Support SSL/TLS Java connections with RSA >2048 on IBM Domino

When executing Java code on the Domino server to connect to an SSL/TLS site, you may encounter errors, such as The problem is that the IBM Domino server (at least up to 9.0.1 FP3) ships with default Java policies which prevent SSL/TLS connections using certificates with RSA keys larger than 2048 bits. The solution is simple: … Read more

Create IBM Domino keyring file with SHA-256 signed certificates

The following article may help you with the creation of SHA-256 keyring files for IBM Domino. Step 1: Verify prerequisites IBM Domino 9.0.1 FP2 IF1 or higher (for SHA-256 support) IBM Domino kyrtool installed (http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0&source=fc) Access to a Mac OS X or Linux workstation (for the OpenSSL command line tool) Step 2: On workstation with Mac … Read more

Add a root certificate to IBM Domino JVM keystore

Sometimes it is necessary to add a root certificate to the Domino JVM (Java Virtual Machine) keystore file. This can easily be done with the already installed tool „IBM Key Management“: Open a command prompt window with administrator privileges on the Domino server cd \(Domino-Program-Directory)\jvm\bin ikeyman Click „Key Database File“ and then „Open“. Select the file … Read more

Show used SSL/TLS certificates for a given server

If you need to check which SSL/TLS certificates a given server is using, you may issue the „openssl“ command in Mac OS X. Example: In this example, the openssl command performs an SSL connect to port 995 on the host pop1.1und1.de and outputs, among many other things, the certificate (Thawte) used. This information may … Read more

How to import a wildcard SSL certificate (PFX/P12) into IBM Domino

Sometimes, it is quite complicated to import a wildcard SSL certificate into an IBM Domino keyring file. This happened to me with certificates from StartCom. Since the Domino Server Certificate Administration database does not create CSR requests with the newer hash algorithms required by some CAs, I was forced to create the key pairs through the … Read more