
SHOW104

Crispy Certificates with Spicy SSL Salsa

Tom Truitt | Sr IT Specialist | WorkFlow Studios

© 2011 IBM Corporation


Legal
This slide presentation may contain the following copyrighted, trademarked,
and/or restricted terms:
● IBM® Lotus® Domino®, IBM® Lotus® Notes®, IBM Lotus Symphony®,
LotusScript®
● Microsoft® Windows®, Internet Explorer®, Microsoft Office®
● Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

● Symantec Corporation®, VeriSign, Inc.®, Thawte, Inc.®, GeoTrust®, GoDaddy.com, Inc.®



Session Goals
● Learn what SSL and X.509 certificates are, and why you use them.
● Learn what a Wildcard certificate is and how it potentially saves your
organization money and maintenance hassle.
● Learn the difference between running your own (self-signed) certificate authority and using a 3rd Party certificate authority, and why you'd want to pay for the 3rd Party.
● Learn how to send and receive encrypted email for secure communications.
● Learn the step-by-step process of setting up all of these certificate types in your
Domino environment.



Assumptions
● You have installed and have working knowledge of the Lotus Notes
Administration Client.
● You have “Create Database” privileges in your Domino environment.
● You have at least Editor access to the Domino Directory with NetCreator and
UserCreator roles.
● Your Notes Client “Location Document” must be set for server based mail, not
local, otherwise you will receive errors when creating or modifying certificates.



Agenda
• It's a matter of Trust & Security
• Or why Certificates and SSL are necessary
• Definitions
• Using 3rd Party Certificate Authorities
• Single Host
• Multi Host with “Wildcard” SSL Certificate
• Domino's Certificate Authority (CA) process
• Migrating a Notes Certifier to the Domino CA
• Adding an Internet Certifier to the Domino CA
• Secure Email with S/MIME and X.509 Certificates
• Q&A
• Don't forget your evaluations



It's a matter of Trust & Security

● Who do you trust?
─ How do you verify that you are connected to a server that is actually run by a particular business or site?
─ Certificates validate identity, like a company badge to get into your office or a driver's license or passport to get through security at the airport.
● Who would eavesdrop on the Internet “Party Line”?
─ Standard Internet protocols such as HTTP and SMTP transmit everything in plain text.
─ If someone intercepts the traffic, nothing prevents them from reading (or altering) all of its content.
● With encryption, one end of the communication encrypts the traffic and the other end decrypts it.
● Certificates supply the public keys used in that process: the client uses the server's certified public key to verify who it is talking to and to agree on the session key that encrypts the traffic.



Agenda
 It's a matter of Trust & Security
 Or why Certificates and SSL are necessary
• Definitions
• Using 3rd Party Certificate Authorities
• Single Host
• Multi Host with “Wildcard” SSL Certificate
• Domino's Certificate Authority (CA) process
• Migrating a Notes Certifier to the Domino CA
• Adding an Internet Certifier to the Domino CA
• Secure Email with S/MIME and X.509 Certificates
• Q&A
• Don't forget your evaluations



Definitions to keep in mind
● Secure Sockets Layer (SSL) & Transport Layer Security (TLS)

● Public Key Infrastructure (PKI)

● Certificate Authority (CA)

● Certificate Signing Request (CSR)

● X.509 Digital Certificate or Public Key Certificate (PKC)



Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
● SSL & TLS are cryptographic* protocols that provide authenticated, encrypted communication over the Internet.
● SSL, originally developed by Netscape, is widely used to do two things:
─ Validate the identity of a Web site
─ Encrypt the connection for sending personal data over the internet
● TLS, the successor protocol defined by the Internet Engineering Task Force (IETF), is based on SSL 3.0. TLS uses digital certificates to authenticate the server and, optionally, the client.
─ With RSA key exchange, the TLS client uses the public key from the server's certificate to encrypt a random value (the pre-master secret) and sends it to the server. That value, combined with the random numbers the two sides exchanged earlier, is used to derive the secret session keys that encrypt the subsequent message exchange. Only the holder of the server's private key can recover the pre-master secret, which is what ties the encrypted session to the identity in the certificate.
● Look for the Lock icon in your browser. A closed lock means the browser validated the server's certificate and the connection is encrypted; it says nothing about whether the site itself is honest.
*Cryptography here means converting readable “plain text” into unreadable cipher text with an encryption algorithm and a key, so that only a party holding the right key can convert it back.



Typical SSL Handshake Negotiation Process
● The two sides acknowledge each other and the browser sends a list of the algorithms it supports and a random number to the web server (ClientHello).
● The server returns “Use this algorithm”, its own random number and its digital certificate (ServerHello, Certificate).
● The browser verifies that it trusts the server's certificate (valid signature chain to a trusted root, name matches the URL, not expired) and extracts the server's public key. It then uses that public key to encrypt a pre-master secret and sends it to the server (ClientKeyExchange).
● Both client and server combine the pre-master secret with the two exchanged random numbers to generate the secret keys for the rest of the session, then exchange Finished messages: a keyed checksum over everything said during the handshake, so that any tampering with the negotiation (for example a downgraded algorithm list) is detected before application data flows.

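The key derivation behind the last two bullets, written out as an added example (it is not part of the original slides and not Domino code). It picks up at the point where the client has sent the pre-master secret encrypted under the server's public key, so both sides hold the same 48 bytes; the RSA transport step is not shown. The PRF, master secret, key block and Finished computations follow TLS 1.2 (RFC 5246 sections 5, 6.3, 7.4.9 and 8.1) rather than SSL 3.0. The randoms, pre-master secret and handshake transcript are constructed sample values.

```python
"""Key derivation on both ends of a TLS 1.2 RSA-key-exchange handshake."""
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes):
    """Master secret and write keys for TLS_RSA_WITH_AES_128_GCM_SHA256
    (two 16-byte keys and two 4-byte implicit nonces; AEAD needs no MAC keys).
    Returns (master_secret, client_write_key, server_write_key)."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # Key expansion seeds with the two randoms in the *opposite* order.
    key_block = prf(master, b"key expansion", server_random + client_random, 40)
    return master, key_block[0:16], key_block[16:32]


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """12-byte verify_data for the Finished message: PRF over the hash of every
    handshake message seen so far, which binds the keys to the negotiation
    (algorithm list, randoms, certificate) each side actually observed."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake(client_random, server_random, pre_master,
                  client_transcript, server_transcript=None):
    """Each side derives its keys from the same three inputs; the server then
    checks the client's Finished against its own view of the handshake.
    Returns (keys_match, finished_ok)."""
    if server_transcript is None:
        server_transcript = client_transcript
    # --- client side ---
    c_master, c_ckey, c_skey = derive_keys(pre_master, client_random, server_random)
    client_finished = finished_verify_data(c_master, b"client finished", client_transcript)
    # --- server side ---
    s_master, s_ckey, s_skey = derive_keys(pre_master, client_random, server_random)
    expected = finished_verify_data(s_master, b"client finished", server_transcript)
    keys_match = (c_master, c_ckey, c_skey) == (s_master, s_ckey, s_skey)
    return keys_match, hmac.compare_digest(client_finished, expected)


# Constructed sample values (not a real capture).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes([0x42] * 46)   # client_version + 46 random bytes
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"


def demo():
    """An honest run, then a run where an attacker altered a handshake message
    in transit: both sides still derive the same keys, but the Finished check
    fails because the two transcripts differ."""
    honest = run_handshake(CLIENT_RANDOM, SERVER_RANDOM, PRE_MASTER, TRANSCRIPT)
    altered = TRANSCRIPT.replace(b"ClientHello", b"ClientHello-downgraded")
    tampered = run_handshake(CLIENT_RANDOM, SERVER_RANDOM, PRE_MASTER, TRANSCRIPT, altered)
    return honest, tampered


if __name__ == "__main__":
    print(demo())   # ((True, True), (True, False))
```

The point of the Finished check is the second result: an attacker sitting between browser and server can relay every message unchanged, but the moment one of them is modified the two transcript hashes diverge and the session is torn down before any application data is sent.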
Public Key Infrastructure (PKI)
● A framework for creating a secure method of exchanging electronic information based on public key cryptography.
● The base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.
● PKIs are based on the public/private key pair of the CA's Root Key.
● The subject's public key, known to everyone, is used to encrypt data for the subject and to verify the subject's signatures.
● The private or secret key, held only by the subject, is used to decrypt received data and to create signatures.
● If the private key of the CA's Root Key is ever compromised, every certificate issued by that CA can be counterfeited; the root must be distrusted and all certificates under it reissued.
● The Key Size defines how hard the private key is to recover from the public key (for RSA, how hard the modulus is to factor). The larger the key size, the harder it is to break.
● Common RSA Key Sizes are 512, 1024 and 2048 bits. 512-bit keys have been factored and must not be used; 1024 is being phased out; use 2048 for new keys.

Certificate Authorities (CAs)
● As stated above, the base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.
● There are two types of CAs:
─ Trusted 3rd Party or Commercial CAs, which charge to issue certificates. Their Trusted Root certificates are included in most internet browsers.
− Think of a passport issued by your country's passport authority.
─ Self Signed or Closed System, where your company is its own CA. You control the Root Certificate for the organization, and every client that should trust it must have that root installed.
− Think of your company-issued ID badge that lets you into your office building.

Trusted 3rd Party Certificate Authorities (CAs)
● Over 300 Trusted CAs are included in Internet Explorer on Windows XP.
● Most browsers already trust these authorities, so end user configuration is not
required.
● If the certifier is pre-configured as trusted in the email system, external mail
client configuration is reduced.
● Overall, the cost of supporting a 3rd Party System can be less than that of a
Closed System.
● Examples of 3rd Party CAs:
─ VeriSign, recently acquired by Symantec, has long been highly trusted by
consumers. VeriSign also owns GeoTrust and Thawte; combined they make up the
largest CA group*.
─ Go Daddy has grown rapidly over the last few years due to their aggressive pricing
model and holds the number two position per netcraft.com
─ Many other Trusted 3rd Party CAs are listed at the site below

* https://ssl.netcraft.com/ssl-sample-report//CMatch/certs

Self Signed or Closed System CAs
● You or your organization control all certificates, including the Root Certificate.
● You control who you issue certificates to.
─ Think of photos on ID badges.
● You manage the certificate structure, naming, validation and expiration.
● The major problem with a Closed CA is that it requires equipment and personnel to manage the process, to protect the root key and to configure end user workstations to trust the root.
─ Think of your “Security Department” that takes photos and issues Corporate Security badges.

Certificate Signing Request (CSR)
● A CSR is an application submitted to a CA for a computer or individual to obtain a digital certificate.
● The request includes information identifying the applicant (the Distinguished Name: common name, organization, locality, country) and the public key from a public/private key pair generated by the applicant. The request is signed with the matching private key so the CA can check that the applicant actually holds it.
● The private key never leaves the applicant's system; only the public key and identity fields travel to the CA, so a CSR can be pasted into a web form or emailed without exposing anything secret.

X.509 Digital Certificate
● AKA Digital ID or Public Key Certificate (PKC)
● X.509 is an International Telecommunication Union Telecommunication Standardization Sector (ITU-T) standard for public key infrastructure (PKI). It specifies standard formats for public key certificates, certificate validation and certificate revocation lists.
● Digital Certificates are issued by a CA after the CA has verified that the public key belongs to a specific subject.
● A Digital Certificate contains both CA and subject information, including the subject's public key. The CA signs the certificate by creating a digest (hash) of all the fields in the certificate and then signing the digest with its private key (with RSA this is often described as “encrypting the digest with the private key”).
● The signed digest is called a “digital signature”, and when placed into the X.509 certificate, the certificate is said to be signed. Anyone holding the CA's public key can recompute the digest and check it against the signature; changing any field after signing breaks the match.
● It's the digital equivalent of your ID card, driver's license or passport.

Agenda
 It's a matter of Trust & Security
 Or why Certificates and SSL are necessary
 Definitions
• Using 3rd Party Certificate Authorities
• Single Host
• Multi Host with “Wildcard” SSL Certificate
• Domino's Certificate Authority (CA) process
• Migrating a Notes Certifier to the Domino CA
• Adding an Internet Certifier to the Domino CA
• Secure Email with S/MIME and X.509 Certificates
• Q&A
• Don't forget your evaluations



Configuring your Domino server with a 3rd Party
SSL Certificate
1) Choosing your 3rd Party CA
2) Create a KeyRing file
3) Creating a Certificate Signing Request (CSR)
4) Retrieve SSL Certificate from Vendor
5) Trusted Root and Intermediate Certificates
6) Install Server SSL Certificate
7) Setup Domino Server for SSL

Choosing your 3rd Party CA & Certificate
● There are literally hundreds of 3rd Party CAs.
● Things to consider when selecting you 3rd Party CA are:
─ What type of transactions will this server be handling?
− Online commerce sites should have the strongest level of encryption and
assurance that you can afford.
− In-house, training and utility servers might be able to use a less costly
certificate.
─ Issuance Speed
─ SSL Certificate Warranty
─ Website Security Seals
─ Customer Support
● It's really up to you to determine the best vendor for your needs. Technically the SSL Certificate (assuming the same key strength) works the same whether it comes from your own self-signed CA or as a premium certificate from a well-known CA; the cryptography is identical. What you pay for is that the vendor's root is already in every browser's trust store, the identity vetting the vendor performs before issuing, and the support and warranty behind it. Beyond that, the difference is perception and marketing.

Configuring your Domino server with a 3rd Party
SSL Certificate
 Choosing your 3rd Party CA

2) Create a KeyRing file


3) Creating a Certificate Signing Request (CSR)
4) Retrieve SSL Certificate from Vendor
5) Trusted Root and Intermediate Certificates
6) Install Server SSL Certificate
7) Setup Domino Server for SSL

Creating a KeyRing.kyr file 1
● Create a New Folder off the root of your C:\ drive with a short folder name. My suggestion is C:\SSL (you will be typing this path several times in the near future).
● This folder will hold the key ring, which contains your server's private key, so restrict access to it to the administrators who need it.

Creating a KeyRing.kyr file 2
● From your Notes Client:
1) Select File
2) Open
3) Lotus Notes Application
● In the Open Application dialog:
1) Look in: your server
2) Select “Server Certificate Admin” (certsrv.nsf)
3) Click “Open”

Creating a KeyRing.kyr file 3
● When the application opens, select “1. Create Key Ring”

Creating a KeyRing.kyr file 4
1) Type the full path and file name – it must end with .kyr
2) Input and confirm the password.
3) Click on the “Key Size” drop down.

Key Size 5
● The larger the key size, the greater the encryption strength, and the less likely an attacker can recover the private key (for RSA, by factoring the modulus; nobody brute-forces the key itself).
● Given the advances in computing power, some believe that it will be possible to break a 1024-bit key in the near future.
● Some 3rd Party CAs will no longer accept a CSR with a key size below 2048 bits, and others are currently in the process of phasing out their lower-sized certificates.
● Keep in mind this could cause issues when you try to renew existing certificates of lower key strength, in which case you will be required to create a new Key Ring file and CSR for your servers.
● The National Institute of Standards and Technology (NIST) of the US Government recommends that certificates issued after 2010 should be of at least 2048-bit key length.
● http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
● Beware: some older browsers cannot support the new 2048-bit keys.

Creating a KeyRing.kyr file 6
● Select 2048 as the Key Size

Creating a KeyRing.kyr file 7
● Complete the required and optional fields.
1) “Common Name” (DNS Server Name)
2) Organization and optional fields
3) NO ABBREVIATIONS in the “State or Province” field
4) 2 character country code
5) Click “Create Key Ring”

Creating a KeyRing.kyr file 8
● The KeyRing file name can be anything you want, but it must end with the .kyr extension.
● Write down the password of the KeyRing.kyr file, put it in a “sealed envelope” and store it in a safe place. You are going to need the password again when it comes time to renew the certificate.
● If you are getting a single server certificate, the Common Name is the fully qualified host name to which the server responds (the name users type in the URL). A single-character mistake will cause an invalid name prompt when the certificate is presented to the browser.
● The Organization (and optional Organization Unit) fields must be completed as accurately as possible with the legal name of the company.
● Use the City and State of the Organization's address and NO ABBREVIATIONS in the State or Province name.
● Enter the standard 2 Character Country code for your country.
● This information will be verified by your CA, is included in the Digital Certificate and will be presented to every browser that contacts your server, so it's important to have it correct when you create your KeyRing.kyr file.

Creating a KeyRing.kyr file 9
● The Key Ring Created prompt will display - Click OK

Creating a KeyRing.kyr file - end
• You need to create an account at your 3rd Party vendor.
• You need to purchase an SSL Certificate and know your vendor's procedures
for submitting a CSR.

Configuring your Domino server with a 3rd Party
SSL Certificate
 Choosing your 3rd Party CA
 Create a KeyRing file

3) Creating a Certificate Signing Request (CSR)


4) Retrieve SSL Certificate from Vendor
5) Trusted Root and Intermediate Certificates
6) Install Server SSL Certificate
7) Setup Domino Server for SSL

Creating a Certificate Signing Request (CSR) 1
● Open the Server Certificate Admin notes database (The same one we used to
create the KeyRing.kyr file)

Creating a Certificate Signing Request (CSR) 2
● Click “2. Create Certificate Request”

Creating a Certificate Signing Request (CSR) 3
1) Type the path and name of the .kyr file
2) Select “Paste into form on CA's site”
3) Click “Create Certificate Request”

Creating a Certificate Signing Request (CSR) 4
● You will be prompted for the KeyRing password; enter it and click “OK”

Creating a Certificate Signing Request (CSR) 5
● The Certificate Request will look as depicted below. Copy from the first dash (-) of the BEGIN line

Creating a Certificate Signing Request (CSR) 6
● to the end of the last dash (–) of the END line, so that both delimiter lines are included.
● Ctrl+C to copy it to your clipboard.

Creating a Certificate Signing Request (CSR) 7
● Open Notepad and paste the CSR into the notepad document, just in case you accidentally copy something else before you complete the 3rd Party CSR. The CSR contains only the public key and identity fields, so keeping a copy in a text file exposes nothing secret.

Creating a Certificate Signing Request (CSR) 8
● Click “OK” on the Certificate Request Created window.

Creating a Certificate Signing Request (CSR)
end
● You are now ready to browse to your 3rd Party CA and complete your CSR.
● Follow the instructions for requesting a certificate for your 3rd Party CA

Configuring your Domino server with a 3rd Party
SSL Certificate
 Choosing your 3rd Party CA
 Create a KeyRing file
 Creating a Certificate Signing Request (CSR)

4) Retrieve SSL Certificate from Vendor


5) Trusted Root and Intermediate Certificates
6) Install Server SSL Certificate
7) Setup Domino Server for SSL

You will receive an email from your 3rd Party CA when your SSL Certificate is complete
● In most instances you will need to download your SSL Certificate from their site.
● Example sender shown: Julio.Jalapeno@SpicySSL.com

Steps for configuring your Domino server with a
Third-Party SSL Certificate
 Choosing your 3rd Party CA
 Create a KeyRing file
 Creating a Certificate Signing Request (CSR)
 Retrieve SSL Certificate from Vendor

5) Trusted Root and Intermediate Certificates


6) Install Server SSL Certificate
7) Setup Domino Server for SSL

There must be a Trusted Root Certificate for your
3rd Party CA in the server's KeyRing.kyr file
● The CAs listed on the left are
automatically included and therefore
trusted in a newly created Domino
KeyRing.kyr file.
● If your CA is not included in the list,
their Trusted Root Certificate will
need to be imported.
● Note: There is a VeriSign
Intermediate CA included. It may or
may not be the correct one for your
certificate.
● Many CAs will now require an
Intermediate Certificate as well as
their Trusted Root.
● Check your 3rd Party CA
documentation for Intermediate
Certificate requirements.
Trusted Root & Intermediate Certificates 2
● Some CAs include their Trusted Root and Intermediate certificates in a bundle or .zip file along with your signed Digital Certificate.
● If they are not included, follow the vendor's instructions and download them.
● Place them in your C:\SSL subdirectory.

Trusted Root & Intermediate Certificates 3
● I normally double click to open the .crt files and leave them open on my desktop
so I can get the name correct when I install them into the KeyRing.kyr file.

Trusted Root & Intermediate Certificates 4
● Open the “Server Certificate Admin” database

Trusted Root & Intermediate Certificates 5
● Select – “3. Install Trusted Root Certificates into Key Ring”

Trusted Root & Intermediate Certificates 6
1. Input the path and file name of your KeyRing.kyr file.
2. Type the Certificate Label that will appear when you choose “View & Edit Key Ring” (why I keep the .crt open on the desktop).
3. Select File or Clipboard as Source.
a) If File, input the path and file name of the CA's root (or intermediate) certificate you downloaded.
b) If Clipboard, paste the certificate into the provided field.
4. Base64 encoding is the most common format, unless your vendor specifies otherwise in their documentation.
5. Click “Merge Trusted Root Certificate into Key Ring”.

Trusted Root & Intermediate Certificates 7
● You will be prompted for the Key Ring password then click “OK”

Trusted Root & Intermediate Certificates 8
● Click “OK” on the Merge Trusted Root Certificate Confirmation.

Trusted Root & Intermediate Certificates 9
● Click “OK” on the Certificate received into key ring and designated as trusted
root prompt.

Trusted Root & Intermediate Certificates end
● Intermediate Certificates
─ If your CA requires an Intermediate Certificate, follow the exact same steps as installing a Trusted Root Certificate.
─ Of course you would use a different Certificate Label and file name.
● If you get a prompt like the one on the left while installing your Signed “Server” Certificate, it indicates that you are missing an Intermediate Certificate: Domino cannot link your certificate's issuer to any root in the key ring. Browsers run the same check, so a missing intermediate on the server shows up as a certificate warning for every visitor whose browser does not already have that intermediate cached.
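What the “missing intermediate” prompt above and the X.509 definition slide (“the CA creates a digest of all the fields and signs it with its private key”) actually amount to, as an added example that is not part of the original slides and not Domino's code. A root CA issues an intermediate, the intermediate issues the server certificate, and a verifier walks the chain upward until it reaches a root it already trusts. Certificates are plain dicts here (real ones are ASN.1/DER) and the RSA moduli are products of well-known Mersenne primes, which makes them instant to build and worthless as real keys; the textbook RSA on a bare hash is likewise a stand-in for a padded signature scheme. Names and the year are sample values.

```python
"""Toy certificate chain: root CA -> intermediate CA -> server certificate."""
import hashlib
import json

E = 65537
# Mersenne primes 2^k - 1 (k = 521, 607, 1279, 2203, 2281, 3217): public
# knowledge, so these keys are for illustration only.
ROOT_KEY = {"n": (2**521 - 1) * (2**607 - 1),
            "d": pow(E, -1, (2**521 - 2) * (2**607 - 2))}
INTER_KEY = {"n": (2**1279 - 1) * (2**2203 - 1),
             "d": pow(E, -1, (2**1279 - 2) * (2**2203 - 2))}
SERVER_PUB = {"n": (2**2281 - 1) * (2**3217 - 1)}   # private half never needed below


def tbs_digest(cert):
    """SHA-256 over every field except the signature (the 'to be signed' part)."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    raw = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def issue(subject, subject_pub, is_ca, issuer_name, issuer_key, not_after=2030):
    """The issuer fills in the fields, hashes them and signs the hash."""
    cert = {"subject": subject, "issuer": issuer_name, "n": subject_pub["n"],
            "e": E, "is_ca": is_ca, "not_after": not_after}
    cert["signature"] = pow(tbs_digest(cert), issuer_key["d"], issuer_key["n"])
    return cert


def signature_valid(cert, issuer_cert):
    """Verify with the issuer's public key: the recovered hash must equal the
    hash of the fields as they are now, so any edit after signing fails."""
    return pow(cert["signature"], issuer_cert["e"], issuer_cert["n"]) == tbs_digest(cert)


def verify_chain(leaf, sent_by_server, trust_anchors, hostname, year=2024):
    """Walk from the server certificate up to a trusted root, as a browser does.
    `sent_by_server` holds the intermediates the server presented; `trust_anchors`
    are the roots in the client's store. Returns (ok, reason)."""
    if leaf["subject"] != hostname:
        return False, f"name mismatch: certificate is for {leaf['subject']}"
    by_name = {c["subject"]: c for c in sent_by_server + trust_anchors}
    anchors = {c["subject"] for c in trust_anchors}
    cert, depth = leaf, 0
    while depth <= 5:
        if cert["not_after"] < year:
            return False, f"{cert['subject']} expired in {cert['not_after']}"
        issuer = by_name.get(cert["issuer"])
        if issuer is None:
            return False, f"missing issuer certificate: {cert['issuer']}"
        if not issuer["is_ca"] or not signature_valid(cert, issuer):
            return False, f"bad signature or non-CA issuer on {cert['subject']}"
        if issuer["subject"] in anchors:
            return True, f"chains to trusted root {issuer['subject']}"
        cert, depth = issuer, depth + 1
    return False, "chain too long"


ROOT = issue("Spicy Root CA", ROOT_KEY, True, "Spicy Root CA", ROOT_KEY)
INTER = issue("Spicy Intermediate CA", INTER_KEY, True, "Spicy Root CA", ROOT_KEY)
SERVER = issue("hotchilies.spicyssl.com", SERVER_PUB, False, "Spicy Intermediate CA", INTER_KEY)


def scenarios():
    host = "hotchilies.spicyssl.com"
    r = {"full chain": verify_chain(SERVER, [INTER], [ROOT], host),
         # the situation behind the 'missing intermediate' prompt
         "intermediate not installed": verify_chain(SERVER, [], [ROOT], host),
         "root not in client store": verify_chain(SERVER, [INTER], [], host),
         "wrong host name": verify_chain(SERVER, [INTER], [ROOT], "inotes.spicyssl.com")}
    # A field edited after signing no longer matches the signature.
    edited = dict(SERVER, subject="inotes.spicyssl.com")
    r["edited after signing"] = verify_chain(edited, [INTER], [ROOT], "inotes.spicyssl.com")
    # A leaked root private key lets anyone mint a certificate that validates.
    rogue = issue("www.bank.example", SERVER_PUB, False, "Spicy Root CA", ROOT_KEY)
    r["stolen root key"] = verify_chain(rogue, [], [ROOT], "www.bank.example")
    return r


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:28s} {'OK  ' if ok else 'FAIL'} {why}")
```

The last scenario is the PKI slide's warning in code: once the root's private key is out, the chain walk cannot tell a rogue certificate from a genuine one, which is why a root compromise means distrusting the root rather than revoking individual certificates.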

Configuring your Domino server with a 3rd Party
SSL Certificate
 Choosing your 3rd Party CA
 Create a KeyRing file
 Creating a Certificate Signing Request (CSR)
 Retrieve SSL Certificate from Vendor
 Trusted Root and Intermediate Certificates

6) Install Server SSL Certificate


7) Setup Domino Server for SSL

Install Server Certificate into Key Ring 1
● Open the “Server Certificate Admin” database and Click “4. Install Certificate
into Key Ring”

Install Server Certificate into Key Ring 2
1) Input the path and file name of your KeyRing.kyr file.
2) Select File or Clipboard as Certificate Source, as appropriate.
3) Depending on your choice:
a) If File, input the path and file name of the retrieved signed certificate.
b) If Clipboard, paste into the provided field.
4) Click “Merge Certificate into Key Ring”.

Install Server Certificate into Key Ring 3
● Input the Key Ring password and click “OK”

Install Server Certificate into Key Ring 4
● Click “OK” on the Merge Signed Certificate Confirmation prompt

Install Server Certificate into Key Ring end
● Click “OK” on the Certificate received into key ring prompt

Configuring your Domino server with a 3rd Party
SSL Certificate
 Choosing your 3rd Party CA
 Create a KeyRing file
 Creating a Certificate Signing Request (CSR)
 Retrieve SSL Certificate from Vendor
 Trusted Root and Intermediate Certificates
 Install Server SSL Certificate

7)Setup Domino Server for SSL

Copy the KeyRing.kyr and KeyRing.sth file to your server’s Domino\Data directory 1
● When you create a KeyRing.kyr file, a .sth (stash) file of the same name is also created. It holds the key ring password so the server can open the key ring without prompting at startup.
● That also means the .sth file is not a secret you control: anyone who can copy both files can use your private key. Protect the pair with file system permissions on the server, and do not leave copies in C:\SSL or on your workstation once they are in place.
● Browse to the C:\SSL subdirectory and copy BOTH the .kyr and .sth files.

Copy the KeyRing.kyr and KeyRing.sth file to your server’s Domino\Data directory 2
● Paste the KeyRing.kyr and KeyRing.sth files into your server’s Domino\Data
directory.

Setup SSL on the Domino Server 1
● From Domino Administrator Client
1) Configuration tab
2) Server – Current Server Document
3) Edit Server
4) Note: Load Internet configuration
from Server\Internet Sites documents
= Disabled
● This example assumes you are NOT
using Internet Sites documents.
● Using Internet Sites documents will
be explained in the Wildcard SSL
section.

Setup SSL on the Domino Server 2
● Go to 1. Ports – 2. Internet Ports – 3. Input the name of your KeyRing.kyr file

Setup SSL on the Domino Server 3
● Scroll to the bottom of the page
1) TCP/IP port status – Port 80 (standard port)
• “Redirect to SSL” will automatically switch a user to SSL when they browse to the server without typing https:// at the beginning of the URL. Note that the first request (the URL itself) still travels over plain HTTP; only the redirected request and everything after it are protected, so make sure forms and login prompts are only reached on the https:// side.
2) Enforce server access settings
• Select Yes to have the server honor the Security Access settings on the Security tab of the server document
3) Enable SSL port status
4) Choose No for the Client certificate option (we haven’t issued any client certificates)
5) Save and Close

Setup SSL on the Domino Server 4
Restart the HTTP Server Task
• Domino Admin Client – Server
Console
• Issue the command
• restart task http

Test new SSL Setup 1
● Open your internet browser
● Enter the URL for your server
● Example:
http://hotchilies.spicyssl.com/names.nsf
● You will be prompted for your name
and password if you did not allow
anonymous access.

SSL Setup Complete

● Note: Because we
selected “Redirect to
SSL” you will be
automatically switched
to SSL (https://)
● The Browser does not
display any error
prompts.
● The Lock Icon displays.

Agenda
 It's a matter of Trust & Security
 Or why Certificates and SSL are necessary
 Definitions
• Using 3rd Party Certificate Authorities
 Single Host
• Multi Host with “Wildcard” SSL Certificate
• Domino's Certificate Authority (CA) process
• Migrating a Notes Certifier to the Domino CA
• Adding an Internet Certifier to the Domino CA
• Secure Email with S/MIME and X.509 Certificates
• Q&A
• Don't forget your evaluations



Wildcard SSL Certificate 1

Let’s suppose we have set up
DNS entries for
hotchilies.spicyssl.com and for
inotes.spicyssl.com both
pointing to the same server.

When we browse to
hotchilies.spicyssl.com
everything is fine.

But when we browse to
inotes.spicyssl.com

We get: “There is a problem
with this website’s security
certificate”.

This is because the certificate
was issued to hotchilies not
inotes.

Wildcard SSL Certificate 2

● What is a Wildcard SSL Certificate?
● It secures multiple first-level sub-domains (Internet Sites or Servers) as long as they end with the same domain name.
─ Example:
− www.spicyssl.com
− hotchilies.spicyssl.com
− inotes.spicyssl.com
− traveler.spicyssl.com
− quickr.spicyssl.com
● Browsers treat the wildcard as exactly one DNS label. A Wildcard Certificate for *.spicyssl.com will not work for inotes.mail.spicyssl.com or best.recipe.for.spicyssl.com, and it does not cover the bare domain spicyssl.com either; that name needs its own entry in the certificate.
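The one-label rule from the bullet above, as an added example that is not part of the original slides: the matching logic browsers apply to a certificate name (RFC 6125 section 6.4.3), run over the hosts from this slide. The wildcard must be the entire left-most label, at least two labels must follow it, it never spans a dot, and comparison is case-insensitive. The certificate names and host names are sample values.

```python
"""Host name matching against certificate names, wildcards included."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (plain or wildcard) covers the host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname             # plain single-host name
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*' must be the whole left-most label and the only wildcard, with at
    # least two labels after it: 'f*.x.com', 'a.*.com' and '*.com' are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(h_labels) != len(p_labels):
        return False                           # '*' never spans a dot or matches ''
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list (or its CN) matches."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def coverage(cert_names, hostnames):
    """Which of the given hosts a certificate with these names is accepted for."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


# Constructed sample: the wildcard certificate from the slides and some hosts.
WILDCARD_NAMES = ["*.spicyssl.com"]
HOSTS = ["www.spicyssl.com", "hotchilies.spicyssl.com", "inotes.spicyssl.com",
         "inotes.mail.spicyssl.com",       # two labels under the wildcard: not covered
         "spicyssl.com",                   # bare domain: needs its own SAN entry
         "spicyssl.com.evil.example"]      # lookalike name: not covered


if __name__ == "__main__":
    for host, ok in coverage(WILDCARD_NAMES, HOSTS).items():
        print(f"{host:28s} {'covered' if ok else 'NOT covered'}")
```

If the bare domain must also work, ask the CA for a certificate whose subjectAltName lists both spicyssl.com and *.spicyssl.com; the `cert_covers` call shows how a multi-name certificate is evaluated.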

Wildcard SSL Certificate 3

● Advantages:
─ Can result in big savings if you have more than 3 or 4 sites to secure.
─ Easier to manage, especially when it comes time for renewals.
● Disadvantages:
─ If the private key is stolen from one server, the thief can impersonate every host under the wildcard. Every server that shares the key must therefore be protected to the standard of the most sensitive one, and a compromise means revoking and replacing the certificate everywhere.
─ Some mobile device operating systems may not recognize the wildcard character (Windows Mobile 5 for example).
● 3rd Party CAs offer different options:
─ Some allow you to create as many new or sub wildcard certificates (with the same domain name) as needed, each with a unique private key, so a key stolen from one server does not expose the others; that makes them just as secure as a single server certificate.
─ Some 3rd Party vendors limit the number of use instances of a Wildcard SSL certificate.
● Read the License agreements of your CA to be sure you comply with their requirements.

Wildcard SSL Certificate 4

The process of setting up a Domino Server to use a Wildcard SSL Certificate is
the same as a single server certificate.
1) Choose your 3rd Party CA
2) Create a KeyRing file*
3) Creating a Certificate Signing Request (CSR)
4) Retrieve SSL Certificate from Vendor
5) Trusted Root and Intermediate Certificates
6) Install Server SSL Certificate
7) Setup Domino Server for SSL

*The difference is when you create the KeyRing.kyr file.

Enter *.spicyssl.com or *.yourdomain.com as the “Common Name” in the
Distinguished Name section.

The Domain owner will likely receive an email requesting verification of the Wildcard CSR before the certificate is issued.

Creating a Wildcard KeyRing.kyr file 5
● Open the “Server Certificate Admin” database
● Create a new KeyRing.kyr file
● Give the file a different name
● Example: C:\SSL\WildSpicySSL.kyr
● Complete the Create Key Ring document as we did before with ONE exception, the Common Name field
● Use *.spicyssl.com (or *.yourdomain.com)

Creating a Wildcard KeyRing.kyr file 6
● As long as you are sure you have entered a new Key Ring File Name, click on “OK” if you receive a WARNING prompt like the one to the left.
● Click “OK” on the Key Ring Created prompt

Wildcard SSL Certificate 7

Follow the remaining procedures as we did for setting up SSL on a Single
Server
3) Creating a Certificate Signing Request (CSR)
4) Retrieve SSL Certificate from Vendor
5) Trusted Root and Intermediate Certificates
6) Install Server SSL Certificate
7) Setup Domino Server for SSL – but this time we’ll use “Internet Sites”
documents

Wildcard SSL Certificate 8

Note the SubjectOrg and SubjectCommonName on the Signed Wildcard Certificate: the common name is *.spicyssl.com (Step 6, Install Server SSL Certificate, above).

Configure Internet Sites with SSL 9
Enable Internet Sites Documents
● Edit the Server Document
● Basics tab
● Enable “Load Internet configurations from Server\Internet Sites documents”
● Save and Close the server Document

Configure Internet Sites with SSL 10
Add a Web Internet Site Document
● Domino Admin Client
● Configuration Tab
● Web
● Internet Sites
● Add Internet Site
● Web

Configure Internet Sites with SSL 11
● Complete the Basic Tab
● Descriptive name for this site
● Organization
● Is this the Default Internet Site?

Configure Internet Sites with SSL 12
● Define this site’s Home URL on the Configuration Tab

Configure Internet Sites with SSL 13
● Security Tab
● Redirect TCP to SSL
● Require Name & Password for
SSL Authentication
● Enter the name of your
WildKeyRing.kyr in the SSL
Options section
● Save and Close the document

Wildcard SSL Certificate 14
● Copy the WildKeyRing.kyr and WildKeyRing.sth files to the Domino server’s
data directory.
● Open the Admin Client Server Console and enter the command “Restart task
HTTP”.

Wildcard SSL Certificate 15
● Now when we browse to inotes.spicyssl.com/redirect.nsf:
● We no longer get an SSL Certificate Error.
● We are prompted for a user name and password.
● When we click on the lock icon:
● We see the site is identified as inotes.spicyssl.com
● The connection to the server is encrypted.

Wildcard SSL Certificate 16
● By clicking View Certificate we see
that the certificate was issued to:
*.spicyssl.com

Agenda
 It's a matter of Trust & Security
 Or why Certificates and SSL are necessary
 Definitions
 Using 3rd Party Certificate Authorities
 Single Host
 Multi Host with “Wildcard” SSL Certificate
• Domino's Certificate Authority (CA) process
• Migrating a Notes Certifier to the Domino CA
• Adding an Internet Certifier to the Domino CA
• Secure Email with S/MIME and X.509 Certificates
• Q&A
• Don't forget your evaluations



Domino’s Certificate Authority (CA) process

● The Domino CA process can issue both Notes ID and Internet (X.509) certificates and runs as an automated server task (the CA task) on your Domino server.
● It allows you to off-load the tasks of Notes ID creation and certificate issuing to others without giving them your certifier IDs and passwords.
● Internet certificate requests are processed more easily.
● It maintains Issued Certificate Lists (ICL) and certificate revocation lists (CRL).

Setting up Domino Certificate Authority
1) Migrate a Notes Certifier to the CA Process
2) Managing the CA process
3) Add an Internet Certifier to the CA process
4) Create a Certificate Request database for the Internet Certifier
5) Create a KeyRing.kyr file
6) Set up SSL on the Domino server
7) Install the Domino Internet Certifier Trusted Root certificate into your browser

Migrate Notes Certifier to the CA Process 1
● Domino Admin client
1) Configuration Tab
2) Tools
3) Certification
4) Migrate Certifier

Migrate Notes Certifier to the CA Process 2
● Click Select

Migrate Notes Certifier to the CA Process 3
● Browse to the certifier being
migrated and click Select

Migrate Notes Certifier to the CA Process 4
● Click “OK”

Migrate Notes Certifier to the CA Process 5
● Input certifier password and click “OK”

Migrate Notes Certifier to the CA Process 6
● The next slides explain the options on this page.

Migrate Notes Certifier to the CA Process 7
Migrate Certifier Options

Select the server on which the certifier will run.

It is suggested that you leave the default path and name of the ICL database.

How this certifier is protected:

Encrypt Certifier ID with Server ID

This encrypts the certifier with the server's ID. No additional password or
action is required to use this certifier, which also means that anyone who can
run the server can use it. Isolate your CA server and add a password to the
server ID for added security.

Require password to activate

More secure, but requires that you issue the "tell ca activate <certifier number>
<password>" command after loading the CA task.

Locking ID

Highest security. If you use this option, create a dedicated ID for it, and keep
in mind that password expiration or Notes certificate expiration on that ID will
cause problems when unlocking the certifier. This option requires that you issue
the "tell ca unlock <path\filename> <password>" command on the server console.

Migrate Notes Certifier to the CA Process 8
Migrate Certifier Options

Certificate Authority Administrator (CAA)

A CAA can create and modify certifiers deployed in the Domino CA.

Only a CAA can edit the “Password recovery” information in a certifier.

The CAA can also add and edit the roles assigned to others.

A CAA must have at least “Editor” access to the Domino Directory.

Best Practice is to assign at least 2 CAAs to each certifier.

Registration Authority (RA)

Approves or denies Notes or Internet certificate requests.

Can revoke certificates that can no longer be trusted.

Must have at least Author access with “Create Document” privilege and “User
Creator” role to the Domino Directory.

The main advantage of separating the roles is to off-load these tasks from the
Domino or CA administrator.

If you use the Web Administrator client, the Domino server must be listed as an
RA.

Migrate Notes Certifier to the CA Process 9
● Add your server as an RA
● Click OK

Migrate Notes Certifier to the CA Process 10
● After a few seconds the Success prompt will appear.
● Click “OK”

Migrate Notes Certifier to the CA Process 11
● To start the CA process, open the Domino Admin Client Server Console and
issue the “load ca” command.

Commands used to Manage the CA Process
● The most common CA commands are:
● load ca – loads the CA task on the Domino server
● tell ca refresh – causes the CA task to reload the certifier list (certifiers will need
to be unlocked or activated again)
● tell ca quit – stops the CA task
● tell ca stat – displays summary information about the certifiers, including each
certifier's number
● tell ca activate <certifier number> <password> – activates a specific certifier
● tell ca unlock <path\file.id> <password> – unlocks all certifiers protected by that ID
● tell ca help – lists all of the CA options
● You can also deactivate or lock individual certifiers
● Add CA to the ServerTasks= line of your server's notes.ini so that the CA task
loads at server startup.

Add an Internet certifier to the CA Process 1
● Domino Admin client
1) Configuration
2) Tools
3) Registration
4) Internet Certifier

Add an Internet certifier to the CA Process 2
● Select “I want to register a new
internet certifier that uses the CA
process”
● “I have a keyring file I want to
register” would be used if you had an
existing Internet Certifier (R5
Certifier Key Ring) you wanted to
migrate into the CA process
● Click “Ok”

Add an Internet certifier to the CA Process 3
● On the Basics tab of the "Register New Internet Certifier" window, again let's
use "Encrypt certifier ID with the Server ID" and click "Create Certifier Name".

Add an Internet certifier to the CA Process 4
● The Common Name field is
required.
● Again, no abbreviations in the State
or Province field.
● You can see the Certifier Name
being built as you fill in the various
fields.
● Click “Ok”

Add an Internet certifier to the CA Process 5
Certificates Tab
● The "Include CRL distribution point extension" option, enabled by default, adds
an extension to each issued certificate that tells relying parties where to fetch
the Certificate Revocation List (CRL).
● By clicking "Detail" you will see that the CRL location is an LDAP URL on the
Domino server; clients can only check revocation if they can reach that URL.
● "Backdate certificate validity" is also enabled by default. The certificate
validity period is the interval during which the CA warrants that it will maintain
status information about the certificate; backdating starts that interval slightly
in the past, so that a client whose clock runs behind the CA's does not reject a
freshly issued certificate as not yet valid.

Add an Internet certifier to the CA Process 5
Certificates Tab continued
● By default a certifier is permitted to issue certificates for all Key Usage
options.
● The two most common key usages are checked by default:
● Digital Signature
● Used when verifying data origin and integrity (signatures).
● Data Encipherment
● Used when the public key itself encrypts user data directly.

Add an Internet certifier to the CA Process 6
● Key Usage defines the purpose of the certificate's key. You can allow all usages
or restrict the certifier to as few as necessary.
● The other standard Key Usages are:

Non-repudiation – used for signatures meant to stop the signer from later denying
having signed (RFC 5280 now calls this bit contentCommitment).

Key encipherment – used when the public key encrypts a symmetric key, as in RSA
key transport in SSL and S/MIME.

Key agreement – used when sender and receiver run a key-agreement protocol (such
as Diffie-Hellman) to derive a shared key; that shared key, not the certificate's
key, then encrypts the data.

Certificate signing – the key may sign public key certificates (a CA key).

CRL signing – the key may sign Certificate Revocation Lists.

Encipher only – must be used in conjunction with Key Agreement; the subject public
key may only be used for enciphering data during key agreement.

Decipher only – must be used in conjunction with Key Agreement; the subject public
key may only be used for deciphering data during key agreement.
● Extended Key Usage values further refine or restrict the standard key usages.

Add an Internet certifier to the CA Process 7
● Key Usage defines the purpose of the certificate. Select all, or restrict to only
as few usages as necessary.
● Examples of applications and the Key Usage they require:
● SSL Client, S/MIME Signing or Object Signing require "Digital Signature".
● SSL Server (with RSA key exchange) and S/MIME Encryption require "Key
Encipherment"; cipher suites with ephemeral Diffie-Hellman rely on "Digital
Signature" instead.
● Certificate Signing requires "Certificate Signing".
● Choose the options that match your certificate's purpose; a compliant client
should refuse to use a key whose Key Usage omits what the application needs.

Add an Internet certifier to the CA Process 8
● Since we are going to be using
S/MIME add “Key Encipherment” to
the “Default” selection.
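The Key Usage choices above are carried in the certificate as a DER-encoded BIT STRING (RFC 5280, section 4.2.1.3), and an application may only use a key whose bits include what it needs. The Python below is an added example, not the presentation's or Domino's code: it encodes and decodes that bit string and checks Domino's default selection (Digital Signature + Data Encipherment) against the S/MIME encryption requirement from the previous slide, which is exactly why Key Encipherment has to be added here. The REQUIRED_USAGE table is a transcription of the slide's examples (plus CRL signing), and its SSL Server entry assumes RSA key transport, as noted in the code.

```python
"""KeyUsage (RFC 5280 section 4.2.1.3): DER encode/decode and application checks."""

# Named bits in the order of their bit positions; bit 0 is the most significant
# bit of the first content byte of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# What each application needs, as listed on the slide. "SSL Server" assumes RSA
# key transport; ephemeral Diffie-Hellman suites would need digitalSignature instead.
REQUIRED_USAGE = {
    "SSL Client": {"digitalSignature"},
    "S/MIME Signing": {"digitalSignature"},
    "Object Signing": {"digitalSignature"},
    "SSL Server": {"keyEncipherment"},
    "S/MIME Encryption": {"keyEncipherment"},
    "Certificate Signing": {"keyCertSign"},
    "CRL Signing": {"cRLSign"},
}

# Domino's default selection for a new Internet certifier, from the slide.
DOMINO_DEFAULT = {"digitalSignature", "dataEncipherment"}


def encode_key_usage(usages) -> bytes:
    """DER-encode the KeyUsage BIT STRING (tag 0x03) with the named bits set."""
    unknown = set(usages) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown key usage(s): {sorted(unknown)}")
    if not usages:
        return b"\x03\x01\x00"  # empty BIT STRING: one content byte, zero unused bits
    highest = max(KEY_USAGE_BITS.index(u) for u in usages)
    nbytes = highest // 8 + 1
    value = 0
    for u in usages:
        value |= 1 << (nbytes * 8 - 1 - KEY_USAGE_BITS.index(u))
    # DER drops trailing zero bits and records how many bits of the last byte are unused.
    unused = 7 - highest % 8
    return bytes([0x03, nbytes + 1, unused]) + value.to_bytes(nbytes, "big")


def decode_key_usage(der: bytes) -> set:
    """Parse a DER KeyUsage BIT STRING back into the set of named bits.

    KeyUsage content is at most 3 bytes, so a short-form length is all we accept.
    """
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed BIT STRING TLV")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    return {
        KEY_USAGE_BITS[i]
        for i in range(min(total_bits, len(KEY_USAGE_BITS)))
        if body[i // 8] & (0x80 >> (i % 8))
    }


def check_key_usage(usages, application: str) -> list:
    """List the reasons a key with `usages` is unfit for `application` (empty = fit)."""
    usages = set(usages)
    problems = []
    missing = REQUIRED_USAGE[application] - usages
    if missing:
        problems.append(f"{application} requires {sorted(missing)}")
    # RFC 5280: encipherOnly/decipherOnly are undefined unless keyAgreement is also set.
    if usages & {"encipherOnly", "decipherOnly"} and "keyAgreement" not in usages:
        problems.append("encipherOnly/decipherOnly are meaningless without keyAgreement")
    return problems


if __name__ == "__main__":
    print("default :", check_key_usage(DOMINO_DEFAULT, "S/MIME Encryption"))
    fixed = DOMINO_DEFAULT | {"keyEncipherment"}
    print("fixed   :", check_key_usage(fixed, "S/MIME Encryption"))
    print("DER     :", encode_key_usage(fixed).hex())
```

The encoding for a typical RSA TLS server key, Digital Signature plus Key Encipherment, comes out as the four bytes 03 02 05 a0, which is what you will see when you dump such a certificate with a DER viewer; the trailing "05" is the unused-bit count DER requires.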

Add an Internet certifier to the CA Process 9
On the Misc. tab
1) Click "Create a local copy of the certifier ID".
2) Set ID File path and name.
3) Enter the password.
4) Click "OK" on the ID file prompt and again on the "Creating certifier" dialog box.

In order to have the CA process pick up the new certifier, enter "tell ca refresh"
on the Domino Admin Server Console.

Create Certificate Requests database 1
● From the Notes Client choose File – Application - New

Create Certificate Requests database 2
1) Select Server
2) File Name
3) Database Title
4) Choose Template server
5) Show advanced templates
6) Select “Certificate Requests
(8)” certreq.ntf
7) Click “OK”

Create Certificate Requests database 3
● When the database has been created the “About..” document will appear.
● Review the instructions for using the Certificate Request Database.

Create Certificate Requests database 4
● Select the Server and Certifier from the drop down list.
● We are going to use this Certificate Request database for both Client and Server
Certificates.
● Set the Validity Period as desired for Client Requests.
● The default Key and Extended Key Usages are adequate for our purposes.

Create Certificate Requests database 5
● Select any other "Key Usage" keywords to suit your installation.
● These are the "Extended Key Usage" options.

Create Certificate Requests database 6
Server Request Customization
● Set the Validity Period as appropriate.
● Again, the default Key and Extended Key Usages can be set as desired.
● If you choose Automatic as the processing method, another field, "Automatic
Transfer Server", will appear for you to specify the server running AdminP to
which requests are to be transferred.
● Choose whether to mail a confirmation to the requestor when the request
completes ("Yes" or "No").
● Click "Save & Close".

Create KeyRing.kyr for server-based CA 1
● Open the "Certificate Requests" database we just created.
● In the "Domino Key Ring Management" folder, select "Create Key Ring".

Create KeyRing.kyr for server-based CA 2
● Complete the Create Key Ring form as we have in the previous examples.
● Click "OK" on the Key Ring Created prompt when it appears.

Create KeyRing.kyr for server-based CA 3

The "Trusted Root" certificate for the Domino Internet CA will automatically be
installed into the new KeyRing.kyr file.

Note that the CA Certificate information we entered when we created the Internet
Certifier appears as the Certificate Issuer in the "Merge Trusted Root Certificate
Confirmation" dialog box.

Verify the information and click "OK".

Click "OK" on the "Certificate received into key ring and designated as trusted
root" prompt.

Create KeyRing.kyr for server-based CA 4

When the “Certificate Request Successfully Created for Key Ring” prompt
appears, click “OK”.

Create KeyRing.kyr for server-based CA 5

A CSR (certificate signing request) is created automatically.

Since we selected "Manual" as the processing method in our Certificate Request
database, we must submit the request to AdminP for processing.
1) Open the Pending/Submitted Request view in the Certificate Request database.
2) Select the request.
3) Click "Submit Selected Requests".
● Click "OK" on the Successfully submitted prompt.

Create KeyRing.kyr for server-based CA 6
● An authorized Registration Authority (RA) must open the Administration Requests
database and approve the request.
1) Open the Certificate Request view.
2) Open the new request.

Create KeyRing.kyr for server-based CA 7
● Verify the information.
● Edit the request.
● Click “Approve Request”.

Create KeyRing.kyr for server-based CA 8
● Open the Certificate Requests database.
1) Go to the Pending/Submitted Request view.
2) Select the document.
3) Click "Pull Selected Requests".
● Click "OK" on the Successfully pulled prompt.

Create KeyRing.kyr for server-based CA 9
● Open your mail file and locate
the “Your certificate request
has been approved” message.
● Copy the pickup ID to your
clipboard.

Create KeyRing.kyr for server-based CA 10
● Alternatively, you can open the Certificate Request database.
● Go to the Issued/Rejected Certificates view.
● Open the Certificate Issued document.
● Copy the Pickup ID from the Request ID field.
● This is not necessary if you copied it from the email message.

Create KeyRing.kyr for server-based CA 11
● Open the Certificate Request
database.
● Click “Pickup Key Ring
Certificate”.

Create KeyRing.kyr for server-based CA 12
1) Input the path and name of your KeyRing.kyr file.
2) Input the password for the KeyRing.kyr file.
3) Paste the Pickup ID into the last field.
4) Click "Pickup Certificate".
● Verify the information on the "Merge Signed Certificate Confirmation" prompt.
● Click "OK".

Create KeyRing.kyr for server-based CA 13
● Click "OK" on the Certificate received into key ring prompt.
● Copy or FTP the KeyRing.kyr and KeyRing.sth files to the Domino\Data directory on
your server. Plain FTP sends both files in the clear, and the .sth stash file holds
the password that opens the key ring's private key, so use an encrypted transfer
and restrict file-system access to both files on the server.

Setup SSL on the Domino Server
● The procedures are the same as those listed for the single server or the Internet
Sites document in the previous examples.
● We are going to edit the Internet Site document we used last and replace the
WildKeyRing.kyr with the DomCAKR.kyr we just created for the Domino Certificate
Authority.
● Then issue "restart task http" from the Domino Admin Client Server Console.

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 1
● Oops – when we browse back to our server, we get the dreaded "There is a problem
with this website's security certificate" error.
● This is because the browser does not yet trust the Certificate Authority we
created (see the next slide).

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 2
● The Certificate Authority that we created is not a Trusted Authority in the
browser.

● You can open standard HTTP:// access and send end users a URL link to the
Domino CA Certificate Request database. This database has a built-in function to
accept the Domino Certificate Authority as a Trusted Root in their browser, as we
are about to see.
● Keep in mind what the user is doing here: a root installed into the Trusted Root
store makes every certificate that CA signs trusted without warning. Because the
download itself travels over plain HTTP, users should compare the certificate's
fingerprint with a value the administrator gave them out of band before accepting
it.
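What that out-of-band check amounts to in practice, as an added example that is not part of the presentation or of Domino: decode the PEM certificate the user is being asked to trust, compute the SHA-256 fingerprint the browser's certificate dialog displays, and confirm the certificate has the shape of a root (issuer equals subject) before comparing the fingerprint, in constant time, with the value obtained from the CA administrator. The sample certificate is constructed inline from hand-built DER with zero-filled key and signature bytes, so its fingerprint is meaningful only for the demonstration; the same check applies to the root installed through Appendix 1.

```python
"""Check a CA root certificate (PEM) before trusting it: fingerprint and self-issued."""
import base64
import hashlib
import hmac


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x80|k, then k bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Build one DER element."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element) for the element at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        if k == 0 or k > 4:
            raise ValueError("unsupported DER length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + n], pos + n


def children(body: bytes) -> list:
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        out.append((tag, content))
    return out


def inspect_certificate(der: bytes) -> dict:
    """SHA-256 fingerprint, serial number and issuer==subject test for a DER certificate."""
    tag, cert, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, tbs, _ = read_tlv(cert)                     # tbsCertificate is the first element
    fields = children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # Now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {
        "sha256": hashlib.sha256(der).hexdigest(),
        "serial": int.from_bytes(fields[0][1], "big", signed=True),
        "self_issued": fields[2][1] == fields[4][1],
    }


def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def root_is_acceptable(pem: str, expected_sha256: str) -> bool:
    """True only if the certificate is self-issued and its fingerprint matches the one given."""
    info = inspect_certificate(pem_to_der(pem))
    expected = expected_sha256.replace(":", "").replace(" ", "").lower()
    return info["self_issued"] and hmac.compare_digest(info["sha256"], expected)


# ---- constructed sample data (hand-built DER, dummy key and signature bytes) ----
def _name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF (OID 2.5.4.3 commonName, PrintableString)."""
    ava = tlv(0x06, b"\x55\x04\x03") + tlv(0x13, common_name.encode())
    return tlv(0x30, tlv(0x31, tlv(0x30, ava)))


_SHA256_RSA = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
_RSA_KEY_ALG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))


def build_sample_certificate(issuer_cn: str, subject_cn: str, serial: int = 0x1234) -> bytes:
    """X.509 v3 skeleton; the key and signature bit strings are zero-filled placeholders."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))                                   # version v3
           + tlv(0x02, serial.to_bytes(2, "big"))
           + _SHA256_RSA
           + _name(issuer_cn)
           + tlv(0x30, tlv(0x17, b"110101000000Z") + tlv(0x17, b"210101000000Z"))
           + _name(subject_cn)
           + tlv(0x30, _RSA_KEY_ALG + tlv(0x03, b"\x00" * 65)))
    return tlv(0x30, tlv(0x30, tbs) + _SHA256_RSA + tlv(0x03, b"\x00" * 65))


SAMPLE_ROOT_DER = build_sample_certificate("Spicy SSL CA", "Spicy SSL CA")
SAMPLE_ROOT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_ROOT_DER).decode()
                   + "-----END CERTIFICATE-----\n")
SAMPLE_ROOT_SHA256 = hashlib.sha256(SAMPLE_ROOT_DER).hexdigest()   # the "out-of-band" value

if __name__ == "__main__":
    print(inspect_certificate(SAMPLE_ROOT_DER))
    print("accept root:", root_is_acceptable(SAMPLE_ROOT_PEM, SAMPLE_ROOT_SHA256))
```

The self-issued test is deliberately only a shape check (a real validator would also verify the signature with the embedded key); the part that matters for the page's scenario is that the fingerprint the user compares is computed over the DER bytes actually received, not taken from the same untrusted web page.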

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 3
● Browse to the Domino CA Certificate Request database,
http://hotchilies.spicyssl.com/certreq.nsf
● Select "Accept This Authority In Your Browser"

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 4
● If the browser displays a warning bar at the top of the window, click on it and
then click "Run Add-on".
● Click "Run" on the Security Warning.
● You will be returned to the Domino CA Certificate Requests database.
● Click "Accept This Authority In Your Browser" again.

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 5
● Click “Install
Certificate”

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 6
● Click “Yes” on the Potential
Security Violation prompt.

● Click “Yes” on the Security Warning.

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 7
● Verify that the Domino CA
Certificate was installed as a
Trusted Root in your browser.
1) Open browser
2) Click “Tools”
3) “Internet Options”

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 8
● On the “Content” tab
● Select “Certificates”

Install the Domino Internet Certifier Trusted
Root Certificate into your browser 9
● Go to the "Trusted Root Certification Authorities" tab.
● Scroll through the list and you should find your Domino CA Certificate.

* An alternate method of installing the Domino CA Trusted Root certificate is
provided as Appendix 1 at the end of the presentation.

S/MIME and X.509 Certificates for secure
email 1
● Now that we have the Domino Certificate Authority set up with an Internet
Certifier, we can create Internet Certificates for our Notes clients.
● The CA's Trusted Root Certificate must be in either the Domino Directory or the
client's Contacts database (personal address book); it is much simpler for your
Notes clients if it is in the Domino Directory.
● As the Administrator for your domain, you must decide:
● Issue Internet Certificates via the Domino Admin Client? If your primary goal is
S/MIME encrypted email, you can issue Internet Certificate requests for your Notes
clients from the Domino Admin client. The CA will process the requests and add the
certificates to the Person Documents, and the Notes client will automatically
import them into the Notes ID files.
● Or do you want to require Client Certificates in the end user's browser for
additional access control to your Domino servers? This option requires an end
user to submit a request, pick up the signed certificate from the Domino
Certificate Request database, and then install the certificate into their browser.
● Or a combination of the two?

S/MIME and X.509 Certificates for secure
email 2
● Administrator adds Internet certificates to the Domino Directory:
● The easiest way to issue X.509 certificates for email encryption is for the
Domino Administrator to request them via the Domino Administrator client.
● The CA adds the Internet Certificate to the user's Person Document in the
Domino Directory.
● When the user authenticates with their home mail server, the Internet
Certificate is automatically merged into the Notes ID file.
● Client requests a Client Certificate:
● If you want to use browser Internet certificates for authentication and SSL
encryption:
● The user browses to the Certificate Request Database and requests a certificate.
● An RA approves the request; the Domino CA processes it and submits an AdminP
request to add the Internet Certificate to the Person Document in the Domino
Directory. The CA emails the end user a pickup ID and the end user installs the
certificate into their browser.
● To use that same certificate in Notes, the user exports it from the browser and
imports it into their Notes ID (see Appendix 3).

S/MIME and X.509 Certificates for secure
email 3
Administrator Issues Internet
Certificate to the Person
Document
● Be sure the Domino CA
process is setup and running
● Open the Domino Admin
Client
1) People & Groups Tab
2) People
3) Select names to receive
Internet Certificates

S/MIME and X.509 Certificates for secure
email 4
● From the Menu Bar
1. Click “Actions”
2. Choose “Add Internet Cert to
Selected People”.

S/MIME and X.509 Certificates for secure
email 5
● Choose a Certifier prompt box
1) Select your registration
server.
2) Select “Use the CA
Process”.
3) Select your Internet
Certificate as the “CA
configured certifier”.
4) Click “OK”.

S/MIME and X.509 Certificates for secure
email 6
• Review the information in the Add Internet Certificate to Selected Entries box
and click "Certify".
• Click "OK" on the Processing Statistics prompt.

S/MIME and X.509 Certificates for secure
email 7
● A Certificate Request is added to the AdminP database for each person
selected.

S/MIME and X.509 Certificates for secure
email 8
● When the CA processes the Certificate Request, it then creates a “Store
Certificate in Domino or LDAP Directory” request in the AdminP database.

S/MIME and X.509 Certificates for secure
email 9
● After a replication cycle completes to the user’s mail server, and the user
accesses their mail file, Lotus Notes sees that there is an Internet Certificate
available in their Person Document and automatically downloads it to their
Notes ID file.

S/MIME and X.509 Certificates for secure
email 10
● To view the Internet Certificate information in your Notes ID:
1) File
2) Security
3) User Security
● Enter your password and click "Log In".

S/MIME and X.509 Certificates for secure
email 11
● Expand “Your Identity” – Select “Your Certificates” – Choose “Your Internet
Certificates” to view your Internet Certificate information.

S/MIME and X.509 Certificates for secure
email 12
● Now that you have an Internet Certificate, how do you go about exchanging
secure email with someone else?
● You have to cross certify the other person's certificate and exchange public keys.
● You do this by sending each other a "Signed" email. The signature carries your
certificate, and with it your public key.
● Each must store the other's certificate in their Contacts database (Personal
Address Book) by "Adding Sender to Contacts"; you can only encrypt to a recipient
whose public key you hold locally.
● Then you can send and receive S/MIME encrypted emails.

S/MIME and X.509 Certificates for secure
email 13
● Create and sign an email to your associate.
● After creating the message select:
1) Delivery Options
2) Sign
3) OK
4) Send

S/MIME and X.509 Certificates for secure
email 14
● When your associate opens the email, they will be prompted to "Cross Certify"
with the certificate contained in your signature.
● Notice that it is your own ID (the recipient's) that issues the cross certificate.
● And the server to contain the certificate will be the "Local" names.nsf.
● Click "Cross certify".

S/MIME and X.509 Certificates for secure
email 15
● Your associate will need to add or update the information in their Contacts
database by:
● Clicking on "More"
● Add Sender to Contacts
● If the sender is already in Contacts, you will be prompted to replace the
existing contact record.
● Be sure "Include X.509 certificates when encountered" is checked.
● Click "OK"

S/MIME and X.509 Certificates for secure
email 16
● You will receive a "Contacts successfully updated" prompt. Click "OK".
● Your associate must send you a signed message so that you can cross certify
with their Internet Certificate.
● Once you have both cross certified and stored each other's public key in your
Contacts databases, you can send and receive S/MIME encrypted email to each other.

S/MIME and X.509 Certificates for secure
email 17
● When you receive an encrypted email, your Notes client will automatically
decrypt the message when it is opened.
● The status bar at the bottom of your Notes client will display "Decrypting
document…".

S/MIME and X.509 Certificates for secure
email 18
● Little Bug….
1) Server Configuration Document
2) MIME
3) Advanced
4) Advanced Outbound Message
5) RFC822 Phrase Handling
● If this is set to "Use CN as phrase" for friendly email reply addresses, and you
are sending your public key to a Notes client at another company, they will have
trouble adding your public key to their Contacts database.

Links for more information
● http://en.wikipedia.org/wiki/Transport_Layer_Security
● http://www.redbooks.ibm.com/abstracts/redp0046.html?Open
● http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-
revised2_Mar08-2007.pdf (page 66)
● Frequently Asked Questions: Using SSL with Notes and Domino
● http://www-01.ibm.com/support/docview.wss?uid=swg21218820

Legal Disclaimer
© IBM Corporation 2011. All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without
warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of
the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors,
or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change
at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor
shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

All references to Spicy SSL refer to a fictitious company and are used for illustration purposes only.

Appendices

• Appendix 1
• Install the Domino CA Certifier Trusted Root Certificate Alternate
Method
• Appendix 2
• Requesting, Processing & Installing a Client Certificate from a Domino CA Single
Host
• Appendix 3
• Export a X.509 Certificate from your browser and Import into your Notes ID

Appendix 1
Install the Domino CA Certifier Trusted Root
Certificate alternate method 1
● Click "Continue to the website (not recommended)".
● Then click on the "Certificate Error" in the browser bar.

Appendix 1
Install the Domino CA Certifier Trusted Root
Certificate alternate method 2
● The Untrusted Certificate
explanation will appear.

● Click “View certificates”.

Appendix 1
Install the Domino CA Certifier Trusted Root
Certificate alternate method 3
● Go to the “Certification Path”
tab
● Notice at the bottom of the
prompt box:
“This CA Root certificate is not
trusted because it is not in the
Trusted Root Certification
Authorities store.”
• Double click on the Certificate
Authority name – NOT the
server name

Appendix 1
Install the Domino CA Certifier Trusted Root
Certificate alternate method 4
● Click “Install Certificate”.
● The Certificate Import Wizard
will launch.
● Click “Next”.

Appendix 1
Install the Domino CA Certifier Trusted Root
Certificate alternate method 5
1) Select “Place all certificates
in the following store”.
2) Click “Browse”.
3) Select “Trusted Root
Certification Authorities”.
4) Click “OK”.

Appendix 1
Install the Domino CA Certifier Trusted Root
Certificate alternate method 6
● Click “Next”.

● Then click “Finish”.

Appendix 1
Install the Domino CA Certifier Trusted Root
Certificate alternate method 7
● Click "Yes" on the Security Warning prompt.
● Click "OK" on the "The import was successful" prompt.

Appendix 1
Install the Domino CA Certifier Trusted Root Certificate, alternate method (step 8 of 8)
● Close and re-launch your browser. When you browse to your server this time you should no longer receive a security warning; you should see the lock icon and be prompted for your user name and password.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 1 of 11)
● Whether you are requesting a Client Certificate from a 3rd Party CA or a Domino CA, the procedure is basically the same:
1) Browse to the CA's website.
2) Request a Client Certificate.
3) The CA processes the Certificate Request.
4) The CA notifies you via email that the certificate is ready for pickup.
5) Browse to the CA's pickup site.
6) Paste in the Pickup ID.
7) Install the trusted root and the signed certificate into your browser.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 2 of 11)
● Browse to your Domino CA's Certificate Request database.
● Select “Request Client Certificate”.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 3 of 11)
● Complete the “Client Request Form”.
● Remember – no abbreviations in the State/Province field.
● Domino defaults to a “High Grade” key for client certificates.
● Submit the certificate request.
● “Certificate Request Has Been Submitted” is displayed on success.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 4 of 11)
● The next three procedures (this step through “Pull Selected Requests”) are performed by the Registration Authority (RA).
1) Open the Certificate Request database.
2) Go to the Pending/Submitted Request view.
3) Select the appropriate document(s).
4) Click “Submit Selected Requests”.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 5 of 11)
1) Open the Administration Requests database.
2) Go to the Certificate Request view.
3) Open the new request document.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 6 of 11)
● Click “Edit Request”.
● Click “Approve Request”.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 7 of 11)
1) Return to the Certificate Request database.
2) Go to the Pending/Submitted view.
3) Click “Pull Selected Requests”.
● Click “OK”.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 8 of 11)
● The client receives an email with the pickup ID.
● Copy the pickup ID to your clipboard.
● The pickup ID only releases the signed certificate; the private key was generated in the requesting browser and never left it, so pick the certificate up from the same browser profile that submitted the request.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 9 of 11)
● Browse back to the Certificate Request application.
● Click “Pick Up Client Certificate”.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 10 of 11)
● Paste the Pickup ID into the Pickup ID field.
● Click “Pick Up Client Certificate”.
● Click “Install Certificate”.

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA (step 11 of 11)
● Click “OK”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 1 of 14)
● Once a certificate has been installed into your browser, you can export it (together with its private key) and import it into your Notes ID file for use with S/MIME secure email.
● I will be exporting and importing a VeriSign Personal Certificate in this example.
● Open your browser (Internet Explorer here) and select:
1) Tools
2) Internet Options

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 2 of 14)
● On the “Content” tab, click “Certificates”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 3 of 14)
● On the “Personal” tab, select the certificate (John Doe's in this example).
● Click “Export”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 4 of 14)
● The “Certificate Export Wizard” will launch.
● Select “Yes, export the private key”.
● Click “Next”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 5 of 14)
● Select “Personal Information Exchange – PKCS #12 (.PFX)” as the format.
● Be sure to select “Include all certificates in the certification path if possible”.
● Click “Next”.

NOTE: If you fail to select “Include all certificates in the certification path if possible”, the Notes client reports an error when you try to import the certificate into your Notes ID, because the file then lacks the issuer certificates Notes needs to validate yours.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 6 of 14)
● Input and confirm a password to protect your private key. The .pfx file will contain that key, so choose a strong password and delete the file once the import into Notes is done.
● Click “Next”.
● Select the folder.
● Input a file name (JohnCert in this example).
● Click “Save”.
Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 7 of 14)
● Click “Next”.
● Review the information (file name, format, private key included).
● Click “Finish”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 8 of 14)
● Click “OK” on the “Exporting your private exchange key” prompt.
● Click “OK” on the “Export successful” prompt.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 9 of 14)
● Open your Notes client.
● Select File, then Security, then User Security.
● Input your Notes password.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 10 of 14)
1) Expand “Your Identity”.
2) Select “Your Certificates”.
3) Choose “Your Internet Certificates” (the list will show entries such as John.Doe@SpicySSL.com once the import is complete).
4) Click “Get Certificates”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 11 of 14)
● Select “Import Internet Certificates”.
● Browse to the .pfx file you just exported (JohnCert.pfx).
● Click “Open”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 12 of 14)
● Select “PKCS 12 encoded”.
● Click “Continue”.
● Input the password you used when you exported the key.
● Click “OK”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 13 of 14)
● Review the certificates contained in the file (your own, John.Doe@SpicySSL.com here, plus the issuing CA's) and select “Accept All”.

Appendix 3
Export an X.509 Certificate from your browser and import it into your Notes ID (step 14 of 14)
● Input your Notes password (for John Doe/SpicySSL in this example).
● Click “Log In”.
● Click “OK”.
