Domino SSL Implementation and Renewal: A Survivor's Guide
- Justin Hill
- Sep 21, 2023
With the industry standard limiting SSL/TLS certificates to a one-year expiration date, a streamlined approach is needed now more than ever to keep your sites secure. At Collabsphere 2023, our very own Avery Shaffer gave a great presentation on SSL implementation and renewal, so let’s explore its key points.
Why is SSL a pain now?
Higher security with frequently changing certificates
Newly released security features are adopted faster (e.g. SHA-1 to SHA-2)
Exposed or compromised key chains are removed more quickly
The “correct” theory that if we keep changing the certificates, the site can’t be hacked
Who?
In 2015 the CA/Browser Forum voted to reduce certificate validity from 5 years to 3 years.
In 2019 they voted again to reduce certificate validity to 1 year but the vote failed.
Apple decided independently to only accept 1-year SSL validity in Safari, and everyone else followed suit.
Future Change
Google is pushing for a maximum 90-day SSL certificate validity by the end of 2024
While this 3-year validity is already a nightmare for admins, a reduction to 90 days will only make things worse.
One thing you do need to pay attention to when working with SSL keys is uniformity, because the key file name is entered in several critical places: Internet Site Documents, Internet Ports, SMTP, LDAP, IMAP etc.
We would not recommend changing the name, since there are several places where you will need to change it and that will create extra hassle for you.
Also, if you miss even one of them, the whole thing breaks, meaning even more work for you restarting the server.
SSL Purchase and Renewal
There are two ways to acquire an SSL for Domino: you can either use Domino’s built-in Let’s Encrypt or you can purchase an SSL from a third-party provider. Each of those has its own pluses and minuses.
Let’s Encrypt

Paid Certificate

Purchased SSLs
Where to buy SSL keys:
DNS Registrar
Can install keys for you if site is hosted by them
Generates the .csr and .key for you. The .key is very important since it is what you need to generate all your certificates. If you request it, they will put it on your website so you can download it and put it on your Domino server. So, make sure you get that .key because it’s important.
SSL Specialty Sites
Can purchase multi-year for cheaper, but the certificate itself still expires after one year; you will need to click the Approval button again each year.
Can pay extra for installation assistance
Managed Hosting Providers
Handles the whole process for extra cost
Receive certificates in all formats needed
Can Install on Domino environment for you
Generating your .csr and .key
Server Certificate Administration
We would not recommend you use this for the following reasons:
Does not support key size above 2048
Keyfile.key buried in Domino server
Template not available on modern Domino installations
OpenSSL
Continuously updated
Supports key size 4096
Can generate .kyr as well as convert certs to .pfx, .p12 etc.
Knowledgebase article:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0073175
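The OpenSSL route described above, as an added example that is not from the original post or the HCL KB article: generate a 4096-bit key and CSR, confirm the certificate the CA returns really belongs to that key, and bundle both into a .p12 for Certificate Manager. HOST and WORK are assumed placeholders, and the -addext option needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post or the HCL KB article).
# HOST and WORK are assumed placeholders; -addext needs OpenSSL >= 1.1.1.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-www.example.com}"

# 1. Private key. Keep this file: every renewal for this name reuses it, and
#    4096 bits is the size Server Certificate Administration cannot produce.
gen_key() {
  openssl genrsa -out "$WORK/$HOST.key" 4096 2>/dev/null
}

# 2. CSR to hand to the CA. The SAN carries the hostname; most CAs ignore CN.
gen_csr() {
  openssl req -new -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# 3. Before importing, compare the public key inside the .key with the one in
#    the issued .crt. A mismatch is the usual cause of "certificate won't load".
#    $1 = key file, $2 = cert file; returns 0 only when they match.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 4. Bundle key + cert (+ optional chain file) into PKCS#12 (.p12/.pfx).
#    $1 = key, $2 = cert, $3 = output, $4 = export password, $5 = chain (optional).
make_p12() {
  if [ -n "${5:-}" ]; then
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$5" -out "$3" -passout "pass:$4"
  else
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
  fi
}
```

Run gen_key and gen_csr, send the .csr to the CA, then call key_matches_cert on the returned .crt before make_p12 so a wrong .key is caught before it reaches Domino.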
Consistent Validation
Here is a pro tip from us to make your life easier: set up a mail-in database with just the basics, because every paid SSL will ask you for an email address for validation. That way you don’t have to worry about people leaving, changing their emails etc. You don’t always get a choice of which address is used: the CA pulls it from the WHOIS record, for example the technical contact. So, to avoid any trouble, just use a generic mail-in database address for your email validation.
Stop the headache of single user validation
People leave, emails change
Streamline validation with a generic email and mail-in database
Installation Of Purchased Key Domino 9-11
Notes 9.0.1.3 to 11 can utilize the keyring/kyrtool https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0073172
Command line tool to view, create and import certificates to .kyr format
Kyrtool installs with Notes 11 out of the box
Notes/Domino 12 switch to Certificate Manager!
Certificate Manager
The introduction of Cert Manager means no more .kyr files if you don’t want them.
Certificate Manager can import .pem, .p12 and .pfx formatted keys
As simple as copy/pasting the certificates in .pem format into a text editor and uploading
Replicated DOMAIN WIDE! Huge deal for when 90 day keys are implemented for wildcard certificates.


Let’s Encrypt!
Automated certificate management for Domino 10 and 11
Two part streamlined installation on OS and Domino
Supports Linux and Windows OS
DSAPI filter entry required on Internet Site document
Requires program document and http restart to update certificate chain
Certificates stored in data directory as .kyr/.sth
Server restart usually clears any renewal errors
Test connection with staging setting before automating
Certificate requests are rate limited and you will get timed out!
Certificate Manager
Native automated certificate management for Domino 12
One line Administrator command for installation
“load certmgr”
DSAPI filter entry required on Internet Site document
Requires a server task entry to ensure the task runs on startup
Set config ServerTasks=Replica,Router,Update,Amgr,Adminp,Sched,CalConn,RnRMgr,HTTP,LDAP,Certmgr
Replicated DOMAIN WIDE! Huge deal for if 90 day keys are implemented
Note: TLS credentials cannot be exported; the .key is encrypted.
Workaround in Domino V12 Certificate Management slides linked at the end
Cipher Security by Domino Version
SSL Labs
It’s a fantastic free tool for testing your site security which you can use for checking:
Certificate Chain
TLS Protocols Enabled
Ciphers
Handshake Simulation
You can find this great tool here: https://www.ssllabs.com/ssltest
Here are the results of a scan performed by us. You can see that things can be improved.

Once we selected them all, this is what came out on Domino 12.0.1; it deprecated all the old ciphers except for 4.

Also good to know: Domino 12.0.2 deprecated most weak/outdated ciphers, and Domino 12 disables TLS 1.0 by default.
If you have made all the changes but are still receiving an A in SSL Labs, HSTS is the answer! It was added in version 9.0.1 FP3 IF2.
This mechanism is used to prevent man-in-the-middle attacks, downgrade attacks and cookie hijacking, but its implementation comes with an error that prevents that coveted A+.
To resolve, add HTTP_HSTS_MAX_AGE=63072000 and HTTP_HSTS_INCLUDE_SUBDOMAINS=1 (for extra security) to the notes.ini.
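An added check, not from the original post, for confirming that the HSTS header your server now sends matches those notes.ini settings: check_hsts() parses a Strict-Transport-Security value and fails if max-age is missing or shorter than the 180 days SSL Labs looks for, and warns if includeSubDomains is absent; fetch_hsts() pulls the live header with curl. The hostname it takes is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies a Strict-Transport-Security
# header value against the notes.ini settings recommended above.
set -eu

# $1 = raw header value, e.g. "max-age=63072000; includeSubDomains".
# Prints a verdict; returns 0 only for a policy SSL Labs will credit.
check_hsts() {
  hdr="$1"
  # Directive names are case-insensitive; split on ';' and pick max-age.
  max_age=$(printf '%s' "$hdr" | tr -d ' ' | tr ';' '\n' \
            | awk -F= 'tolower($1)=="max-age"{print $2; exit}')
  if [ -z "$max_age" ]; then
    echo "FAIL: no max-age directive (HSTS not enabled? check HTTP_HSTS_MAX_AGE)"
    return 1
  fi
  case "$max_age" in
    *[!0-9]*) echo "FAIL: max-age '$max_age' is not a number"; return 1 ;;
  esac
  # 15552000 s = 180 days, the minimum SSL Labs treats as a long max-age.
  if [ "$max_age" -lt 15552000 ]; then
    echo "FAIL: max-age $max_age is below 180 days"
    return 1
  fi
  if ! printf '%s' "$hdr" | tr 'A-Z' 'a-z' | grep -q 'includesubdomains'; then
    echo "WARN: includeSubDomains missing (set HTTP_HSTS_INCLUDE_SUBDOMAINS=1)"
  fi
  echo "OK: max-age=$max_age"
  return 0
}

# $1 = hostname (assumed placeholder). Only the HTTPS response carries HSTS,
# so the probe must go over TLS; prints the header value or nothing.
fetch_hsts() {
  curl -sI --max-time 10 "https://$1/" \
    | awk -F': ' 'tolower($1)=="strict-transport-security"{print $2}' | tr -d '\r'
}
```

Usage: check_hsts "$(fetch_hsts www.example.com)" after the HTTP restart; with the settings above it should print OK: max-age=63072000.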
Check out Darren’s blog for more info:
One other note is that TLS 1.3 is currently not supported by any version of Domino.
HCL has stated it is on the roadmap, but we have no release date as of now.
Bonus Tips!
If after you have checked and cleaned up your ciphers you still get this error:

Make sure you check the hidden views because most likely that is where the trouble is.
So: Configuration → Current Server Document, disable Internet Site Documents, then save.
Ports → Internet Ports → TLS Ciphers
To achieve an A+ in SSL Labs disable all but the top four.

Certmgr – Port 80 Error
Certmgr auto renewal requires port 80 to be open
Settings that redirect traffic to 443 will break this process
Setting Anonymous access to no will also break auto renewal

Utilizing A Purchased SSL Key For Nomad
As of Domino 12.0.1FP1, HCL Nomad can be installed directly on the Domino server instance
During the initial set up, Nomad will look for/install Certmgr and create a nomad.<yourdomain>.com entry
To utilize your own purchased certificate, install Certmgr and set up nomad.<yourdomain>.com prior to installation.
This is not a requirement just a way to skip the extra step of having to modify/recreate the entry
Ciphers Not Updating After HTTP Restart
If, no matter what you change your Domino ciphers to, the change does not show up in SSL Labs,
check for proxy and passthru servers in the environment that may be handling the TLS encryption of the traffic.

Certificate Manager Renewal Deterred by Redirects
Redirect Rules can interfere with certmgr renewal, throwing a port 80 connection error
Workaround – Temporarily disable Internet Site Documents → restart http → re-run the renewal
Yes, this will break the auto-renew feature while the redirect is in place
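An added example, not from the original post, covering both the port 80 error above and the redirect issue here: a probe of the ACME challenge path on port 80 that reports whether a redirect to 443 or a missing Anonymous access would stop certmgr renewal, so you can find the culprit before disabling Internet Site Documents. The hostname is an assumed placeholder, and the path used is the standard ACME HTTP-01 location.

```shell
#!/bin/sh
# Added example, not from the original post. Certmgr (ACME HTTP-01) needs the
# CA to fetch http://<host>/.well-known/acme-challenge/<token> on port 80
# directly: no redirect to 443 and no login prompt. Hostname is a placeholder.
set -eu

# $1 = HTTP status code, $2 = redirect target (may be empty).
# Prints a diagnosis; returns 0 only when port 80 answers the way certmgr needs.
classify_response() {
  case "$1" in
    200|404)
      # 404 for a made-up token is fine: the HTTP task served the path itself.
      echo "OK: port 80 answers directly (status $1)"; return 0 ;;
    301|302|307|308)
      echo "FAIL: redirected to '$2' (redirect rule or Internet Site sends port 80 to 443)"
      return 1 ;;
    401|403)
      echo "FAIL: status $1, Anonymous access is probably set to No"; return 1 ;;
    000)
      echo "FAIL: no answer on port 80 (firewall, or HTTP not listening on 80)"
      return 1 ;;
    *)
      echo "FAIL: unexpected status $1"; return 1 ;;
  esac
}

# $1 = hostname. -o /dev/null drops the body; %{http_code} and %{redirect_url}
# are exactly the two values classify_response needs. A random token is used
# so we never hit a real challenge file.
probe_acme_path() {
  out=$(curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' \
        "http://$1/.well-known/acme-challenge/probe-$$" 2>/dev/null || true)
  set -- ${out:-000}
  classify_response "$1" "${2:-}"
}
```

Run probe_acme_path on the host named in the certmgr TLS credentials document; a FAIL with a redirect target is the case the workaround above addresses.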
For any of your SSL trouble, Prominic is just an email away, so let’s talk and see how we can help you.