HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

198 VOTE
Status Shipped
Workspace Domino
Categories Security
Created by Guest
Created on Jul 24, 2018

SSL Certificate management

The process for managing SSL certificates since the implementation of TLS 1.2 is so convoluted.

We need a replacement for the certificate requests database.

  • Guest, Feb 4, 2022

    I recently had issues trying to install a certificate (RapidSSL) in Domino using this guide. This process appears to be necessary when consuming LotusScript WSDLs over HTTPS. Even repeating the whole process with the kind HCL support, it still fails with: SSL invalid certificate, may need to cross-certify.

    Also trying to cross-certify the root and intermediate certificates, both with the whole /organization and with the single server/organization, brought no luck.

    I may consider importing certificates into the JVM (seriously?)

    Weird that NotesHTTPRequest doesn't need all this messy setup. I believe a huge simplification is needed more than ever. There's no reason for it to be that complicated, and also that dispersive.

    When the remote certificate is valid (meaning: when any regular browser can load the same endpoint without any warning), Notes and Domino should do exactly the same!

    In case the certificate isn't valid (self-signed, expired or issued by an unknown CA), please centralize the management in only one neat and clear place!

  • Guest, Mar 15, 2020

    I recently had to renew our GlobalSign certificate. My workaround ultimately was to use a laptop with Notes client 9.0.1 installed, which still functions correctly with the Server Certificate Admin (certsvr.nsf). I have now received our RSA SHA-256 certificate.

    The proposed OpenSSL & kyrtool process appears messy and cumbersome.

    HCL needs to redesign the Server Cert Admin NSF as a priority. The current situation represents reduced functionality and value in the Domino product.

    The Server Cert Admin NSF provided a relatively simple admin tool that Domino admin people could use and follow.

    This enhancement request is nearly 2 years old -- HCL, why haven't you addressed this?

    Please advise and update.

  • Guest, Jan 7, 2020

    Actually the kyrtool kind of makes my life easier. Do you remember the hassle you had to deal with when you needed/wanted to share a certificate (typically a wildcard) between Domino and different platforms? ... It was a nightmare and "expensive" too, because you had to use different more or less proprietary tools. Kyrtool gives me the ability to extract certificates from kyr files for use with other platforms.

    What would be great is if Domino would support the use of PFX files and stop being so proprietary in that regard.

  • Guest, Nov 7, 2019

    Please improve the replacement of the kyr file on the server. I don't want to restart the entire Domino server to activate the new one. A restart of the HTTP task should be enough.

  • Guest, Feb 14, 2019

    With 10.0.1 SSL is required for securing Proton and using IAM. Developers *should* be using a local Domino server. Setting up SSL (at least with a self-signed certificate) for Domino needs to be easy enough for developers to do and as standard as possible. Otherwise Notes developers will be less likely to try Node.js development and Node.js developers will be unlikely to use Domino.

  • Guest, Dec 10, 2018

    The server certificate admin database is still not supported for SHA-2 certificates as per https://www-01.ibm.com/support/docview.wss?uid=swg21903783

    If you create a SHA-2 certificate using the server certificate admin database, TLSv1.2 connections such as from Apple Devices and other browsers along with some SMTP servers will close the connection due to the fact that the server certificate admin database uses MD5 hashes.

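Added example, not part of this thread and not HCL's or kyrtool's own code: a stdlib-only Python script that audits a concatenated PEM bundle before it is handed to kyrtool. It decodes just enough of each certificate's DER to read the outer signatureAlgorithm OID and flags MD5 or SHA-1 signatures, the problem the Dec 10, 2018 comment describes (certificates from the old Server Certificate Admin database that TLS 1.2 clients drop), and it checks that the private key is the first block, since the OpenSSL/kyrtool route mentioned in the Jan 7, 2020 comment imports one PEM file. That file ordering (key, server certificate, intermediates, root) is an assumption made here, as are the helper names (`audit_bundle`, `signature_oid`, `fake_cert`); the sample bundle is constructed inside the script and is only a structural stand-in, not a real certificate.

```python
"""Audit a PEM bundle before importing it into Domino (added example, stdlib only)."""
import base64
import re

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, weak?)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)

def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]: return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 subidentifiers)."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends the subidentifier
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the OID from the outer signatureAlgorithm, which is what a TLS client verifies."""
    tag, body, _ = der_tlv(cert_der)
    assert tag == 0x30, "certificate is not a DER SEQUENCE"
    _, _tbs, pos = der_tlv(body)       # skip tbsCertificate
    tag, alg, _ = der_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    assert tag == 0x30
    tag, oid, _ = der_tlv(alg)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return decode_oid(oid)

def audit_bundle(text):
    """Return findings for a concatenated PEM file (key + certs); [] means nothing flagged."""
    blocks = [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]
    findings = []
    # ASSUMPTION (not from the page): the kyrtool import file is ordered
    # private key, server certificate, intermediate(s), root.
    if blocks and "PRIVATE KEY" not in blocks[0][0]:
        findings.append("first block is %r, expected the private key" % blocks[0][0])
    for idx, (label, der) in enumerate(blocks):
        if label != "CERTIFICATE":
            continue
        oid = signature_oid(der)
        name, weak = SIG_ALGS.get(oid, (oid, False))
        if weak:
            findings.append("certificate #%d signed with %s; MD5 and SHA-1 signatures "
                            "are rejected by current TLS clients" % (idx, name))
    return findings

# --- constructed sample input: hypothetical helpers, not real certificates ---
def _der(tag, content):
    """Tiny DER encoder, short-form lengths only (enough for the samples)."""
    return bytes([tag, len(content)]) + content

def _der_oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = [40 * nums[0] + nums[1]]
    for n in nums[2:]:                 # base-128, high bit set on all but the last octet
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def fake_cert(sig_oid):
    """Outer Certificate shape only: empty tbsCertificate, empty signatureValue."""
    alg = _der(0x30, _der_oid(sig_oid) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

# Key first, then an MD5-signed server cert, then a SHA-256-signed intermediate.
SAMPLE_BUNDLE = (to_pem("RSA PRIVATE KEY", b"\x30\x00")
                 + to_pem("CERTIFICATE", fake_cert("1.2.840.113549.1.1.4"))
                 + to_pem("CERTIFICATE", fake_cert("1.2.840.113549.1.1.11")))

if __name__ == "__main__":
    for finding in audit_bundle(SAMPLE_BUNDLE):
        print("FINDING:", finding)
```

Run it as a script to see the one finding for the constructed bundle (the MD5-signed certificate), or pass the text of your own concatenated PEM file to `audit_bundle` to check a real one. The script does not validate the chain, the key, or the certificate contents; it only reads the signature algorithm of each certificate and the block order, which is exactly the pair of things that went wrong in the reports above.
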
  • Guest, Aug 28, 2018

    Oh, so true!

    Not to mention that the security tab of the Web Site config doc isn't used for anything but the cert file name. Even that new version of the app is a bit clunky, with having to refresh, then do a form, then refresh, then import the signed certs, and nothing in the app says to install the top-level cert, then the mid-level(s), and then the server one. The app needs a workflow refresh. Also, all my certs are now in my kyrtool files, so I've just stuck with the OS-terminal way of working. I also think both this one and the TLS certs suggestion are linked.

  • Guest, Aug 16, 2018

    Maybe this request and the request "HTTPS/TLS: Handle standard .pfx/SSL Certs better/easier for SSL/TLS" should be combined?

  • Guest, Jul 30, 2018

    It's csrv50.ntf I'm talking about - Server Certificate Admin

  • Guest, Jul 28, 2018

    Correction: csrv50.ntf, version 9.0 (10/31/2012)

  • Guest, Jul 24, 2018

    Since 901FP5 (approximately) you don't need OpenSSL or KYRTOOL.  Certca.ntf works with SHA2 and TLS1.2 same as it always did before as long as your server and Administrator are current.  Ignore the Technote - it's obsolete.

  • Guest, Jul 24, 2018

    Use LE4D by midpoints

  • Guest, Jul 24, 2018

    That cost me 5 days to enable SSL on a server with kyrtool and OpenSSL :)

  • Guest, Jul 24, 2018

    Or better documentation for the OpenSSL process...