lotusphere 2011 show104
TRANSCRIPT
SHOW104
2011 IBM Corporation
SHOW104
Crispy Certificates with
Spicy SSL Salsa
Tom Truitt | Sr IT Specialist | WorkFlow Studios
Legal
This slide presentation may contain the following copyrighted, trademarked, and/or restricted terms:
IBM Lotus Domino, IBM Lotus Notes, IBM Lotus Symphony, LotusScript
Microsoft Windows, Internet Explorer, Microsoft Office
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Symantec Corporation, VeriSign, Inc., Thawte, Inc., GeoTrust, GoDaddy.com, Inc.
Legal Disclaimer
IBM Corporation 2011. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Spicy SSL refer to a fictitious company and are used for illustration purposes only.
Session Goals
Learn what SSL and X.509 certificates are, and why you use them.
Learn what a Wildcard certificate is and how it potentially saves your organization money and maintenance hassle.
Learn the difference between self-certifying and using a 3rd Party certificate authority and why you'd want to pay for the 3rd Party.
Learn how to send and receive encrypted email for secure communications.
Learn the step-by-step process of setting up all of these certificate types in your Domino environment.
Assumptions
You have installed and have working knowledge of the Lotus Notes Administration Client.
You have Create Database privileges in your Domino environment.
You have at least Editor access to the Domino Directory with NetCreator and UserCreator roles.
Your Notes Client Location Document must be set for server-based mail, not local; otherwise you will receive errors when creating or modifying certificates.
Agenda
It's a matter of Trust & Security
Or why Certificates and SSL are necessary
Definitions
Using 3rd Party Certificate Authorities
Single Host
Multi Host with Wildcard SSL Certificate
Domino's Certificate Authority (CA) process
Migrating a Notes Certifier to the Domino CA
Adding an Internet Certifier to the Domino CA
Secure Email with S/MIME and X.509 Certificates
Q & A
Don't forget your evaluations
It's a matter of Trust & Security
Who do you trust?
How do you verify that you are connected to a server that is actually at a particular business or site?
Certificates validate identity. Like a company badge to get into your office or a driver's license or passport to get through security at the airport.
Who would eavesdrop on the Internet Party Line?
Standard Internet communications, e.g. HTTP and SMTP, are plain-text transmission protocols.
If someone intercepts traffic, there is nothing to prevent reading all the content of that communication.
With encryption, one end of the communication encrypts the traffic, and the other end decrypts it.
Certificates provide the keys in the encryption process.
Definitions to keep in mind
Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
Public Key Infrastructure (PKI)
Certificate Authority (CA)
Certificate Signing Request (CSR)
X.509 Digital Certificate or Public Key Certificate (PKC)
Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
SSL & TLS are cryptographic* protocols that provide secure, encrypted communications over the Internet.
SSL, originally developed by Netscape, is widely used to do two things:
Validate the identity of a Web site
Encrypt the connection for sending personal data over the internet
TLS, the security protocol defined by the Internet Engineering Task Force (IETF), is based on SSL 3.0. TLS uses digital certificates to authenticate the user as well as the server.
The TLS client uses the public key from the server to encrypt a random number and send it back to the server. The random number, combined with additional random numbers previously sent to each other, is used to generate a secret session key to encrypt the subsequent message exchange.
Look for the Lock icon in your browser. If the lock is closed you are on a secure SSL or TLS connection.
*Cryptography is the process of converting data into a secret code for transmission. In other words Plain Text is converted into a secret code via an encryption algorithm.
Typical SSL Handshake Negotiation Process
The two sides acknowledge each other and the browser sends a list of algorithms it supports and a random number to the web server.
The server replies with "use this algorithm", its own random number and its digital certificate.
The browser verifies that it trusts the server's certificate and extracts the server's public key. It then uses that public key to encrypt a pre-master key (the pre-master secret) and sends it to the server.
Both client and server use the pre-master key and exchanged random numbers to generate the secret keys for the rest of the session and exchange checksums.
Public Key Infrastructure (PKI)
A framework for creating a secure method of exchanging electronic information based on public key cryptography.
The base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.
PKIs are based on the public/private key pair of the CA's Root Key.
The subject's public key, known to everyone, is used to encrypt data.
The private or secret key is used to decrypt received data.
If the private key of the CA's Root Key is ever compromised, all the digital certificates created by that CA are vulnerable.
The Key Size defines how hard the private key is to recover by brute force. The larger the key size, the harder it is to break the code.
Common RSA Key Sizes are:
512, 1024 and 2048 bits
Certificate Authorities (CAs)
As stated above, the base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.
There are two types of CAs:
Trusted 3rd Party or Commercial CAs which charge to issue certificates. Their Trusted Root certificates are included in most internet browsers.
Think of a passport issued by your country's passport authority.
Self Signed or Closed System, where your company is its own CA. You control the Root Certificate for the organization.
Think of your company issued ID badge that lets you into your office building.
Trusted 3rd Party Certificate Authorities (CAs)
Over 300 Trusted CAs are included in Internet Explorer on Windows XP.
Most browsers already trust these authorities, so end user configuration is not required.
If the certifier is pre-configured as trusted in the email system, external mail client configuration is reduced.
Overall, the cost of supporting a 3rd Party System can be less than that of a Closed System.
Examples of 3rd Party CAs:
VeriSign, recently acquired by Symantec, has long been highly trusted by consumers. VeriSign also owns GeoTrust and Thawte; combined they make up the largest CA group*.
Go Daddy has grown rapidly over the last few years due to their aggressive pricing model and holds the number two position per netcraft.com
Many other Trusted 3rd Party CAs are listed at the site below
* https://ssl.netcraft.com/ssl-sample-report//CMatch/certs
Self Signed or Closed System CAs
You or your organization control all certificates including the Root Certificate.
You control who you issue certificates to.
Think of Photos on ID badges.
You manage the certificate structure, naming, validation and expiration.
The major problem with a Closed CA is that it requires equipment and personnel to manage the process and configure end user workstations.
Think of your Security Department that takes photos and issues Corporate Security badges.
Certificate Signing Request (CSR)
A CSR is an application submitted to a CA for a computer or individual to obtain a digital certificate.
The request includes information identifying the applicant and the public key that is generated from a public/private key pair.
X.509 Digital Certificate
AKA Digital ID or Public Key Certificate (PKC)
X.509 is an International Telecommunication Union (ITU-T) standard for public key infrastructure (PKI). It specifies standard formats for public key certificates, certificate validation and certificate revocation lists.
Digital Certificates are issued by a CA after the CA has verified that the public key belongs to a specific subject.
A Digital Certificate contains both CA and subject information, including the subject's public key. The CA signs the certificate by creating a digest of all the fields in the certificate and then encrypting the digest with its private key.
The encrypted digest is called a digital signature, and when placed into the X.509 certificate, the certificate is said to be signed.
It's the digital equivalent of your ID card, driver's license or passport.
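The Typical SSL Handshake slide above and this X.509 slide describe two uses of the same key pairs: a CA digests the certificate fields and applies its private key, and a browser later uses the verified server public key to protect a pre-master key. The Python below is an added illustration, not from the slides or from IBM, that runs both end to end: a hypothetical CA issues a certificate for hotchilies.spicyssl.com, the client checks the signature and the name before trusting the key, and both sides derive the same master secret from the two random numbers and the pre-master. Assumptions: textbook unpadded RSA at 512 bits (real deployments use PKCS#1 padding and the 2048-bit keys the deck recommends), a newline-joined field list standing in for DER encoding, and the TLS 1.2 PRF of RFC 5246 for key derivation.

```python
"""Added illustration of CA signing plus RSA key exchange; toy-sized RSA, demo only."""
import hashlib
import hmac
import math
import secrets

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; enough for a demonstration key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Return ((e, n), (d, n)). 512 bits keeps the demo quick; the slides recommend 2048."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _tbs_bytes(fields: dict) -> bytes:
    """Canonical 'to be signed' encoding of the certificate fields (stand-in for DER)."""
    return "\n".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ca_sign_certificate(fields: dict, ca_priv) -> dict:
    """CA step from the X.509 slide: digest all fields, then apply the CA private key."""
    d, n = ca_priv
    return {"tbs": dict(fields), "signature": pow(_digest_int(_tbs_bytes(fields)), d, n)}

def verify_certificate(cert: dict, ca_pub) -> bool:
    """Relying-party check: recover the digest with the CA public key and compare."""
    e, n = ca_pub
    return pow(cert["signature"], e, n) == _digest_int(_tbs_bytes(cert["tbs"]))

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 PRF built on P_SHA256: an HMAC chain keyed by the secret."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def run_handshake(hostname: str = "hotchilies.spicyssl.com") -> dict:
    """Model the four handshake steps from the slide; report whether both sides agree on keys."""
    ca_pub, ca_priv = rsa_keygen()
    srv_pub, srv_priv = rsa_keygen()
    cert = ca_sign_certificate({"CN": "hotchilies.spicyssl.com", "O": "Spicy SSL", "C": "US",
                                "pub_e": srv_pub[0], "pub_n": srv_pub[1]}, ca_priv)
    # Steps 1 and 2: the hellos carry one random number from each side.
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    # Step 3: the browser must trust the certificate AND see its own hostname in it.
    if not verify_certificate(cert, ca_pub) or cert["tbs"]["CN"] != hostname:
        return {"keys_match": False, "reason": "certificate rejected"}
    e, n = cert["tbs"]["pub_e"], cert["tbs"]["pub_n"]
    pre_master = secrets.token_bytes(48)
    encrypted_pm = pow(int.from_bytes(pre_master, "big"), e, n)  # unpadded RSA: demo only
    # Step 4: the server recovers the pre-master; both sides derive the master secret.
    server_pm = pow(encrypted_pm, srv_priv[0], srv_priv[1]).to_bytes(48, "big")
    seed = client_random + server_random
    client_master = tls12_prf(pre_master, b"master secret", seed, 48)
    server_master = tls12_prf(server_pm, b"master secret", seed, 48)
    return {"keys_match": hmac.compare_digest(client_master, server_master),
            "master_secret": client_master.hex()}
```

Calling run_handshake() with the default name returns keys_match True; calling it with inotes.spicyssl.com returns keys_match False, which is exactly the name-mismatch warning the Wildcard section later shows in the browser. An eavesdropper sees both randoms and the encrypted pre-master but, without the server's private key, cannot compute the master secret.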
Configuring your Domino server with a 3rd Party SSL Certificate
Choosing your 3rd Party CA
Create a KeyRing file
Creating a Certificate Signing Request (CSR)
Retrieve SSL Certificate from Vendor
Trusted Root and Intermediate Certificates
Install Server SSL Certificate
Setup Domino Server for SSL
Choosing your 3rd Party CA & Certificate
There are literally hundreds of 3rd Party CAs.
Things to consider when selecting your 3rd Party CA are:
What type of transactions will this server be handling?
Online commerce sites should have the strongest level of encryption and assurance that you can afford.
In-house, training and utility servers might be able to use a less costly certificate.
Issuance Speed
SSL Certificate Warranty
Website Security Seals
Customer Support
It's really up to you to determine the best vendor for your needs. The SSL Certificate (assuming the same Key Strength) will technically work the same whether it is created by a Self Signed CA or a premium certificate from a well known CA. The difference is really perception and marketing.
Creating a KeyRing.kyr file 1
Create a New Folder off the root of your C:\ drive with a short folder name. My suggestion is C:\SSL (You will be typing this path several times in the near future)
Creating a KeyRing.kyr file 2
From your Notes Client,
Select File
Open
Lotus Notes Application
Look in Your Server
Select Server Certificate Admin (certsrv.nsf)
Click Open
Creating a KeyRing.kyr file 3
When the application opens, select 1. Create Key Ring
Creating a KeyRing.kyr file 4
Type the full path and file name; it must end with .kyr.
Input and confirm the password.
Click on the Key Size drop down.
Key Size 5
The larger the key size, the greater the encryption strength and therefore the less likely a brute force attack will be able to decipher the key.
Given the advances in computing power, some believe that it will be possible to break a 1024-bit key in the near future.
Some 3rd Party CAs will no longer accept a CSR with a key size smaller than 2048 bits, and others are currently in the process of phasing out their lower sized certificates.
Keep in mind this could cause issues when you try to renew existing certificates of lower key strength, in which case you will be required to create a new Key Ring file and CSR for your servers.
The National Institute of Standards and Technology (NIST) of the US Government recommends certificates after 2010 should be of at least 2048 bit key length.
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
Beware - some older browsers cannot support the new 2048 bit keys.
Creating a KeyRing.kyr file 6
Select 2048 as the Key Size
Creating a KeyRing.kyr file 7
Complete the required and optional fields.
Common Name (DNS Server Name)
Organization and Optional fields
NO ABBREVIATIONS in the State or Province field
2 character country code
Click Create Key Ring
Creating a KeyRing.kyr file 8
The KeyRing file name can be anything you want but it must end with .kyr extension.
Write down the password of the KeyRing.kyr file, put it in a sealed envelope and store it in a safe place. You are going to need the password again when it comes time to renew the certificate.
If you are getting a single server certificate, the Common Name is the URL name to which the server responds. A single-character mistake will cause an invalid name prompt when the certificate is presented to the browser.
The Organization (and optional Organization Unit) fields must be completed as accurately as possible with the legal name of the company.
Use the City and State of the Organization's address and NO ABBREVIATIONS in the State or Province name.
Enter the standard 2 Character Country code for your country.
This information will be verified by your CA, is included in the Digital Certificate and will be presented to every browser that contacts your server, so it's important to have it correct when you create your KeyRing.kyr file.
Creating a KeyRing.kyr file 9
The Key Ring Created prompt will display - Click OK
Creating a KeyRing.kyr file - end
You need to create an account at your 3rd Party vendor.
You need to purchase an SSL Certificate and know your vendor's procedures for submitting a CSR.
Creating a Certificate Signing Request (CSR) 1
Open the Server Certificate Admin notes database (The same one we used to create the KeyRing.kyr file)
Creating a Certificate Signing Request (CSR) 2
Click 2. Create Certificate Request
Creating a Certificate Signing Request (CSR) 3
Type the path and name of the .kyr file
Select Paste into form on CA's site
Click Create Certificate Request
Creating a Certificate Signing Request (CSR) 4
You will be prompted for the KeyRing password; click OK.
Creating a Certificate Signing Request (CSR) 5
The Certificate Request will look as depicted below. Copy from the first dash (-)
Creating a Certificate Signing Request (CSR) 6
to the end of the last dash (-).
Press Ctrl+C to copy it into your paste buffer.
Creating a Certificate Signing Request (CSR) 7
Open Notepad and Paste the CSR into the notepad document, just in case you accidentally copy something else before you complete the 3rd Party CSR.
Creating a Certificate Signing Request (CSR) 8
Click OK on the Certificate Request Created window.
Creating a Certificate Signing Request (CSR) end
You are now ready to browse to your 3rd Party CA and complete your CSR.
Follow the instructions for requesting a certificate for your 3rd Party CA
You will receive an email from your 3rd Party CA when your SSL Certificate is complete
In most instances you will need to download your SSL Certificate from their site.
There must be a Trusted Root Certificate for your 3rd Party CA in the server's KeyRing.kyr file
The CAs listed on the left are automatically included and therefore trusted in a newly created Domino KeyRing.kyr file.
If your CA is not included in the list, their Trusted Root Certificate will need to be imported.
Note: There is a VeriSign Intermediate CA included. It may or may not be the correct one for your certificate.
Many CAs will now require an Intermediate Certificate as well as their Trusted Root.
Check your 3rd Party CA documentation for Intermediate Certificate requirements.
Trusted Root & Intermediate Certificates 2
Some CAs include their Trusted Root and Intermediate certificates in a bundle or .zip file along with your signed Digital Certificate.
If they are not included, follow the vendor's instructions and download them.
Place them in your C:\SSL subdirectory.
Trusted Root & Intermediate Certificates 3
I normally double click to open the .crt files and leave them open on my desktop so I can get the name correct when I install them into the KeyRing.kyr file.
Trusted Root & Intermediate Certificates 4
Open the Server Certificate Admin database
Trusted Root & Intermediate Certificates 5
Select 3. Install Trusted Root Certificates into Key Ring
Trusted Root & Intermediate Certificates 6
Input the path and file name of your KeyRing.kyr file.
Type the Certificate Label that will appear when you choose View & Edit Key Ring (why I keep it open on the desktop).
Select File or Clipboard as Source.
If File, input the path and file name to the retrieved signed certificate.
If Clipboard, paste into provided field.
Base64 encoding is the most common format unless your vendor specifies otherwise in their documentation.
Click Merge Trusted Root Certificate into Key Ring.
Trusted Root & Intermediate Certificates 7
You will be prompted for the Key Ring password; then click OK.
Trusted Root & Intermediate Certificates 8
Click OK on the Merge Trusted Root Certificate Confirmation.
Trusted Root & Intermediate Certificates 9
Click OK on the Certificate received into key ring and designated as trusted root prompt.
Trusted Root & Intermediate Certificates end
Intermediate Certificates
If your CA requires an Intermediate Certificate, follow the exact same steps as installing a Trusted Root Certificate.
Of course you would use a different Certificate Label and file name.
If you get a prompt like the one on the left while installing your Signed Server Certificate, it indicates that you are missing an Intermediate Certificate.
Install Server Certificate into Key Ring 1
Open the Server Certificate Admin database and Click 4. Install Certificate into Key Ring
Install Server Certificate into Key Ring 2
Input the path and file name of your KeyRing.kyr file.
Select File or Clipboard as the Certificate Source, as appropriate. Depending on your choice:
If File, input the path and file name to the retrieved signed certificate.
If Clipboard, paste into provided field.
Click Merge Certificate into Key Ring.
Install Server Certificate into Key Ring 3
Input the Key Ring password and click OK
Install Server Certificate into Key Ring 4
Click OK on the Merge Signed Certificate Confirmation prompt
Install Server Certificate into Key Ring end
Click OK on the Certificate received into key ring prompt
Copy the KeyRing.kyr and KeyRing.sth files to your server's Domino\Data directory 1
When you create a KeyRing.kyr file, a .sth file of the same name is also created; it contains the password for the associated .kyr file. Anyone who can read the .sth file can unlock the private key in the .kyr file, so protect both files with the same care as the server ID.
Browse to the C:\SSL subdirectory and copy BOTH the .kyr and .sth files.
Copy the KeyRing.kyr and KeyRing.sth files to your server's Domino\Data directory 2
Paste the KeyRing.kyr and KeyRing.sth files into your server's Domino\Data directory.
Setup SSL on the Domino Server 1
From the Domino Administrator Client
Configuration tab
Server Current Server Document
Edit Server
Note: Load Internet configuration from Server\Internet Sites documents = Disabled
This example assumes you are NOT using Internet Sites documents.
Using Internet Sites documents will be explained in the Wildcard SSL section.
Setup SSL on the Domino Server 2
Go to Ports, then Internet Ports, and input the name of your KeyRing.kyr file.
Setup SSL on the Domino Server 3
Scroll to the bottom of the page
Port 80 (standard port)
TCP/IP port Status
Redirect to SSL will automatically switch a user to SSL when they browse to the server without typing HTTPS:// at the beginning of the URL
Enforce server access settings
Select Yes to have the server honor Security Access settings on the security tab of the server document
Enable SSL port status
Choose No for the Client certificate option (we haven't issued any client certificates)
Save and Close
Setup SSL on the Domino Server 4
Restart the HTTP Server Task
Domino Admin Client Server Console
Issue the command
restart task http
Test new SSL Setup 1
Open your internet browser
Enter the URL for your server
Example:
http://hotchilies.spicyssl.com/names.nsf
You will be prompted for your name and password if you did not allow anonymous access.
SSL Setup Complete
Note: Because we selected Redirect to SSL you will be automatically switched to SSL (https://)
The Browser does not display any error prompts.
The Lock Icon displays.
Wildcard SSL Certificate 1
Let's suppose we have set up DNS entries for hotchilies.spicyssl.com and for inotes.spicyssl.com, both pointing to the same server.
When we browse to hotchilies.spicyssl.com everything is fine.
But when we browse to inotes.spicyssl.com
We get: There is a problem with this website's security certificate.
This is because the certificate was issued to hotchilies not inotes.
Wildcard SSL Certificate 2
What is a Wildcard SSL Certificate?
Secures multiple first-level sub-domains (Internet Sites or Servers) as long as they end with the same domain name.
Example:
www.spicyssl.com
hotchilies.spicyssl.com
inotes.spicyssl.com
traveler.spicyssl.com
quickr.spicyssl.com
Most browsers won't accept a Wildcard SSL Certificate for more than one level of sub-domain. In other words, a Wildcard Certificate for *.spicyssl.com will not work for inotes.mail.spicyssl.com or best.recipe.for.spicyssl.com.
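The one-level rule described above is what a browser applies when it compares the certificate's Common Name with the host in the URL. The Python below is an added example, not from the slides or from IBM, that implements that comparison in the strict form most browsers use: the asterisk must be the entire leftmost label and stands for exactly one label, so *.spicyssl.com covers inotes.spicyssl.com but not inotes.mail.spicyssl.com or the bare spicyssl.com. The site names are the deck's own examples; the function and its strictness about partial-label wildcards (such as in*.spicyssl.com) are assumptions of this example.

```python
"""Added example: hostname matching for single-host and one-level wildcard certificates."""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if the certificate's Common Name covers hostname without a browser warning."""
    cert_name = cert_name.lower().rstrip(".")   # DNS names are case-insensitive
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname             # single-host certificate: exact match only
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, appear only there,
    # and leave at least a two-label domain (no *.com style certificates).
    if cert_labels[0] != "*" or len(cert_labels) < 3 or "*" in cert_labels[1:]:
        return False
    # One level only: same label count, and every label after the wildcard identical.
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def check_sites(cert_name: str, sites) -> dict:
    """Map each planned site name to whether the certificate would cover it."""
    return {site: hostname_matches(cert_name, site) for site in sites}


if __name__ == "__main__":
    planned = ["www.spicyssl.com", "hotchilies.spicyssl.com", "inotes.spicyssl.com",
               "inotes.mail.spicyssl.com", "best.recipe.for.spicyssl.com", "spicyssl.com"]
    for site, covered in check_sites("*.spicyssl.com", planned).items():
        print(f"{site:32} {'covered' if covered else 'NOT covered'}")
```

Running check_sites against the list of hosts you intend to put behind one KeyRing before you buy the certificate shows which names would still raise the certificate error from the previous slide, and therefore whether a wildcard or a separate single-host certificate is the right purchase.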
Wildcard SSL Certificate 3
Advantages:
Can result in big savings if you have more than 3 or 4 sites to secure.
Easier to manage especially when it comes time for renewals.
Disadvantages:
If one server is compromised then all the others using that certificate are vulnerable.
Some mobile device operating systems may not recognize the wildcard character (Windows Mobile 5 for example).
3rd Party CAs offer different options:
Some allow you to create as many new or sub wildcard certificates (with the same domain name) as needed, each with a unique private key, making them just as secure as a single server certificate.
Some 3rd Party vendors limit the number of use instances of a Wildcard SSL certificate.
Read the License agreements of your CA to be sure you comply with their requirements.
Wildcard SSL Certificate 4
The process of setting up a Domino Server to use a Wildcard SSL Certificate is the same as a single server certificate.
Choose your 3rd Party CA
Create a KeyRing file*
Creating a Certificate Signing Request (CSR)
Retrieve SSL Certificate from Vendor
Trusted Root and Intermediate Certificates
Install Server SSL Certificate
Setup Domino Server for SSL
*The difference is when you create the KeyRing.kyr file.
Enter *.spicyssl.com or *.yourdomain.com as the Common Name in the Distinguished Name section.
The Domain owner will likely receive an email requesting verification of Wildcard CSR before issuing the certificate.
Creating a Wildcard KeyRing.kyr file 5
Open the Server Certificate Admin database
Create a new KeyRing.kyr file
Give the file a different name
Example:
C:\SSL\WildSpicySSL.kyr
Complete the Create Key Ring document as we did before with ONE exception, the Common Name Field
Use *.spicyssl.com (or *.yourdomain.com)
Creating a Wildcard KeyRing.kyr file 6
As long as you are sure you have entered a new Key Ring File Name,
Click on OK if you receive a WARNING prompt like the one to the left.
Click OK on the Key Ring Created prompt
Wildcard SSL Certificate 7
Follow the remaining procedures as we did for setting up SSL on a Single Server
Creating a Certificate Signing Request (CSR)
Retrieve SSL Certificate from Vendor
Trusted Root and Intermediate Certificates
Install Server SSL Certificate
Setup Domino Server for SSL, but this time we'll use Internet Sites documents
Wildcard SSL Certificate 8
Note the SubjectOrg and SubjectCommonName on the Signed Wildcard Certificate: the SubjectCommonName is *.spicyssl.com (Step 6, Install Server SSL Certificate, above).
Configure Internet Sites with SSL 9
Enable Internet Sites Documents
Edit the Server Document
Basics tab
Enable Load Internet configurations from Server\Internet Sites documents
Save and Close the server Document
Configure Internet Sites with SSL 10
Add a Web Internet Site Document
Domino Admin Client
Configuration Tab
Web
Internet Sites
Add Internet Site
Web
Configure Internet Sites with SSL 11
Complete the Basic Tab
Descriptive name for this site
Organization
Is this the Default Internet Site?
Configure Internet Sites with SSL 12
Define this site's Home URL on the Configuration Tab
Configure Internet Sites with SSL 13
Security Tab
Redirect TCP to SSL
Require Name & Password for SSL Authentication
Enter the name of your WildKeyRing.kyr in the SSL Options section
Save and Close the document
Wildcard SSL Certificate 14
Copy the WildKeyRing.kyr and WildKeyRing.sth files to the Domino server's data directory.
Open the Admin Client Server Console and enter the command Restart task HTTP.
Wildcard SSL Certificate 15
Now when we browse to inotes.spicyssl.com/redirect.nsf:
We no longer get an SSL Certificate Error.
We are prompted for a user name and password.
When we click on the lock icon:
We see the site is identified as:
inotes.spicyssl.com
The connection to the server is encrypted.
Wildcard SSL Certificate 16
By clicking View Certificate we see that the certificate was issued to:
*.spicyssl.com
Domino's Certificate Authority (CA) process
The Domino CA process can issue both Notes ID and Internet Certificates and runs as an automated process on your Domino server.
It allows you to off-load the tasks of Notes ID creation and Certificate issuing to others without giving them your certifier ids and passwords.
Internet certificate requests are processed more easily.
Maintains Issued Certificate Lists (ICL) and revocation lists.
Setting up Domino Certificate Authority
Migrate a Notes Certifier to the CA Process
Managing the CA process
Add an Internet Certifier to the CA process
Create a Certificate Request database for the Internet Certifier
Create a KeyRing.kyr file
Set up SSL on the Domino server
Install the Domino Internet Certifier Trusted Root certificate into your browser
Migrate Notes Certifier to the CA Process 1
Domino Admin client
Configuration Tab
Tools
Certification
Migrate Certifier
Migrate Notes Certifier to the CA Process 2
Click Select
Migrate Notes Certifier to the CA Process 3
Browse to the certifier being migrated and click Select
Migrate Notes Certifier to the CA Process 4
Click OK
Migrate Notes Certifier to the CA Process 5
Input certifier password and click OK
Migrate Notes Certifier to the CA Process 6
The next slides explain the options on this page.
Migrate Notes Certifier to the CA Process 7
Migrate Certifier Options
Select the server on which the certifier will run.
It is suggested that you leave the default path and name of the ICL database.
How this certifier is protected:
Encrypt Certifier ID with Server ID
This will encrypt the certifier with the server's ID. No additional password or action will be required to use this certifier. You can isolate your CA server and add a password to the server ID for added security.
Require password to activate
More secure but requires that you issue the tell ca activate command after loading the CA task.
Locking ID
High security. If you use this option, I recommend creating a special ID. Keep in mind that password expiration or Notes certificate expiration will cause issues. This option requires that you issue the tell ca unlock command on the server console.
Migrate Notes Certifier to the CA Process 8
Migrate Certifier Options
Certificate Authority Administrator (CAA)
A CAA can create and modify certifiers deployed in the Domino CA.
Only a CAA can edit the Password recovery information in a certifier.
The CAA can also add and edit the roles assigned to others.
A CAA must have at least Editor access to the Domino Directory.
Best Practice is to assign at least 2 CAAs to each certifier.
Registration Authority (RA)
Approves or denies Notes or Internet certificate requests.
Can revoke certificates that can no longer be trusted.
Must have at least Author access with Create Document privilege and User Creator role to the Domino Directory.
The main advantage of separating the roles is to off-load these tasks from the Domino or CA administrator.
If you use the Web Administrator client, the Domino server must be listed as an RA.
Migrate Notes Certifier to the CA Process 9
Add your server as an RA
Click OK
Migrate Notes Certifier to the CA Process 10
After a few seconds the Success prompt will appear.
Click OK
Migrate Notes Certifier to the CA Process 11
To start the CA process, open the Domino Admin Client Server Console and issue the load ca command.
Commands used to Manage the CA Process
The most common CA commands are:
load ca - loads the CA task on the Domino server
tell ca refresh - causes the CA task to reload the certifiers list (certifiers will need to be unlocked or activated again)
tell ca quit - stops the CA task
tell ca stat - displays summary information about the certifiers, including each certifier's number
tell ca activate certifier number - activates a specific certifier
tell ca unlock - unlocks all certifiers the ID protects
tell ca help - gives a list of all of the CA options
You can also deactivate or lock individual certifiers.
Add the CA task to the ServerTasks= line of your server's notes.ini so that the CA task will load at server startup.
Add an Internet certifier to the CA Process 1
Domino Admin client
Configuration
Tools
Registration
Internet Certifier
Add an Internet certifier to the CA Process 2
Select I want to register a new internet certifier that uses the CA process
The option I have a keyring file I want to register would be used if you had an existing Internet Certifier (R5 Certifier Key Ring) that you wanted to migrate into the CA process.
Click OK
Add an Internet certifier to the CA Process 3
On the Basics tab of the Register New Internet Certifier window, again let's use Encrypt certifier ID with the Server ID, then click Create Certifier Name.
Add an Internet certifier to the CA Process 4
The Common Name field is required.
Again, no abbreviations in the State or Province field.
You can see the Certifier Name being built as you fill in the various fields.
Click OK
Add an Internet certifier to the CA Process 5
Certificates Tab
The Include CRL distribution point extension option, enabled by default, sets an attribute that identifies the location of the Certificate Revocation List (CRL).
By clicking Detail, you will see that the location for the CRL will be LDAP on the Domino server.
Backdate certificate validity is also enabled by default. The time a CA warrants that it will keep information regarding a certificate is defined as the certificate validity period.
Add an Internet certifier to the CA Process 5
Certificates Tab continued
By default a certifier is permitted to issue certificates for all Key Usage options.
The two most common keys are checked as default:
Digital Signature
Used when authenticating data origin integrity.
Data Encipherment
Used when public key is used for encrypting user data.
Add an Internet certifier to the CA Process 6
Key Usage defines the purpose of the certificate. You can select all usages or restrict the certifier to as few usages as necessary.
Other Standard Key Usages are:
Non-repudiation - used to ensure that the sender of a message cannot deny having sent it, or the receiver deny having received it.
Key encipherment - used for the data encryption protocol in SSL and S/MIME.
Key agreement - used when sender and receiver need to derive or agree on a key without using encryption; once agreed, this key is then used to encrypt data.
Certificate signing - used for verifying a signature on public key certificates.
CRL signing - used for verifying a signature on a Certificate Revocation List.
Encipher only - must be used in conjunction with Key Agreement; the subject public key may only be used for encrypting data.
Decipher only - must be used in conjunction with Key Agreement; the subject public key may only be used for decrypting data.
Extended key usages further refine or restrict the standard key usages.
Add an Internet certifier to the CA Process 7
Key Usage defines the purpose of the certificate. You can select all usages or restrict the certifier to only a few usages, as necessary.
Examples of Applications and Required Key Usage:
SSL Client, S/MIME Signing or Object Signing require Digital Signature.
SSL Server and S/MIME Encryption require Key Encipherment.
Certificate Signing requires Certificate Signing.
Choose the options that match your certificate's purpose.
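The Key Usage rules from the last two slides (the bit meanings, the Encipher/Decipher only dependency on Key Agreement, and which application needs which usage) can be checked mechanically against a certificate's KeyUsage extension. This is an added example, not IBM's or Domino's code; it decodes the DER BIT STRING defined in RFC 5280 section 4.2.1.3 and the sample byte strings are constructed by hand rather than taken from a real certificate.

```python
"""Decode an X.509 KeyUsage extension and check it against the application
requirements listed on the slide (RFC 5280 section 4.2.1.3 bit layout).
Added example, not IBM's or Domino's code; the DER byte strings used below
are constructed by hand, not taken from a real certificate."""

# Bit positions of the KeyUsage BIT STRING, in RFC 5280 order.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

# Application -> key usage it requires, as listed on the slide.
REQUIRED_USAGE = {
    "SSL Client": {"digitalSignature"},
    "S/MIME Signing": {"digitalSignature"},
    "Object Signing": {"digitalSignature"},
    "SSL Server": {"keyEncipherment"},
    "S/MIME Encryption": {"keyEncipherment"},
    "Certificate Signing": {"keyCertSign"},
}


def decode_key_usage(der: bytes) -> set:
    """Parse a DER-encoded KeyUsage BIT STRING into a set of usage names.

    Layout: tag 0x03, short-form length, one byte with the number of unused
    trailing bits, then the bits themselves, most significant bit first.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length < 1 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    # DER requires the unused trailing bits to be zero.
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    usable_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(usable_bits, len(KEY_USAGE_BITS))):
        byte_index, bit_index = divmod(i, 8)
        if body[byte_index] & (0x80 >> bit_index):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def key_usage_problems(usages: set) -> list:
    """Return the rule violations stated on the slide (empty list means OK)."""
    problems = []
    for only in ("encipherOnly", "decipherOnly"):
        if only in usages and "keyAgreement" not in usages:
            problems.append(f"{only} requires keyAgreement")
    return problems


def suitable_for(usages: set) -> list:
    """Applications whose required key usage bits are all present."""
    return [app for app, need in REQUIRED_USAGE.items() if need <= usages]


# Constructed sample extension values (hex), not taken from real certificates.
SAMPLES = {
    "Domino default (digitalSignature + dataEncipherment)": bytes.fromhex("03020490"),
    "default plus keyEncipherment, as chosen for S/MIME": bytes.fromhex("030204b0"),
    "CA certificate (digitalSignature, keyCertSign, cRLSign)": bytes.fromhex("03020186"),
    "encipherOnly without keyAgreement (invalid per slide)": bytes.fromhex("03020001"),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        usages = decode_key_usage(der)
        print(f"{label}\n  usages:   {sorted(usages)}")
        print(f"  suits:    {suitable_for(usages)}")
        print(f"  problems: {key_usage_problems(usages) or 'none'}")
```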
Add an Internet certifier to the CA Process 8
Since we are going to be using S/MIME add Key Encipherment to the Default selection.
Add an Internet certifier to the CA Process 9
On the Misc. tab
Click Create a local copy of the certifier ID.
Set ID File path and name.
Enter the password.
Click OK on the ID file prompt and again on the Creating certifier dialog box.
In order to have the CA process pick up the new certifier enter tell ca refresh on the Domino Admin Server Console.
Create Certificate Requests database 1
From the Notes Client choose File - Application - New
Create Certificate Requests database 2
Select Server
File Name
Database Title
Choose Template server
Show advanced templates
Select Certificate Requests (8) certreq.ntf
Click OK
Create Certificate Requests database 3
When the database has been created, the About document will appear.
Review the instructions for using the Certificate Request Database.
Create Certificate Requests database 4
Select the Server and Certifier from the drop down list.
We are going to use this Certificate Request database for both Client and Server Certificates.
Set the Validity Period as desired for Client Requests.
The default Key and Extended Key Usages are adequate for our purposes.
Create Certificate Requests database 5
Select any other Key Usage keywords to suit your installation.
These are the Extended Key Usage options.
Create Certificate Requests database 6
Server Request Customization
Set the Validity Period as appropriate.
Again the default Key and Extended Key Usages can be set as desired.
If you choose Automatic as the processing method, another field Automatic Transfer Server will appear for you to specify the server running AdminP and to which requests are to be transferred.
Set Mail completed confirmation request to the requestor to Yes or No.
Click Save & Close.
Create KeyRing.kyr for server-based CA 1
Open the Certificate Requests database we just created.
In the Domino Key Ring Management folder, select Create Key Ring.
Create KeyRing.kyr for server-based CA 2
Complete the Create Key Ring form as we have in the previous examples.
Click OK on the Key Ring Created prompt when it appears.
Create KeyRing.kyr for server-based CA 3
The Trusted Root certificate for the Domino Internet CA will automatically be installed into the new KeyRing.kyr file.
Note the CA Certificate information we entered when we created the Internet Certifier appears as the Certificate Issuer in the Merge Trusted Root Certificate Confirmation dialog box.
Verify the information and Click OK.
Click OK on the Certificate received into key ring and designated as trusted root prompt.
Create KeyRing.kyr for server-based CA 4
When the Certificate Request Successfully Created for Key Ring prompt appears, click OK.
Create KeyRing.kyr for server-based CA 5
A CSR will automatically be created.
Since we selected Manual as the processing method in our Certificate Request database we must submit the request to AdminP for processing.
Open the Pending/Submitted Request view in the Certificate Request database.
Select the request.
Click Submit Selected Requests.
Click OK on the Successfully submitted prompt.
Create KeyRing.kyr for server-based CA 6
An authorized Registration Authority (RA) must open the Administration Request database and approve the request.
Certificate Request view.
Open the new request.
Create KeyRing.kyr for server-based CA 7
Verify the information.
Edit the request.
Click Approve Request.
Create KeyRing.kyr for server-based CA 8
Open the Certificate Requests database
Pending/Submitted Request view.
Select the document.
Click Pull Selected Requests.
Click OK on the Successfully pulled prompt.
Create KeyRing.kyr for server-based CA 9
Open your mail file and locate the Your certificate request has been approved message.
Copy the pickup ID to your clipboard.
Create KeyRing.kyr for server-based CA 10
Alternatively, you can open the Certificate Request Database.
Go to the Issued/Rejected Certificates view.
Open the Certificate Issued document.
Copy the Pickup ID from the Request ID field.
*Not necessary if you copied it from the email message.
Create KeyRing.kyr for server-based CA 11
Open the Certificate Request database.
Click Pickup Key Ring Certificate.
Create KeyRing.kyr for server-based CA 12
Input the path and name of your KeyRing.kyr file.
Input the password for the KeyRing.kyr file.
Paste the Pickup ID into the last field.
Click Pickup Certificate.
Verify the information on the Merge Signed Certificate Confirmation prompt.
Click OK.
Create KeyRing.kyr for server-based CA 13
Click OK on the Certificate received into key ring prompt.
Copy or FTP the KeyRing.kyr and KeyRing.sth file to the Domino\Data directory on your server.
Setup SSL on the Domino Server
The procedures are the same as listed for the single server or the Internet Sites document from previous examples.
We are going to Edit the Internet Site document we used last and replace the WildKeyRing.kyr with the DomCAKR.kyr we just created for Domino Certificate Authority.
Then issue the restart task http from the Domino Admin Client Server Console.
Install the Domino Internet Certifier Trusted Root Certificate into your browser 1
Oops! When we browse back to our server, we get the dreaded "There is a problem with this website's security certificate" error.
This is because ?????
Install the Domino Internet Certifier Trusted Root Certificate into your browser 2
The Certificate Authority that we created is not a Trusted Authority in the browser.
You can open standard http:// access and send end users a URL link to the Domino CA Certificate Request database. This database has a built-in function to accept the Domino Certificate Authority as a Trusted Root in their browser, as we are about to see.
Install the Domino Internet Certifier Trusted Root Certificate into your browser 3
Browse to the Domino CA Certificate Request database, http://hotchilies.spicyssl.com/certreq.nsf
Select Accept This Authority In Your Browser
Install the Domino Internet Certifier Trusted Root Certificate into your browser 4
If the browser displays a warning bar at the top of the window, click on it and then click Run Add-on.
Click Run on the Security Warning.
You will be returned to the Domino CA Certificate Requests database.
Click Accept This Authority In Your Browser again.
Install the Domino Internet Certifier Trusted Root Certificate into your browser 5
Click Install Certificate
Install the Domino Internet Certifier Trusted Root Certificate into your browser 6
Click Yes on the Potential Security Violation prompt.
Click Yes on the Security Warning.
Install the Domino Internet Certifier Trusted Root Certificate into your browser 7
Verify that the Domino CA Certificate was installed as a Trusted Root in your browser.
Open browser
Click Tools
Internet Options
Install the Domino Internet Certifier Trusted Root Certificate into your browser 8
On the Content tab
Select Certificates
Install the Domino Internet Certifier Trusted Root Certificate into your browser 9
Go to the Trusted Root Certification Authorities tab.
Scroll through the list and you should find your Domino CA Certificate.
* An alternate method of installing the Domino CA Trusted Root certificate is provided as Appendix 1 at the end of the presentation.
S/MIME and X.509 Certificates for secure email 1
Now that we have the Domino Certificate Authority set up with an Internet Certifier, we can create Internet Certificates for our Notes Clients.
The CA's Trusted Root Certificate must be in either the Domino Directory or the client's contact database (personal address book); however, it's much simpler for your Notes clients if it's in the Domino Directory.
As the Administrator for your domain, you must decide:
Issue Internet Certificates via the Domino Admin Client? If your primary goal is S/MIME encrypted email, you can issue Internet Certificate Requests for your Notes clients from the Domino Admin client. The CA will process the requests, add the certificates to the Person Documents and automatically import them into the Notes ID files.
Or do you want to require Client Certificates in the end users' browsers for additional access control to your Domino servers? This option requires an end user to submit a request, pick up the signed certificate from the Domino Certificate Request database and then install the certificate into their browser.
Or a combination of the two?
S/MIME and X.509 Certificates for secure email 2
Administrator adds internet certificates to the Domino Directory:
The easiest method to accomplish issuing X.509 certificates for email encryption is for the Domino Administrator to request certificates via the Domino Administrator client.
The CA adds the Internet Certificate to the user's Person Document in the Domino Directory.
When the user authenticates with their home mail server, the Internet Certificate is automatically merged into the Notes ID file.
Client Requests Cross Certificate:
If you want to use browser internet certificates for authentication and SSL encryption:
Browse to and request a certificate from the Certificate Request Database.
An RA approves the request, the CA processes the request, and Domino submits an AdminP request to add the Internet Certificate to the person document in the Domino Directory. The CA emails the end user a pickup ID and then the end user installs the certificate into their browser.
The client merges the Certificate into their Notes ID file.
S/MIME and X.509 Certificates for secure email 3
Administrator Issues Internet Certificate to the Person Document
Be sure the Domino CA process is set up and running
Open the Domino Admin Client
People & Groups Tab
People
Select names to receive Internet Certificates
S/MIME and X.509 Certificates for secure email 4
From the Menu Bar
Click Actions
Choose Add Internet Cert to Selected People.
S/MIME and X.509 Certificates for secure email 5
Choose a Certifier prompt box
Select your registration server.
Select Use the CA Process.
Select your Internet Certificate as the CA configured certifier.
Click OK.
S/MIME and X.509 Certificates for secure email 6
Review the Information in the Add Internet Certificate to Selected Entries box and click Certify.
Click OK on the Processing Statistics prompt.
S/MIME and X.509 Certificates for secure email 7
A Certificate Request is added to the AdminP database for each person selected.
S/MIME and X.509 Certificates for secure email 8
When the CA processes the Certificate Request, it then creates a Store Certificate in Domino or LDAP Directory request in the AdminP database.
S/MIME and X.509 Certificates for secure email 9
After a replication cycle completes to the user's mail server and the user accesses their mail file, Lotus Notes sees that there is an Internet Certificate available in their Person Document and automatically downloads it to their Notes ID file.
S/MIME and X.509 Certificates for secure email 10
To view the Internet Certificate information in your Notes ID:
File
Security
User Security
Enter Your Password and click Log In.
S/MIME and X.509 Certificates for secure email 11
Expand Your Identity, select Your Certificates, then choose Your Internet Certificates to view your Internet Certificate information.
S/MIME and X.509 Certificates for secure email 12
Now that you have an Internet Certificate, how do you go about exchanging Secure Email with someone else?
You have to Cross Certify and swap public keys with the other person.
You do this by sending each other a Signed email. The signature contains your public key information.
Each must store the other's public key in their Contacts database (Personal Address Book) by Adding Sender to Address Book.
Then you can send and receive S/MIME encrypted emails.
S/MIME and X.509 Certificates for secure email 13
Create and Sign an email to your associate.
After creating the message select:
Delivery Options
Sign
OK
Send
S/MIME and X.509 Certificates for secure email 14
When your associate opens the email, they will be prompted to Cross Certify with the certificate contained in your signature.
Notice that it is your ID that is doing the cross certification.
And the server to contain the certificate will be the Local names.nsf.
Click Cross certify.
S/MIME and X.509 Certificates for secure email 15
Your associate will need to add or update the information in their Contact database by:
Clicking on More
Add Sender to Contacts
If they are already in your Contacts, you will be prompted to replace the contact record that is there.
Be sure Include X.509 certificates when encountered is checked.
Click OK
S/MIME and X.509 Certificates for secure email 16
You will receive a Contacts successfully updated prompt. Click OK.
Your associate must send you a signed message so that you can cross certify with their Internet Certificate. Once you have both Cross Certified and have stored each other's public key in your Contacts databases, you can send and receive S/MIME encrypted email to each other.
S/MIME and X.509 Certificates for secure email 17
When you receive an encrypted email, your Notes client will automatically decrypt the message when opened.
The status bar at the bottom of your Notes client will display Decrypting document.
S/MIME and X.509 Certificates for secure email 18
Little Bug.
Server Configuration Document
MIME
Advanced
Advanced Outbound Message
RFC822 Phrase Handling
If this is set to Use CN as phrase for friendly email reply addresses, and you are sending your public key to a Notes client at another company, they will have issues adding your public key to their Contact database.
Links for more information
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://www.redbooks.ibm.com/abstracts/redp0046.html?Open
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf (page 66)
Frequently Asked Questions: Using SSL with Notes and Domino
http://www-01.ibm.com/support/docview.wss?uid=swg21218820
Appendices
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate Alternate Method
Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA Single Host
Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 1
Click Continue to the website (not recommended).
Then click on the Certificate Error in the browser bar.
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 2
The Untrusted Certificate explanation will appear.
Click View certificates.
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 3
Go to the Certification Path tab
Notice at the bottom of the prompt box:
This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
Double click on the Certificate Authority name, NOT the server name.
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 4
Click Install Certificate.
The Certificate Import Wizard will launch.
Click Next.
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 5
Select Place all certificates in the following store.
Click Browse.
Select Trusted Root Certification Authorities.
Click OK.
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 6
Click Next.
Then click Finish.
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 7
Click Yes on the Security Warning prompt.
Click OK on The import was successful prompt.
Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 8
Close and re-launch your browser. When you browse to your server this time you should no longer receive a security warning. You should see the Lock Icon and be prompted for your user name and password.
Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 1
Whether you are requesting a Client Certificate from a 3rd Party CA or a Domino CA, the procedures are basically the same.
Browse to the CA's website.
Request a Client Certificate.
The CA will process the Certificate Request.
The CA will notify you via email that the certificate is ready for pickup.
Browse to the CA's Pickup site.
Paste in the Pickup ID.
Install the trusted root and signed certificate into your browser.
Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 2
Browse to your Domino CA's Certificate Request database
Select Request Client Certificate
Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 3
Complete the Client Request Form.
Remember: no abbreviations in the State/Province field.
Domino defaults to a High Grade Key for client certificates.
Submit Certificate Request.
Certificate Request Has Been Submitted will display on success.
Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 4
The next 3 procedures are performed by the Registration Authority (RA).
Open Certificate Request database
Pending/Submitted Request view
Select appropriate document(s)
Click Submit Selected Requests
Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 5
Admin Request database
Certificate Request view
Open New Request document
Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 6
Click Edit Request
Click Approve Request
Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 7
Return to Certificate Request database
Pending/Submitted view
Click Pull Selected Requests
LS11 Windows 7-214.jpgClick OK
LS11 Windows 7-216.jpg
2011 IBM Corporation
Appendix 2: Requesting, Processing & Installing a Client Certificate from a Domino CA (8)
The client receives an email with the pickup ID.
Copy the pickup ID to your clipboard.
Appendix 2: Requesting, Processing & Installing a Client Certificate from a Domino CA (9)
Browse back to the Certificate Request application.
Click Pick Up Client Certificate.
Appendix 2: Requesting, Processing & Installing a Client Certificate from a Domino CA (10)
Paste the Pickup ID into the Pickup ID field.
Click Pick Up Client Certificate.
Click Install Certificate.
Appendix 2: Requesting, Processing & Installing a Client Certificate from a Domino CA (11)
Click OK.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (1)
Once a certificate has been installed into your browser, you can Export the certificate and then Import it into your Notes ID file to be used for S/MIME Secure Email.
I will be exporting and importing a VeriSign Personal Certificate in this example.
Open your browser and select Tools, then Internet Options.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (2)
On the Content tab, click Certificates.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (3)
On the Personal tab, select the certificate and click Export.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (4)
The Certificate Export Wizard will launch.
Select Yes to export the private key.
Click Next.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (5)
Select Personal Information Exchange PKCS #12 (.PFX) as the format.
Be sure to select "Include all certificates in the certification path if possible".
Click Next.
NOTE: If you fail to select "Include all certificates in the certification path if possible", the import will fail with an error when you try to import your certificate into your Notes ID, because the file then carries only your own certificate and not the issuing chain.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (6)
Input and confirm a password to protect your private key.
Click Next.
Select the folder.
Input a file name.
Click Save.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (7)
Click Next.
Review the information.
Click Finish.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (8)
Click OK on the "Exporting your private exchange key" prompt.
Click OK on the "Export successful" prompt.
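Before taking the exported file to the Notes client, it is worth confirming that it really carries the certification path, since the slides above note that a .pfx holding only your own certificate is rejected on import. The script below is an added example and is not part of the SHOW104 deck, nor a Domino or Notes tool: it uses openssl to build a throwaway demo CA and client certificate (the subjects, file names and password are all constructed for the demo), exports them once with the chain and once without, and counts the certificates in each file. The same count_certs check, pointed at a real exported .pfx with its real password, tells you whether the chain was included before you attempt the import.

```shell
#!/bin/sh
# Added example (not from the SHOW104 deck): build a throwaway CA and client
# certificate with openssl, export them as PKCS#12 two ways, and count the
# certificates each .pfx carries. A file holding only the leaf certificate is
# the case the slides warn about (chain box not ticked in the export wizard).
# Every subject, file name and the password below is constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="demo-export-password"   # constructed; stands in for the wizard's password

# Create a self-signed demo CA and a client certificate signed by it.
# stderr is silenced only to hide openssl's key-generation progress output.
make_demo_pki() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/ca.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca.key" -days 30 \
        -subj "/O=Spicy SSL Demo/CN=Demo Root CA" -out "$WORK/ca.crt"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/client.key" 2>/dev/null
    # State/Province spelled out in full, as the slides require for CA requests.
    openssl req -new -key "$WORK/client.key" \
        -subj "/C=US/ST=Massachusetts/O=Spicy SSL Demo/CN=John Doe" \
        -out "$WORK/client.csr"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/client.crt" 2>/dev/null
}

# Export the way the wizard does with the chain box ticked: leaf + issuing CA.
export_with_chain() {
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/with-chain.pfx"
}

# Export with the box left unticked: the leaf certificate only.
export_leaf_only() {
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -passout "pass:$PASS" -out "$WORK/leaf-only.pfx"
}

# Count the certificates inside a .pfx without extracting the private key.
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Succeed only when the file carries more than the leaf, i.e. a chain is present.
has_chain() {
    [ "$(count_certs "$1")" -ge 2 ]
}

demo() {
    make_demo_pki
    export_with_chain
    export_leaf_only
    echo "with-chain.pfx certificates: $(count_certs "$WORK/with-chain.pfx")"
    echo "leaf-only.pfx  certificates: $(count_certs "$WORK/leaf-only.pfx")"
    if has_chain "$WORK/leaf-only.pfx"; then
        echo "leaf-only.pfx carries a chain and is ready to import"
    else
        echo "leaf-only.pfx lacks the chain: re-export with the chain included"
    fi
}

demo
```

To check a real export, run count_certs against your own .pfx with PASS set to the password you chose in the wizard; a result of 1 means only your certificate is in the file and the export should be repeated with the chain option selected.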
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (9)
Open your Notes client and select File, Security, User Security.
Input your password.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (10)
Expand Your Identity, then Your Certificates.
Select Your Internet Certificates.
Click Get Certificates.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (11)
Select Import Internet Certificates.
Browse to the .pfx file you just exported.
Click Open.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (12)
Select PKCS 12 encoded
Click Continue
Input the password used when you exported the key.
Click OK.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (13)
Review the certificates contained in the file and select Accept All.
Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID (14)
Input your Notes password
Click Log In
Click OK.