. I had a call with Christian Henseler, who really looked into the details of what Apple and Google wrote. In contrast to what we have seen with earlier Apple statements for the old limit of around 2 years, this does not affect private/corporate CAs if we read it correctly.

The old statement from Apple --> https://support.apple.com/en-us/HT210176 was not limited to CAs in the Apple trust store.
Still, the new limit will apply to everyone running public websites with official certs.


--snip --
Apple: "This change will not affect certificates issued from user-added or administrator-added Root CAs."

Google: "This will only apply to TLS server certificates from CAs that are trusted in a default installation of Google Chrome, commonly known as “publicly trusted CAs”, and will not apply to locally-operated CAs that have been manually configured. "

--snip --
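To make the 825 vs. 398 day limits concrete, here is an added example (not code from this post or from Domino) that parses the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`, computes the certificate lifetime, picks the limit that applies to a publicly trusted certificate issued on that date (the 398-day limit applies to certificates issued on or after 1 September 2020), and reports remaining validity. The sample date lines and the `POST_DATE` used as "now" are constructed. As the quoted Apple and Google statements say, the limit does not apply to certificates from your own corporate CA, so for those `exceeds_limit` is only advisory.

```python
import re
from datetime import datetime, timezone

# Maximum lifetimes in days discussed in the post: the old limit and the new one.
OLD_LIMIT_DAYS = 825
NEW_LIMIT_DAYS = 398
# Apple, Google and Mozilla apply the 398-day limit to publicly trusted
# certificates issued on or after 1 September 2020.
NEW_LIMIT_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)

# One line of `openssl x509 -noout -dates` output, e.g. "notBefore=Nov  4 19:05:22 2020 GMT"
_DATE_LINE_RE = re.compile(r"^(notBefore|notAfter)=(.+)$")


def parse_openssl_date(text):
    """Parse a date in the format openssl prints, e.g. 'Nov  4 19:05:22 2020 GMT'."""
    # openssl pads single-digit days with a second space; split() collapses that.
    parts = text.split()
    if parts and parts[-1] == "GMT":
        parts = parts[:-1]
    dt = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
    return dt.replace(tzinfo=timezone.utc)


def parse_dates(openssl_output):
    """Return (not_before, not_after) from the output of `openssl x509 -noout -dates`."""
    found = {}
    for line in openssl_output.splitlines():
        m = _DATE_LINE_RE.match(line.strip())
        if m:
            found[m.group(1)] = parse_openssl_date(m.group(2))
    missing = {"notBefore", "notAfter"} - set(found)
    if missing:
        raise ValueError("missing in openssl output: " + ", ".join(sorted(missing)))
    return found["notBefore"], found["notAfter"]


def check_certificate(openssl_output, now, warn_days=30):
    """Evaluate the lifetime and remaining validity of one certificate.

    Returns the lifetime in days, the limit that applies to a publicly
    trusted certificate issued at notBefore, and the renewal status.
    """
    not_before, not_after = parse_dates(openssl_output)
    lifetime = (not_after - not_before).days
    limit = NEW_LIMIT_DAYS if not_before >= NEW_LIMIT_CUTOFF else OLD_LIMIT_DAYS
    remaining = (not_after - now).days
    return {
        "lifetime_days": lifetime,
        "limit_days": limit,
        "exceeds_limit": lifetime > limit,
        "days_remaining": remaining,
        "expired": now >= not_after,
        "renew_soon": now < not_after and remaining <= warn_days,
    }


# Constructed samples in the format `openssl x509 -noout -dates` prints.
SAMPLE_TWO_YEAR = "notBefore=Nov  1 00:00:00 2020 GMT\nnotAfter=Nov  1 00:00:00 2022 GMT\n"
SAMPLE_LETSENCRYPT = "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Dec 30 00:00:00 2020 GMT\n"
SAMPLE_OLD_LIMIT = "notBefore=Mar  1 00:00:00 2020 GMT\nnotAfter=Jun  3 23:59:59 2022 GMT\n"
# Constructed "now": the date of this post.
POST_DATE = datetime(2020, 11, 4, 19, 5, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, sample in [("two-year cert", SAMPLE_TWO_YEAR),
                         ("Let's Encrypt cert", SAMPLE_LETSENCRYPT),
                         ("cert issued before the cutoff", SAMPLE_OLD_LIMIT)]:
        print(name, check_certificate(sample, POST_DATE))
```

In a real check you would feed it the output of `openssl x509 -in server.pem -noout -dates` for each server and raise an alert on `exceeds_limit` or `renew_soon`.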


What does that mean for Domino?


Today for many of my Domino customers I always have to help with openssl and kyrtool.

And I know all the commands when you wake me up at night.


In the future, with Domino V12, most of this will work "automagically".


Automated certificate management is one of the cool new features in Domino V12.

The first code drops of the early access program delivered Let's Encrypt support.

But there are other providers like ZeroSSL (https://zerossl.com) or Buypass (https://buypass.com) using the ACME protocol that we can expect to be supported in the future.

Manual certificate operations are also already available, and you can use all of this functionality today by pushing certs to older servers.


"Manual" certificate operations


You can paste a complete pem file including private key, cert, cert chain and trusted root into a field and submit a request which automatically reads all certificate information.
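The pasted field content is just a sequence of PEM blocks. As an added example (not CertMgr's code and not from this post), here is a small Python parser that splits such a bundle into its blocks, checks that each body is valid base64 and decodes to a DER SEQUENCE, and reports whether the bundle contains exactly one private key and at least one certificate. The sample bundle is constructed with dummy DER bytes, not real keys or certificates.

```python
import base64
import re

# One PEM block: the label (CERTIFICATE, PRIVATE KEY, ...) and the base64 body.
_PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}


def split_pem_bundle(text):
    """Return a list of (label, der_bytes) for every PEM block in the pasted text."""
    blocks = []
    for m in _PEM_BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as e:
            raise ValueError(f"{label} block is not valid base64") from e
        # X.509 certificates and PKCS#8/PKCS#1 keys are DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def summarize_bundle(text):
    """Report what a pasted bundle contains and whether it is complete."""
    labels = [label for label, _ in split_pem_bundle(text)]
    keys = sum(1 for label in labels if label in PRIVATE_KEY_LABELS)
    certs = labels.count("CERTIFICATE")
    unknown = sorted({label for label in labels
                      if label not in PRIVATE_KEY_LABELS and label != "CERTIFICATE"})
    return {
        "order": labels,
        "private_keys": keys,
        "certificates": certs,
        "unknown": unknown,
        "complete": keys == 1 and certs >= 1 and not unknown,
    }


def make_pem(label, der):
    """Wrap DER bytes as a PEM block (used here only to build constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: the payload is a dummy DER SEQUENCE, not a real key or cert.
DUMMY_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_BUNDLE = (
    make_pem("PRIVATE KEY", DUMMY_DER)
    + make_pem("CERTIFICATE", DUMMY_DER)   # server certificate
    + make_pem("CERTIFICATE", DUMMY_DER)   # intermediate
    + make_pem("CERTIFICATE", DUMMY_DER)   # trusted root
)
SAMPLE_MISSING_KEY = make_pem("CERTIFICATE", DUMMY_DER)

if __name__ == "__main__":
    print(summarize_bundle(SAMPLE_BUNDLE))
    print(summarize_bundle(SAMPLE_MISSING_KEY))
```

The block order is preserved, so a caller can still check that the server certificate comes first and the trusted root last; telling leaf from root apart would need an ASN.1 parser for subject and issuer, which is beyond this example.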

But the preferred way would be:

- configure your host names, organisation name etc.
- let the new CertMgr create a private key and CSR for you
- use the copy action button to copy the CSR to your CA
- finally paste the certificates back using the right fields


Today this is still automatically converted into a kyr file.
But the October code drop already allowed you to specify a host name instead of a kyr file in your internet site / server doc configuration, and the internet tasks have been reading the certificate from there.


In future code drops we can expect more automation and integration.


So this replaces the need for openssl and the kyrtool. And this can even be used for older servers to generate the kyr files.

I have posted an agent in the early access forum to push kyr files to a server.


Given that certificate lifetime will be more and more reduced over the years, certificate management becomes more and more important!



Domino V12 Early Access


If certificate management in Domino is your topic, you should take the time to look into the Domino V12 early access code drops!
It's really early access, with code shipped once a feature is ready, to get feedback! Not just for this product area.


-- Daniel


PS: I don't want to confuse you with Certificate Transparency, which replaces HTTP Public Key Pinning (HPKP) and implies shorter lifetimes for certificates, because they want at least 2 certs in their database.

But I at least want to mention and reference it below.


References:


https://support.apple.com/en-us/HT211025
https://chromium.googlesource.com/chromium/src/+/master/net/docs/certificate_lifetimes.md
https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
https://www.certificate-transparency.org/
