Top 2 – Creating server certificates for Domino TLS encryption

Error Description

Transport Layer Security (TLS; its predecessor was Secure Sockets Layer, SSL) is an encryption protocol for secure data transmission over the internet. Several Domino services use it for secure data transmission (iNotes, Verse, Traveler). TLS 1.2 has been available since 2008; the current version, TLS 1.3, is not yet supported by Domino.

Domino stores certificates in its own keyring file (here “keyring-host.kyr”, with the associated password stash file “keyring-host.sth”).

Unfortunately, Domino 11.0.1 has no built-in tool for creating TLS server certificates. Two external tools are required for this:

1) OpenSSL

Cryptography and SSL/TLS Toolkit

https://www.openssl.org/source/

2) Kyrtool

Installing and Running the Domino keyring tool

Server certificates for Domino TLS can

Note: Domino 12 will support certificate creation using Let's Encrypt (a free, automated and open certificate authority with a very large reach on the internet).

Managing certificates (Let's Encrypt CA)

https://help.hcltechsw.com/domino/earlyaccess/secu_le_managing-certs_from_LE.html

Furthermore, support for PEM files will replace the procedure described in this document.

Requesting and importing a key and certificate from third-party CA

https://help.hcltechsw.com/domino/earlyaccess/wn_simplified_procedure_third_party_certs.html

Troubleshooting

Create a CA-signed or self-signed server certificate using the procedure described in the sources listed below.

Sources

Method a) CA-signed server certificate

Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation

https://support.hcltechsw.com/csm?id=kb_article_view&sys_kb_id=1a0ad54e1b2498d8c1f9759d1e4bcb1a&spa=1

Method b) Self-signed server certificate

Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool

https://support.hcltechsw.com/csm?id=kb_article&sys_id=8ea76f161bca845883cb86e9cd4bcb82
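As an added example (not code from the HCL KB articles linked above), the following POSIX shell script carries out the OpenSSL part of Method b) and hands the result to kyrtool. The host name, working directory and keyring password are assumptions, and the kyrtool step only runs where Notes or Domino is installed.

```shell
# Added example, not from the HCL KB articles: the OpenSSL half of "Method b)"
# (self-signed SHA-2 cert) plus the kyrtool import that follows on the
# Domino/Notes machine. HOST, WORKDIR and KYRPASS are assumptions.
set -e
HOST="${HOST:-domino.example.com}"          # assumed server FQDN
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYRING="$WORKDIR/keyring-host.kyr"         # kyrtool writes keyring-host.sth beside it
KYRPASS="${KYRPASS:-change-me-before-use}"  # assumed keyring password

# Unencrypted 2048-bit RSA key and a self-signed certificate with a SHA-256
# signature and a SAN entry (browsers reject certs that carry only a CN).
# Extensions go through a config file so older OpenSSL builds work too.
make_selfsigned_pem() {
    cat > "$WORKDIR/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $HOST
[v3]
subjectAltName = DNS:$HOST
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORKDIR/san.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
    # kyrtool "import all" reads one text file: private key first, then the
    # server cert (for a CA-signed cert, intermediates and root follow).
    cat "$WORKDIR/server.key" "$WORKDIR/server.crt" > "$WORKDIR/server.txt"
    printf '%s\n' "$WORKDIR/server.txt"
}

# Signature algorithm of a PEM cert, e.g. sha256WithRSAEncryption (not SHA-1).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# PEM blocks in the import file: 2 for key + self-signed cert.
pem_block_count() { grep -c -- '-----BEGIN' "$1"; }

# Only runs where kyrtool and notes.ini exist (command syntax from the HCL KB).
import_into_keyring() {
    kyrtool create -k "$KEYRING" -p "$KYRPASS"
    kyrtool import all -k "$KEYRING" -i "$1"
    kyrtool show keys -k "$KEYRING"
}

SERVER_TXT=$(make_selfsigned_pem)
echo "signature: $(cert_sig_alg "$WORKDIR/server.crt") blocks: $(pem_block_count "$SERVER_TXT")"
if command -v kyrtool >/dev/null 2>&1; then import_into_keyring "$SERVER_TXT"; fi
```

Copy keyring-host.kyr and keyring-host.sth into the Domino data directory afterwards and reference the keyring in the server document as the KB article describes.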

Tips

Qualys SSL Labs provides a useful tool for testing the newly created TLS server certificate and its configuration (https://www.ssllabs.com/ssltest/). Potential misconfigurations lower the rating and should be corrected as described.

Configuration with errors

Suitable configuration
