With the industry standard now limiting SSL/TLS certificates to a one-year expiration date, a streamlined approach is needed more than ever to keep your sites secure. At Collabsphere 2023, our very own Avery Shaffer gave a great presentation on SSL implementation and renewal, so let’s explore the key points from it.
Why is SSL a pain now?
- Higher security with frequently changing certificates
- Newly released security features are adopted faster (e.g. SHA-1 to SHA-2)
- Exposed or compromised key chains removed quicker
- The “correct” theory that if we keep changing the certificates, the site can’t be hacked
- In 2015 the CA/Browser Forum voted to reduce certificate validity from 5 years to 3 years.
- In 2019 they voted again to reduce certificate validity to 1 year but the vote failed.
- Apple decided independently to only allow 1 year SSL validity for Safari browsers, and everyone followed suit.
- Google is pushing for maximum 90 day SSL key expiration by the end of 2024
While a 3 year validity is already a nightmare for admins, a reduction to 90 days will only make things worse.
One thing you do need to pay attention to when working with SSL keys is uniformity, because the key name is entered in several critical places: Internet Site Documents, Internet Ports, SMTP, LDAP, IMAP etc.
We would not recommend changing the name, since you would need to change it in every one of those places and it will create extra hassle for you.
Also, if you miss only one, the whole thing will break, meaning even more work for you, including restarting the server.
SSL Purchase and Renewal
There are two ways to acquire an SSL for Domino: you can either use Domino’s built-in Let’s Encrypt or you can purchase an SSL from a third-party provider. Each of those has its own pluses and minuses.
Where to buy SSL keys:
- Can install keys for you if site is hosted by them
- Generates the .csr and .key for you. The .key is very important because it is what you need to generate all your certificates. If you request it, they will put it on your website so you can take it and install it on your Domino server. Make sure you get that .key, because it’s important.
SSL Specialty Sites
- Can purchase multi-year for cheaper (the SSL certificate still expires in one year). A note here: it will still expire after one year, and you will need to click the Approval button again.
- Can pay extra for installation assistance
Managed Hosting Providers
- Handles the whole process for extra cost
- Receive certificates in all formats needed
- Can Install on Domino environment for you
Generating your .csr and .key
Server Certificate Administration
We would not recommend you use this for the following reasons:
- Does not support key sizes above 2048
- Keyfile.key buried in Domino server
- Template not available on modern Domino installations
- Continuously updated
- Supports key size 4096
- Can generate .kyr as well as convert certs to .pfx, .p12 etc.
- Knowledgebase article:
Here is a pro tip from us to make your life easier: set up a mail-in database with just the basics, because every paid SSL provider will ask you for an email address. That way you don’t have to worry about people leaving, changing their emails etc. You don’t get a choice of which address is used: it is pulled from the Whois document, for example the technical contact. So, to avoid any trouble, just use a generic mail-in database to receive your email validation.
- Stop the headache of single user validation
- People leave, emails change
- Streamline validation with a generic email and mail-in database
Installation Of Purchased Key Domino 9-11
- Notes 9 to 11 can utilize the keyring/kyrtool https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0073172
- Command line tool to view, create and import certificates to .kyr format
- Kyrtool installs with Notes 11 out of the box
- Notes/Domino 12 switch to Certificate Manager!
The introduction of Certificate Manager means you no longer need .kyr files if you don’t want them.
- Certificate Manager can import .pem, .p12 and .pfx formatted keys
- As simple as copying/pasting the certificates in .pem format into Notepad and uploading
- Replicated DOMAIN WIDE! Huge deal for when 90 day keys are implemented for wildcard certificates.
- Automated certificate management for Domino 10 and 11
- Two part streamlined installation on OS and Domino
- Supports Linux and Windows OS
- DSAPI filter entry required on the Internet Site document
- Requires program document and http restart to update certificate chain
- Certificates stored in data directory as .kyr/.sth
- Server restart usually clears any renewal errors
- Test connection with staging setting before automating
- Certificate requests are limited, and you will get timed out!
- Native automated certificate management for Domino 12
- One line Administrator command for installation: “load certmgr”
- DSAPI filter entry required on the Internet Site document
- Requires a server task entry to ensure the task runs on startup
- Set config ServerTasks=Replica,Router,Update,Amgr,Adminp,Sched,CalConn,RnRMgr,HTTP,LDAP,Certmgr
- Replicated DOMAIN WIDE! Huge deal for if 90 day keys are implemented
- Note: TLS credentials cannot be exported; the .key is encrypted
- Workaround in the Domino V12 Certificate Management slides linked at the end
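The ServerTasks entry above is the step most often missed when Certmgr is added by hand. As an added example (not code from the presentation), this small Python helper appends Certmgr to the ServerTasks line of a notes.ini idempotently, so it can be run on every deploy without duplicating the task; the sample ini text is constructed.

```python
import re

# Matches the ServerTasks= line of notes.ini (the key is case-insensitive).
SERVERTASKS_RE = re.compile(r"^(\s*ServerTasks\s*=)(.*)$", re.IGNORECASE)


def server_tasks(ini_text: str) -> list:
    """Return the ServerTasks list, or [] if the line is absent."""
    for line in ini_text.splitlines():
        m = SERVERTASKS_RE.match(line)
        if m:
            return [t.strip() for t in m.group(2).split(",") if t.strip()]
    return []


def ensure_server_task(ini_text: str, task: str = "Certmgr") -> str:
    """Return ini_text with `task` appended to ServerTasks when it is missing.

    Task names are compared case-insensitively, existing order is preserved
    and an already-correct file comes back unchanged. A ServerTasks line is
    added if there is none.
    """
    lines = ini_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        m = SERVERTASKS_RE.match(line)
        if not m:
            continue
        found = True
        tasks = [t.strip() for t in m.group(2).split(",") if t.strip()]
        if task.lower() not in (t.lower() for t in tasks):
            tasks.append(task)
            lines[i] = m.group(1) + ",".join(tasks)
    if not found:
        lines.append(f"ServerTasks={task}")
    return "\n".join(lines) + "\n"


# Constructed sample: the task list from the slide above, before Certmgr.
SAMPLE_INI = (
    "[Notes]\n"
    "ServerTasks=Replica,Router,Update,Amgr,Adminp,Sched,CalConn,RnRMgr,HTTP,LDAP\n"
    "HTTP_HSTS_MAX_AGE=63072000\n"
)

if __name__ == "__main__":
    print(ensure_server_task(SAMPLE_INI), end="")
```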
Cipher Security by Domino Version
SSL Labs is a fantastic free tool for testing your site security which you can use for checking:
- Certificate Chain
- TLS Protocols Enabled
- Handshake Simulation
You can find this great tool here: https://www.ssllabs.com/ssltest
Here are the results of a scan performed by us. You can see that things can be improved.
Once we selected them all, this is what came out on Domino 12.0.1: it deprecated all the old ciphers except for 4.
Also good to know: Domino 12.0.2 deprecated most weak/outdated ciphers, and Domino 12 disables TLS 1.0 by default.
If you have made all the changes but are still receiving an A in SSL Labs, HSTS is the answer! It was added in version 9.0.1 FP3 IF2.
This mechanism is used to prevent man-in-the-middle attacks, downgrade attacks and cookie hijacking, but its implementation comes with an error preventing that coveted A+.
To resolve, add HTTP_HSTS_MAX_AGE=63072000 and HTTP_HSTS_INCLUDE_SUBDOMAINS=1 (for extra security) to the notes.ini.
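To confirm the settings above actually reach the browser, the Strict-Transport-Security header the server sends can be checked against the same policy (max-age of 63072000 with includeSubDomains). The following Python checker is an added example, not from the presentation; the header values it evaluates are constructed samples standing in for real responses.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Two years, the HTTP_HSTS_MAX_AGE value recommended above.
RECOMMENDED_MAX_AGE = 63072000


@dataclass
class HstsPolicy:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)


def parse_hsts(header: str | None) -> HstsPolicy:
    """Parse an STS header value per RFC 6797: directives are ';' separated,
    names are case-insensitive and the max-age value may be quoted."""
    policy = HstsPolicy()
    if not header:
        policy.problems.append("no Strict-Transport-Security header sent")
        return policy
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            policy.max_age = int(value) if value.isdigit() else None
            if policy.max_age is None:
                policy.problems.append(f"max-age is not a number: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None and not policy.problems:
        policy.problems.append("max-age directive missing")
    return policy


def check_hsts(header: str | None, min_age: int = RECOMMENDED_MAX_AGE) -> list[str]:
    """Return findings against the target policy; an empty list means it passes."""
    policy = parse_hsts(header)
    if policy.max_age is not None and policy.max_age < min_age:
        policy.problems.append(f"max-age {policy.max_age} is below {min_age}")
    if not policy.include_subdomains:
        policy.problems.append("includeSubDomains not set")
    return policy.problems


# Constructed sample header values standing in for real server responses.
SAMPLES = {"hardened": "max-age=63072000; includeSubDomains",
           "short": "max-age=300", "missing": None}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, check_hsts(hdr) or "OK")
```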
Check out Darren’s blog for more info:
One other note is that TLS 1.3 is currently not supported by any version of Domino.
HCL has stated it is on the roadmap, but there is no release date as of now.
If after you have checked and cleaned up your ciphers you still get this error:
Make sure you check the hidden views because most likely that is where the trouble is.
Go to Configuration → Current Server Document, disable Internet Site Documents, then save.
Then go to Ports → Internet Ports → TLS Ciphers.
To achieve an A+ in SSL Labs disable all but the top four.
Certmgr – Port 80 Error
- Certmgr auto-renewal requires port 80 to be open
- Settings that redirect traffic to 443 will break this process
- Setting Anonymous access to No will also break auto-renewal
Utilizing A Purchased SSL Key For Nomad
- As of Domino 12.0.1 FP1, HCL Nomad can be installed directly on the Domino server instance
- During the initial set up, Nomad will look for/install Certmgr and create a nomad.<yourdomain>.com entry
- To utilize your own purchased certificate, install Certmgr and set up nomad.<yourdomain>.com prior to installation.
- This is not a requirement, just a way to skip the extra step of having to modify/recreate the entry
Ciphers Not Updating After HTTP Restart
If, no matter what you change your Domino ciphers to, the change is not reflected in SSL Labs,
check for proxy and passthru servers in the environment that may be handling the TLS encryption of the traffic.
Certificate Manager Renewal Deterred by Redirects
- Redirect Rules can interfere with certmgr renewal, throwing a port 80 connection error
- Workaround: temporarily disable Internet Site Documents → restart HTTP → re-run the renewal
- Yes, this will break the auto-renew feature while the redirect is in place
We recommend you also watch the recording of Avery’s presentation, it’s filled with lots of fun and animal images. 🙂