
SSL and Domino (or how to waste an afternoon!)


This technote was invaluable today. Today, I had to add a self-signed SSL certificate to a Domino server. This 30-odd-step process was the clearest technote on how to actually enable SSL and add *any* sort of certificate.

I'm not kidding when I say it still took three hours and four attempts to get right. Okay, aside from me being a developer, and it being Friday afternoon (and I can *smell* the Caledonian 80-shilling on tap from the bottom of the garden), it still requires using Certificate Authority (the 'CA' process), AdminP, creating random databases, and copying server keyring files to the server hard drive. Sacrificing the odd chicken helps, as does screaming AAAAAUUUGGGGGH at the moon, which is what I did when I got to the end and found I'd misspelt the domain.

Please, can someone tell me why it has to be so bad? Can someone actually justify designing a process this horrible?

At the end of this process, as I'm too tight to pay for a proper keyring from Verisign or someone else (who's the cheapest, BTW?), the users STILL get prompted and warned not to trust the SSL certificate. Is it worth it?

And you'd think that by 8.x we'd have a wee page in the admin client that said 'create me an SSL keyring for ALL my domains and install it for me, please'? Instead of tramping through this nightmare process for EACH domain..

The pub is now calling..

Comments

Gravatar Image1 - I have a great deal of sympathy here, Bill. The admin documentation on this is downright dangerous because it covers several versions of Domino in several page steps. If you search and stumble halfway into the process for an older version of Domino, you're doomed.

I put this together last March because a lot of people have been asking me to do it for them.

{ Link }


Gravatar Image2 - I can understand how you feel. If it helps you, it is only that difficult the first time.

And the cheapest way (actually FREE) is from CACert.org . Once you are "assured" by two people you can get as many server certificates as you want for the rest of your life.
Sounds good. But unfortunately the root keys are not (yet) included in IE or Firefox, so it is similar to a self-signed certificate.

More info: { Link }

Gravatar Image3 - Bill

Ditto and ditto mate! SSL, hate it with a vengeance. Having said that, setting up SSL and a SelfCert on the Apache server on an iSeries is a piece of piss, so I have taken the step of using the Certificate Authority on the iSeries to create the TrRoot for all the other servers.

However, we do have to provide ample help for our external users to install our Trusted Root in their certificate store to get around the error messages, and we include our Trusted Root on all builds of internal PCs.

Steve
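The two comments above (the CAcert root not being shipped in browsers, and Steve's approach of installing a private Trusted Root on every client) both come down to one check: whether the server's certificate chain ends at a root the client already trusts. The script below is an added example, not from the post or its comments, and it uses plain OpenSSL rather than Domino's keyring tooling; the hostname www.example.test and all file names are invented. It builds a private root, issues a server certificate from it, and then runs the verification a client performs three ways: against the default store (the case that produces the warning), with the root trusted, and with the root trusted but a misspelt hostname, which still fails.

```shell
#!/bin/sh
# Added example, not from the original post: a private root CA and a server
# certificate made with OpenSSL, then the trust checks a client performs.
# The hostname www.example.test and all file names are invented for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Create a self-signed root certificate (the "Trusted Root" a client would
# need to have installed). openssl req -x509 marks it as a CA by default.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal Root" \
    -keyout root.key -out root.pem >/dev/null 2>&1
}

# Issue a server certificate for $1, signed by that root, with a SAN so that
# hostname checks have something unambiguous to match.
make_server() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$host" -keyout server.key -out server.csr >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" >ext.cnf
  openssl x509 -req -in server.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -days 90 -extfile ext.cnf -out server.pem >/dev/null 2>&1
}

# What a client sees with only its built-in roots: exit 0 if the chain is
# trusted, non-zero otherwise. A private root is not in that store, so this
# is the case that produces the browser warning.
verify_with_default() {
  openssl verify server.pem >/dev/null 2>&1
}

# The same check after the root has been installed as trusted, including the
# hostname match; a misspelt domain fails here even though the root is trusted.
verify_with_root() {
  openssl verify -CAfile root.pem -verify_hostname "$1" server.pem >/dev/null 2>&1
}

# Run with the argument "demo" to see all three outcomes.
if [ "${1:-}" = "demo" ]; then
  make_root
  make_server www.example.test
  verify_with_default && echo "default store: trusted" || echo "default store: NOT trusted (browser warning)"
  verify_with_root www.example.test && echo "root installed, correct hostname: trusted"
  verify_with_root www.exmaple.test || echo "root installed, misspelt hostname: NOT trusted"
fi
```

Installing the root on internal PCs, as Steve describes, is what turns the second case into the third; for external users who never install it, the chain stops at an unknown root and the warning is correct behaviour on the browser's part.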

Gravatar Image4 - I've used RapidSSL before, and it was smooth as silk (as opposed to the self-cert process, which, as you point out, is ridiculous). Their prices have gone up a bit since last time I used them (currently $79 per hostname), but they have 99% browser recognition, so the users don't get a scary warning unless you let the cert expire.

Gravatar Image5 - (Shouldn't you Americans be out there drinking beer, blowing up (extremely safe) fireworks, and complaining about not having enough holidays?)

Nice one, Tim.

RapidSSL certs are now available via BulkRegister (they charge per year instead of per cert), which means they'll nag me when the cert runs out (they already nag me and auto-renew domains.)

So far - 15 mins to submit a certificate request.

Alarmingly, the latest Domino server they have on there is v5. Which went out of support a year ago or more?

---* Bill

Gravatar Image6 - try a GoDaddy cert. Very cheap and trusted by all major browsers. I've used them on Domino a couple times. I think there's even a technote on IBM support - do a search on there for GoDaddy.

Gravatar Image7 - Fun, isn't it. I've had to do this a time or two. Then a few years back I had to do it again and the then-current (I think R7) db simply didn't offer any options to produce a self-cert keyring file for a server.

Grumbles, moans and digs in the Archive of old databases until finds one which will actually produce a keyring file.

This one should actually be called the "Ringpiece" process.
