Lotusphere 2011 SHOW104

Upload: workflowstudios

Post on 16-Apr-2017

TRANSCRIPT

SHOW104
Crispy Certificates with Spicy SSL Salsa

2011 IBM Corporation

Tom Truitt | Sr IT Specialist | WorkFlow Studios

Legal

This slide presentation may contain the following copyrighted, trademarked, and/or restricted terms:

IBM Lotus Domino, IBM Lotus Notes, IBM Lotus Symphony, LotusScript

Microsoft Windows, Internet Explorer, Microsoft Office

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Symantec Corporation, VeriSign, Inc., Thawte, Inc., GeoTrust, GoDaddy.com, Inc.

Legal Disclaimer

IBM Corporation 2011. All Rights Reserved.The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBMs current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBMs sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.Other company, product, or service names may be trademarks or service marks of others.All references to Spicy SSL refer to a fictitious company and are used for illustration purposes only.

Session Goals

Learn what SSL and X.509 certificates are, and why you use them.

Learn what a Wildcard certificate is and how it potentially saves your organization money and maintenance hassle.

Learn the difference between self-certifying and using a 3rd Party certificate authority and why you'd want to pay for the 3rd Party.

Learn how to send and receive encrypted email for secure communications.

Learn the step-by-step process of setting up all of these certificate types in your Domino environment.

Assumptions

You have installed and have working knowledge of the Lotus Notes Administration Client.

You have Create Database privileges in your Domino environment.

You have at least Editor access to the Domino Directory with NetCreator and UserCreator roles.

Your Notes Client Location Document must be set for server based mail, not local, otherwise you will receive errors when creating or modifying certificates.

Agenda

It's a matter of Trust & Security

Or why Certificates and SSL are necessary

Definitions

Using 3rd Party Certificate Authorities

Single Host

Multi Host with Wildcard SSL Certificate

Domino's Certificate Authority (CA) process

Migrating a Notes Certifier to the Domino CA

Adding an Internet Certifier to the Domino CA

Secure Email with S/MIME and X.509 Certificates

Q & A

Don't forget your evaluations

It's a matter of Trust & Security

Who do you trust?

How do you verify that you are connected to a server that is actually at a particular business or site?

Certificates validate identity. Like a company badge to get into your office or a driver's license or passport to get through security at the airport.

Who would eavesdrop on the Internet Party Line?

Standard Internet protocols such as HTTP and SMTP transmit everything, passwords included, as plain text.

If someone intercepts the traffic, nothing prevents them from reading the entire content of that communication.

With encryption, one end of the communication encrypts the traffic and the other end decrypts it.

Certificates bind a public key to an identity; that key is used to authenticate the server and to agree on the session keys that encrypt the traffic.

Definitions to keep in mind

Secure Sockets Layer (SSL) & Transport Layer Security (TLS)

Public Key Infrastructure (PKI)

Certificate Authority (CA)

Certificate Signing Request (CSR)

X.509 Digital Certificate or Public Key Certificate (PKC)

Secure Sockets Layer (SSL) & Transport Layer Security (TLS)

SSL & TLS are cryptographic* protocols that provide authenticated, encrypted communication over the Internet.

SSL, originally developed by Netscape, is widely used to do two things:

Validate the identity of a Web site

Encrypt the connection so that personal data can be sent over the Internet

TLS, the successor protocol defined by the Internet Engineering Task Force (IETF), is based on SSL 3.0. TLS uses digital certificates to authenticate the server and, optionally, the client.

With the RSA key exchange, the TLS client encrypts a random value (the pre-master secret) with the server's public key and sends it to the server. That value, combined with the random numbers the two sides exchanged earlier, is used to derive the session keys that encrypt the rest of the exchange.

Look for the Lock icon in your browser. A closed lock means the certificate chains to a root the browser trusts and the connection is encrypted; it says nothing about whether the site behind it is honest.

*Cryptography is the process of converting data into a secret code for transmission. In other words, plain text is converted into cipher text by an encryption algorithm.

Typical SSL Handshake Negotiation Process

The two sides acknowledge each other: the browser sends the list of cipher suites it supports and a random number to the web server.

The server replies with the cipher suite to use, its own random number and its digital certificate.

The browser verifies that it trusts the server's certificate (valid chain to a trusted root, not expired, name matches the host) and extracts the server's public key. It then uses that public key to encrypt a pre-master secret and sends it to the server.

Both client and server use the pre-master secret and the exchanged random numbers to derive the secret session keys for the rest of the session, then exchange Finished messages containing a keyed hash of the whole handshake so that any tampering with the negotiation is detected.
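
The key-derivation step of that handshake, as an added example that is not part of the original deck: it implements the TLS 1.2 PRF from RFC 5246 (sections 5, 6.3 and 8.1) with only the Python standard library, so you can see exactly how the pre-master secret and the two random numbers turn into the session keys. The RSA step is not shown; the block assumes both sides already share a constructed pre-master secret, and the random values and key sizes (those of TLS_RSA_WITH_AES_128_CBC_SHA) are chosen for the example.

```python
# Added example, not code from the Lotusphere deck or from Domino: the TLS 1.2
# key derivation (RFC 5246) run by both handshake participants once the
# pre-master secret is known.  Standard library only.
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function from RFC 5246 section 5."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()       # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """key_block = PRF(master, "key expansion", ServerHello.random + ClientHello.random).
    Note the randoms are concatenated in the opposite order from master_secret()."""
    return prf(master, b"key expansion", server_random + client_random, length)


def split_keys(block: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Carve the key block into the six pieces in the order of RFC 5246 section 6.3."""
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Everything one side computes after the pre-master secret is known.
    Sizes are for TLS_RSA_WITH_AES_128_CBC_SHA: 20-byte HMAC-SHA1 keys,
    16-byte AES-128 keys and 16-byte IVs (assumed cipher suite for the example)."""
    master = master_secret(pre_master, client_random, server_random)
    block = key_block(master, client_random, server_random, 2 * (20 + 16 + 16))
    return split_keys(block, 20, 16, 16)


# Constructed handshake values (NOT captured from a real connection).  Real
# randoms are 32 bytes; the RSA pre-master secret is 48 bytes and starts with
# the client's protocol version (0x03 0x03 = TLS 1.2).
CLIENT_RANDOM = bytes.fromhex("11" * 32)
SERVER_RANDOM = bytes.fromhex("22" * 32)
PRE_MASTER = b"\x03\x03" + bytes.fromhex("33" * 46)


def both_sides_agree() -> bool:
    """Client and server run the derivation independently and must end up with
    identical keys.  A different ServerHello.random (for example a captured
    ClientKeyExchange replayed into a new session) yields unrelated keys, which
    is what the exchanged randoms are for."""
    client_view = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_view = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    replayed = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, os.urandom(32))
    return client_view == server_view and client_view["client_key"] != replayed["client_key"]


if __name__ == "__main__":
    for name, value in derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:11s} {value.hex()}")
    print("both sides agree:", both_sides_agree())
```

The order of the random values in the two PRF calls is the detail most often got wrong when this is re-implemented; the server's random goes first only in the key-expansion step.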

Public Key Infrastructure (PKI)

A framework for creating a secure method of exchanging electronic information based on public key cryptography.

The base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.

PKIs are based on the public/private key pair of the CA's Root Key.

The subject's public key, known to everyone, is used to encrypt data sent to the subject and to verify the subject's signatures.

The private or secret key, held only by the subject, decrypts that data and creates the signatures.

If the private key of the CA's Root Key is ever compromised, all the digital certificates created by that CA are vulnerable, because anyone holding it can issue certificates that clients will trust.

The Key Size defines how hard the private key is to recover from the public key. For RSA, the larger the modulus, the harder it is to factor.

Common RSA Key Sizes are:

512, 1024 and 2048 bits. 512-bit keys have been factored publicly and 1024-bit keys are no longer accepted by public CAs, so use 2048 bits or more.

Certificate Authorities (CA)s

As stated above, The base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.

There are two types of CAs:

Trusted 3rd Party or Commercial CAs which charge to issue certificates. Their Trusted Root certificates are included in most internet browsers.

Think of a passport issued by your country's passport authority.

Self Signed or Closed System where your company is its own CA. You control the Root Certificate for the organization.

Think of your company issued ID badge that lets you into your office building.

Trusted 3rd Party Certificate Authorities (CA)s

Over 300 Trusted CAs are included in Internet Explorer on Windows XP.

Most browsers already trust these authorities, so end user configuration is not required.

If the certifier is pre-configured as trusted in the email system, external mail client configuration is reduced.

Overall, the cost of supporting a 3rd Party System can be less than that of a Closed System.

Examples of 3rd Party CAs:

VeriSign, recently acquired by Symantec, has long been highly trusted by consumers. VeriSign also owns GeoTrust and Thawte; combined they make up the largest CA group*.

Go Daddy has grown rapidly over the last few years due to their aggressive pricing model and holds the number two position per netcraft.com

Many other Trusted 3rd Party CAs are listed at the site below

* https://ssl.netcraft.com/ssl-sample-report//CMatch/certs

Self Signed or Closed System (CA)s

You or your organization control all certificates including the Root Certificate.

You control who you issue certificates to.

Think of Photos on ID badges.

You manage the certificate structure, naming, validation and expiration.

The major problem with a Closed CA is that it requires equipment and personnel to manage the process and to configure every end user workstation to trust your root.

Think of your Security Department that takes photos and issues Corporate Security badges.

Certificate Signing Request (CSR)

A CSR is an application submitted to a CA for a computer or individual to obtain a digital certificate.

The request includes information identifying the applicant and the public key that is generated from a public/private key pair.

X.509 Digital Certificate

AKA Digital ID or Public Key Certificate (PKC)

X.509 is an ITU-T (International Telecommunication Union, Telecommunication Standardization Sector) standard for public key infrastructure (PKI). It specifies standard formats for public key certificates, certificate validation and certificate revocation lists.

Digital Certificates are issued by a CA after the CA has verified that the public key belongs to a specific subject.

A Digital Certificate contains both CA and subject information including the subject's public key. The CA signs the certificate by computing a digest (hash) of all the fields in the certificate and then applying its private key to that digest; for RSA this is loosely described as encrypting the digest with the private key.

The result is called a digital signature, and when it is placed into the X.509 certificate, the certificate is said to be signed. Anyone holding the CA's public key can recompute the digest and check it against the signature, so any change to a signed field is detected.

It's the digital equivalent of your ID card, driver's license or passport.
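
The sign-and-verify step just described, as an added example that is not part of the original deck: the to-be-signed fields are hashed, the CA applies its private key to the digest, and a relying party recovers the digest with the CA's public key and compares it with a fresh hash. Textbook RSA with two Mersenne primes stands in for a real 2048-bit CA key; there is no PKCS#1 padding and no ASN.1/DER encoding, and the certificate contents (for the deck's fictitious spicyssl.com) are constructed, so this is for illustration of the mechanism only.

```python
# Added example, not code from the Lotusphere deck or from Domino: how a CA
# signature binds every field of a certificate, using unpadded "textbook" RSA
# with toy-sized keys.  Real CAs use 2048-bit or larger keys with PKCS#1
# padding (v1.5 or PSS) over a DER-encoded TBSCertificate.
import hashlib

# Toy CA key pair.  2^127-1 and 2^107-1 are known primes; the modulus is about
# 234 bits, so a 224-bit SHA-224 digest is always smaller than n.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)


def tbs_bytes(fields: dict) -> bytes:
    """Deterministic serialisation of the to-be-signed fields (a stand-in for
    DER).  Keys are sorted so both signer and verifier hash identical bytes."""
    return "\n".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def digest(fields: dict) -> int:
    return int.from_bytes(hashlib.sha224(tbs_bytes(fields)).digest(), "big")


def ca_sign(fields: dict, d: int = D, n: int = N) -> int:
    """CA side: signature = digest^d mod n ("encrypt the digest with the private key")."""
    return pow(digest(fields), d, n)


def verify(fields: dict, signature: int, e: int = E, n: int = N) -> bool:
    """Relying-party side: recover the digest with the public key and compare it
    with a fresh hash of the certificate fields."""
    return pow(signature, e, n) == digest(fields)


# Constructed certificate contents (fictitious, following the deck's example).
SPICY_CERT = {
    "issuer": "CN=Spicy SSL Root CA,O=Spicy SSL",
    "subject": "CN=hotchilies.spicyssl.com,O=Spicy SSL,C=US",
    "subject_public_key": "rsaEncryption, 2048-bit modulus (placeholder text)",
    "not_before": "2011-01-31",
    "not_after": "2012-01-31",
}


def tamper_detected() -> bool:
    """Changing any signed field (here: extending the validity period) breaks the
    signature.  That is why trust rests on the CA's signature, not on the fields."""
    sig = ca_sign(SPICY_CERT)
    forged = dict(SPICY_CERT, not_after="2099-01-31")
    return verify(SPICY_CERT, sig) and not verify(forged, sig)


if __name__ == "__main__":
    sig = ca_sign(SPICY_CERT)
    print("signature:", hex(sig)[:40], "...")
    print("valid:", verify(SPICY_CERT, sig), "| tamper detected:", tamper_detected())
```

Note what the check does not cover: verify() only proves the CA signed these fields. Whether that CA is one you trust, whether the certificate is still within its validity dates, whether it has been revoked, and whether the subject name matches the host you connected to are separate checks a client still has to make.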

Configuring your Domino server with a 3rd Party SSL Certificate

Choosing your 3rd Party CA

Create a KeyRing file

Creating a Certificate Signing Request (CSR)

Retrieve SSL Certificate from Vendor

Trusted Root and Intermediate Certificates

Install Server SSL Certificate

Setup Domino Server for SSL

Choosing your 3rd Party CA & Certificate

There are literally hundreds of 3rd Party CAs.

Things to consider when selecting you 3rd Party CA are:

What type of transactions will this server be handling?

Online commerce sites should have the strongest level of encryption and assurance that you can afford.

In-house, training and utility servers might be able to use a less costly certificate.

Issuance Speed

SSL Certificate Warranty

Website Security Seals

Customer Support

It's really up to you to determine the best vendor for your needs. Cryptographically, an SSL Certificate (assuming the same Key Strength) works the same whether it is created by a Self Signed CA or is a premium certificate from a well known CA. The real difference is who vouches for the identity: browsers and mail clients already trust the well known CA's root, whereas a self-signed or in-house root has to be distributed to every client first. Beyond that, vendors differ in how thoroughly they validate the organization, in warranty and in support, and much of the rest is perception and marketing.

Creating a KeyRing.kyr file 1

Create a New Folder off the root of your C:\ drive with a short folder name. My suggestion is C:\SSL (You will be typing this path several times in the near future). Restrict the folder's permissions to the administrators who need it: the Key Ring you are about to create there holds the server's private key.

Creating a KeyRing.kyr file 2

From your Notes Client, select File > Open > Lotus Notes Application.

Look in: Your Server

Select Server Certificate Admin (certsrv.nsf)

Click Open

Creating a KeyRing.kyr file 3

When the application opens, select 1. Create Key Ring

Creating a KeyRing.kyr file 4

Type the full path and file name; it must end with .kyr

Input and confirm the password.

Click on the Key Size drop down.

Key Size 5

The larger the key size, the more work an attacker needs to recover the private key (for RSA, by factoring the modulus), and therefore the less likely the key will be broken during its lifetime.

Given the advances in computing power, 1024-bit RSA keys are expected to become practical to break; NIST already disallows them for new use after 2013.

Some 3rd Party CAs will no longer accept a CSR with a key size below 2048 bits, and others are currently in the process of phasing out their lower sized certificates.

Keep in mind this can cause issues when you renew existing certificates of lower key strength: because the key pair lives in the Key Ring, you will be required to create a new Key Ring file and CSR for those servers.

The National Institute of Standards and Technology (NIST) of the US Government recommends that certificates issued after 2010 use a key length of at least 2048 bits.

http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf

Beware - some older browsers and devices cannot handle 2048-bit keys.

Creating a KeyRing.kyr file 6

Select 2048 as the Key Size

Creating a KeyRing.kyr file 7

Complete the required and optional fields.

Common Name (DNS Server Name)

Organization and Optional fields

NO ABBREVIATIONS in the State or Province field

2 character country code

Click Create Key Ring

Creating a KeyRing.kyr file 8

The KeyRing file name can be anything you want but it must end with .kyr extension.

Write down the password of the KeyRing.kyr file and store it somewhere controlled (a password manager, or a sealed envelope in a safe). You are going to need the password again when it comes time to renew the certificate.

If you are getting a single server certificate, the Common Name is the fully qualified host name to which the server responds (for example hotchilies.spicyssl.com, without any path). A single-character mistake will cause a name mismatch warning when the certificate is presented to the browser. Current browsers match the host name against the Subject Alternative Name extension rather than the Common Name; public CAs populate that extension from the Common Name in your CSR, so the Common Name must still be exactly right.

The Organization (and optional Organization Unit) fields must be completed as accurately as possible with the legal name of the company.

Use the City and State of the Organization's address and NO ABBREVIATIONS in the State or Province name.

Enter the standard 2 character Country code for your country.

This information will be verified by your CA, is included in the Digital Certificate and will be presented to every browser that contacts your server, so it's important to have it correct when you create your KeyRing.kyr file.

Creating a KeyRing.kyr file 9

The Key Ring Created prompt will display - Click OK

Creating a KeyRing.kyr file - end

You need to create an account at your 3rd Party vendor.

You need to purchase an SSL Certificate and know your vendor's procedures for submitting a CSR.

Creating a Certificate Signing Request (CSR) 1

Open the Server Certificate Admin notes database (The same one we used to create the KeyRing.kyr file)

Creating a Certificate Signing Request (CSR) 2

Click 2. Create Certificate Request

Creating a Certificate Signing Request (CSR) 3

Type the path and name of the .kyr file

Select Paste into form on CA's site

Click Create Certificate Request

Creating a Certificate Signing Request (CSR) 4

1. You will be prompted for the KeyRing password - 2. click OK

Creating a Certificate Signing Request (CSR) 5

The Certificate Request will look as depicted below. Copy from the first dash (-) of the BEGIN line

Creating a Certificate Signing Request (CSR) 6

to the last dash (-) of the END line, including both marker lines.

Press Ctrl+C to copy the request to the clipboard.

Creating a Certificate Signing Request (CSR) 7

Open Notepad and Paste the CSR into the notepad document, just in case you accidentally copy something else before you complete the 3rd Party CSR.

Creating a Certificate Signing Request (CSR) 8

Click OK on the Certificate Request Created window.

Creating a Certificate Signing Request (CSR) end

You are now ready to browse to your 3rd Party CA and complete your CSR.

Follow the instructions for requesting a certificate for your 3rd Party CA

You will receive an email from your 3rd Party CA when your SSL Certificate is complete

In most instances you will need to download your SSL Certificate from their site.

There must be a Trusted Root Certificate for your 3rd Party CA in the server's KeyRing.kyr file

The CAs listed on the left are automatically included and therefore trusted in a newly created Domino KeyRing.kyr file.

If your CA is not included in the list, their Trusted Root Certificate will need to be imported.

Note: There is a VeriSign Intermediate CA included. It may or may not be the correct one for your certificate.

Many CAs will now require an Intermediate Certificate as well as their Trusted Root.

Check your 3rd Party CA documentation for Intermediate Certificate requirements.

Trusted Root & Intermediate Certificates 2

Some CAs include their Trusted Root and Intermediate certificates in a bundle or .zip file along with your signed Digital Certificate.

If they are not included, follow the vendor's instructions and download them.

Place them in your C:\SSL subdirectory.

Trusted Root & Intermediate Certificates 3

I normally double click to open the .crt files and leave them open on my desktop so I can get the name correct when I install them into the KeyRing.kyr file.

Trusted Root & Intermediate Certificates 4

Open the Server Certificate Admin database

Trusted Root & Intermediate Certificates 5

Select 3. Install Trusted Root Certificates into Key Ring

Trusted Root & Intermediate Certificates 6

Input the path and file name of your KeyRing.kyr file.

Type the Certificate Label that will appear when you choose View & Edit Key Ring (why I keep it open on the desktop).

Select File or Clipboard as Source.

If File, input the path and file name of the downloaded Trusted Root (or Intermediate) certificate, not your signed server certificate.

If Clipboard, paste the certificate into the provided field.

Base 64 encoding is the most common format unless your vendor specifies otherwise in their documentation.

Click Merge Trusted Root Certificate into Key Ring.

Trusted Root & Intermediate Certificates 7

You will be prompted for the Key Ring password then click OK

Trusted Root & Intermediate Certificates 8

Click OK on the Merge Trusted Root Certificate Confirmation.

Trusted Root & Intermediate Certificates 9

Click OK on the Certificate received into key ring and designated as trusted root prompt.

Trusted Root & Intermediate Certificates end

Intermediate Certificates

If your CA requires an Intermediate Certificate, follow the exact same steps as installing a Trusted Root Certificate.

Of course you would use a different Certificate Label and file name.

If you get a prompt like the one on the left while installing your Signed Server Certificate, it indicates that you are missing an Intermediate Certificate.

Install Server Certificate into Key Ring 1

Open the Server Certificate Admin database and Click 4. Install Certificate into Key Ring

Install Server Certificate into Key Ring 2

Input the path and file name of your KeyRing.kyr file.

Select File or Clipboard as the Certificate Source, then depending on your choice:

If File, input the path and file name of the retrieved signed certificate.

If Clipboard, paste into the provided field.

Click Merge Certificate into Key Ring.

Install Server Certificate into Key Ring 3

Input the Key Ring password and click OK

Install Server Certificate into Key Ring 4

Click OK on the Merge Signed Certificate Confirmation prompt

Install Server Certificate into Key Ring end

Click OK on the Certificate received into key ring prompt

Copy the KeyRing.kyr and KeyRing.sth files to your server's Domino\Data directory 1

When you create a KeyRing.kyr file, a .sth (stash) file of the same name is also created; it holds the password for the associated .kyr file so that the HTTP task can open the Key Ring without prompting. Treat the .sth file as the password itself: anyone who can read both files can use the server's private key, so restrict file-system permissions on the Data directory and do not leave extra copies lying around in C:\SSL.

Browse to the C:\SSL subdirectory and copy BOTH the .kyr and .sth files.

Copy the KeyRing.kyr and KeyRing.sth files to your server's Domino\Data directory 2

Paste the KeyRing.kyr and KeyRing.sth files into your server's Domino\Data directory.

Setup SSL on the Domino Server 1

From Domino Administrator Client

Configuration tab

Server Current Server Document

Edit Server

Note: Load Internet configuration from Server\Internet Sites documents = Disabled

This example assumes you are NOT using Internet Sites documents.

Using Internet Sites documents will be explained in the Wildcard SSL section.

Setup SSL on the Domino Server 2

Go to Ports > Internet Ports and input the name of your KeyRing.kyr file in the SSL key file name field.

Setup SSL on the Domino Server 3

Scroll to the bottom of the page and complete the Web (HTTP/HTTPS) settings:

TCP/IP port number: 80 (standard port)

TCP/IP port status: Redirect to SSL. This automatically switches a user to SSL when they browse to the server without typing https:// at the beginning of the URL.

Enforce server access settings: Yes, to have the server honor the Security Access settings on the Security tab of the server document.

SSL port status: Enabled

Client certificate: No (we haven't issued any client certificates)

Save and Close

Setup SSL on the Domino Server 4
Restart the HTTP Server Task

Domino Admin Client Server Console

Issue the command

restart task http

Test new SSL Setup 1

Open your internet browser

Enter the URL for your server

Example:

http://hotchilies.spicyssl.com/names.nsf

You will be prompted for your name and password if you did not allow anonymous access.

SSL Setup Complete

Note: Because we selected Redirect to SSL you will be automatically switched to SSL (https://)

The Browser does not display any error prompts.

The Lock Icon displays.

Test from a second machine as well, ideally one outside your network: a missing Intermediate Certificate often goes unnoticed on the administrator's own workstation, because the browser may already hold that intermediate from a visit to another site.

Wildcard SSL Certificate 1

Let's suppose we have set up DNS entries for hotchilies.spicyssl.com and for inotes.spicyssl.com, both pointing to the same server.

When we browse to hotchilies.spicyssl.com everything is fine.

But when we browse to inotes.spicyssl.com we get: There is a problem with this website's security certificate.

This is because the certificate was issued to hotchilies.spicyssl.com, not inotes.spicyssl.com: the browser compares the host name in the URL with the name in the certificate and warns on any mismatch, regardless of which server the DNS name points to.

Wildcard SSL Certificate 2

What is a Wildcard SSL Certificate?

Secures multiple first-level sub-domains (Internet Sites or Servers) as long as they end with the same domain name.

Example:

www.spicyssl.com

hotchilies.spicyssl.com

inotes.spicyssl.com

traveler.spicyssl.com

quickr.spicyssl.com

Most browsers won't accept a Wildcard SSL Certificate that spans more than one level. In other words, a Wildcard Certificate for *.spicyssl.com will not work for inotes.mail.spicyssl.com or best.recipe.for.spicyssl.com, and it does not cover the bare spicyssl.com either.
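
The name check behind both the single-host mismatch shown above (a certificate for hotchilies.spicyssl.com presented as inotes.spicyssl.com) and the one-level wildcard rule, as an added example that is not part of the original deck. It follows the matching rules of RFC 6125 section 6.4.3 (case-insensitive labels, wildcard only as the whole leftmost label, matching exactly one label) and uses constructed names on the deck's fictitious spicyssl.com domain; it is written to make the rule visible, not to replace the check your TLS library already performs.

```python
# Added example, not code from the Lotusphere deck or from Domino: certificate
# host-name matching (RFC 6125 section 6.4.3) for plain and wildcard names.
from typing import Iterable


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label.  Only a label that is exactly '*' is a wildcard, and
    it matches exactly one non-empty label, so '*.spicyssl.com' never covers
    'inotes.mail.spicyssl.com'.  Partial wildcards such as 'in*.spicyssl.com'
    are rejected outright (browsers increasingly refuse them too)."""
    if pattern_label == "*":
        return host_label != ""
    if "*" in pattern_label:
        return False
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (Common Name or dNSName SAN entry) cover hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False                  # a wildcard never spans extra labels
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False              # wildcard only in the leftmost label
        if len(p_labels) < 3:
            return False              # refuse '*.com' style names
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """A certificate is acceptable for hostname if any of its names matches.
    Modern browsers take these names from the subjectAltName extension and
    ignore the Common Name; older clients fall back to the CN."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed test data following the deck's scenario.
SINGLE_HOST_CERT = ["hotchilies.spicyssl.com"]
WILDCARD_CERT = ["*.spicyssl.com"]


def deck_scenarios() -> dict:
    """True = no warning, False = 'problem with this website's security certificate'."""
    return {
        # single-host certificate presented under a second DNS name
        "single_hotchilies": certificate_covers(SINGLE_HOST_CERT, "hotchilies.spicyssl.com"),
        "single_inotes": certificate_covers(SINGLE_HOST_CERT, "inotes.spicyssl.com"),
        # wildcard covers every first-level sub-domain, case-insensitively...
        "wild_inotes": certificate_covers(WILDCARD_CERT, "inotes.spicyssl.com"),
        "wild_traveler": certificate_covers(WILDCARD_CERT, "Traveler.SpicySSL.com"),
        # ...but not the bare domain, anything two levels deep,
        "wild_apex": certificate_covers(WILDCARD_CERT, "spicyssl.com"),
        "wild_two_levels": certificate_covers(WILDCARD_CERT, "inotes.mail.spicyssl.com"),
        # or a different domain that merely ends with the same characters
        "wild_lookalike": certificate_covers(WILDCARD_CERT, "inotes.notspicyssl.com"),
    }


if __name__ == "__main__":
    for case, ok in deck_scenarios().items():
        print(f"{case:18s} {'OK' if ok else 'certificate error'}")
```

If you need the bare domain and the sub-domains on one certificate, ask the CA for a certificate whose Subject Alternative Name list carries both spicyssl.com and *.spicyssl.com; the wildcard alone will not do it.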

Wildcard SSL Certificate 3

Advantages:

Can result in big savings if you have more than 3 or 4 sites to secure.

Easier to manage especially when it comes time for renewals.

Disadvantages:

Every server that uses the wildcard certificate holds a copy of the same private key, so if one of those servers is compromised the attacker can impersonate all of the others until the certificate is revoked and replaced everywhere.

Some mobile device operating systems may not recognize the wildcard character (Windows Mobile 5 for example).

3rd Party CAs offer different options:

Some allow you to create as many new or sub wildcard certificates (with the same domain name) as needed, each with a unique private key, which removes the shared-key problem and makes each one as secure as a single server certificate.

Some 3rd Party vendors limit the number of use instances of a Wildcard SSL certificate.

Read the License agreements of your CA to be sure you comply with their requirements.

Wildcard SSL Certificate 4

The process of setting up a Domino Server to use a Wildcard SSL Certificate is the same as a single server certificate.

Choose your 3rd Party CA

Create a KeyRing file*

Creating a Certificate Signing Request (CSR)

Retrieve SSL Certificate from Vendor

Trusted Root and Intermediate Certificates

Install Server SSL Certificate

Setup Domino Server for SSL

*The difference is when you create the KeyRing.kyr file.

Enter *.spicyssl.com or *.yourdomain.com as the Common Name in the Distinguished Name section.

The Domain owner will likely receive an email requesting verification of Wildcard CSR before issuing the certificate.

Creating a Wildcard KeyRing.kyr file 5

Open the Server Certificate Admin database

Create a new KeyRing.kyr file

Give the file a different name

Example:

C:\SSL\WildSpicySSL.kyr

Complete the Create Key Ring document as we did before with ONE exception, the Common Name Field

Use *.spicyssl.com (or *.yourdomain.com)

Creating a Wildcard KeyRing.kyr file 6

As long as you are sure you have entered a new Key Ring File Name,

Click on OK if you receive a WARNING prompt like the one to the left.

Click OK on the Key Ring Created prompt

Wildcard SSL Certificate 7

Follow the remaining procedures as we did for setting up SSL on a Single Server

Creating a Certificate Signing Request (CSR)

Retrieve SSL Certificate from Vendor

Trusted Root and Intermediate Certificates

Install Server SSL Certificate

Setup Domino Server for SSL, but this time we'll use Internet Sites documents

Wildcard SSL Certificate 8

Note the SubjectOrg and SubjectCommonName on the Signed Wildcard Certificate is *.spicyssl.com (Step 6 Install Server SSL Certificate above).

Configure Internet Sites with SSL 9

Enable Internet Sites Documents

Edit the Server Document

Basics tab

Enable Load Internet configurations from Server\Internet Sites documents

Save and Close the server Document

Configure Internet Sites with SSL 10

Add a Web Internet Site Document

Domino Admin Client

Configuration Tab

Web

Internet Sites

Add Internet Site

Web

Configure Internet Sites with SSL 11

Complete the Basic Tab

Descriptive name for this site

Organization

Is this the Default Internet Site?

Configure Internet Sites with SSL 12

Define this site Home URL on the Configuration Tab

Configure Internet Sites with SSL 13

Security Tab

Redirect TCP to SSL

Require Name & Password for SSL Authentication

Enter the name of your WildKeyRing.kyr in the SSL Options section

Save and Close the document

Wildcard SSL Certificate 14

Copy the WildKeyRing.kyr and WildKeyRing.sth files to the Domino server's data directory.

Open the Admin Client Server Console and enter the command Restart task HTTP.

Wildcard SSL Certificate 15

Now when we browse to inotes.spicyssl.com/redirect.nsf:

We no longer get a SSL Certificate Error.

We are prompted for a user name and password.

When we click on the lock icon:

We see the site is identified as:

inotes.spicyssl.com

The connection to the server is encrypted.


Wildcard SSL Certificate 16

By clicking View Certificate we see that the certificate was issued to:

*.spicyssl.com
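As an added example (not part of the original presentation), here is the rule the browser applied when it accepted inotes.spicyssl.com against a certificate issued to *.spicyssl.com: a wildcard covers exactly one DNS label, so it never identifies the bare domain or a deeper host. The matching function follows the RFC 6125 rules browsers enforce, and the host list is constructed for the example.

```python
"""Wildcard certificate name matching, as a browser applies it (added example).

The rule: "*" may only be the whole left-most label of the presented name,
it matches exactly one host label, and it never matches the bare domain or
spans a dot. Names are compared case-insensitively.
"""


def hostname_matches(presented_name: str, hostname: str) -> bool:
    """Return True if a certificate name (e.g. "*.spicyssl.com") identifies hostname."""
    name = presented_name.strip().lower().rstrip(".")
    host = hostname.strip().lower().rstrip(".")
    if not name or not host or "*" in host:
        return False
    if "*" not in name:
        # Plain name: exact match only.
        return name == host
    name_labels = name.split(".")
    host_labels = host.split(".")
    # The wildcard must be the entire left-most label; names with fewer than
    # three labels ("*.com") are rejected outright.
    if name_labels[0] != "*" or len(name_labels) < 3:
        return False
    if any("*" in label for label in name_labels[1:]):
        return False
    # "*" covers exactly one label, so the label counts must be equal.
    if len(host_labels) != len(name_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == name_labels[1:]


def matching_name(cert_names, hostname: str):
    """Return the first name in cert_names that identifies hostname, or None.

    cert_names would be the certificate's Subject Alternative Names (or, for
    the certificate style shown in the slides, its SubjectCommonName).
    """
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


def hosts_covered(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it (None if uncovered)."""
    return {host: matching_name(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed host list for the fictitious spicyssl.com used in the deck.
    wildcard = ["*.spicyssl.com"]
    hosts = [
        "inotes.spicyssl.com",       # covered
        "hotchilies.spicyssl.com",   # covered
        "spicyssl.com",              # NOT covered: the wildcard needs one more label
        "mail.inotes.spicyssl.com",  # NOT covered: "*" spans only one label
        "inotes.spicyssl.net",       # NOT covered: different domain
    ]
    for host, name in hosts_covered(wildcard, hosts).items():
        print(f"{host:28s} -> {name or 'certificate error'}")
```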



Domino's Certificate Authority (CA) process

The Domino CA process can issue both Notes ID and Internet Certificates and runs as an automated process on your Domino server.

It allows you to off-load the tasks of Notes ID creation and certificate issuing to others without giving them your certifier IDs and passwords.

Internet certificate requests are processed more easily.

It maintains Issued Certificate Lists (ICL) and revocation lists.


Setting up Domino Certificate Authority

Migrate a Notes Certifier to the CA Process

Managing the CA process

Add an Internet Certifier to the CA process

Create a Certificate Request database for the Internet Certifier

Create a KeyRing.kyr file

Set up SSL on the Domino server

Install the Domino Internet Certifier Trusted Root certificate into your browser


Migrate Notes Certifier to the CA Process 1

Domino Admin client

Configuration Tab

Tools

Certification

Migrate Certifier


Migrate Notes Certifier to the CA Process 2

Click Select


Migrate Notes Certifier to the CA Process 3

Browse to the certifier being migrated and click Select


Migrate Notes Certifier to the CA Process 4

Click OK


Migrate Notes Certifier to the CA Process 5

Input certifier password and click OK


Migrate Notes Certifier to the CA Process 6

The next slides explain the options on this page.


Migrate Notes Certifier to the CA Process 7
Migrate Certifier Options

Select the server on which the certifier will run.

It is suggested that you leave the default path and name of the ICL database.

How this certifier is protected:

Encrypt Certifier ID with Server ID

This will encrypt the certifier with the server's ID. No additional password or action will be required to use this certifier. You can isolate your CA server and add a password to the server ID for added security.

Require password to activate

More secure, but requires that you issue the tell ca activate command after loading the CA task.

Locking ID

High security. If you use this option, I recommend creating a special ID. Keep in mind that password expiration or Notes certificate expiration will cause issues. This option requires that you issue the tell ca unlock command on the server console.


Migrate Notes Certifier to the CA Process 8
Migrate Certifier Options

Certificate Authority Administrator (CAA)

A CAA can create and modify certifiers deployed in the Domino CA.

Only a CAA can edit the Password recovery information in a certifier.

The CAA can also add and edit the roles assigned to others.

A CAA must have at least Editor access to the Domino Directory.

Best Practice is to assign at least 2 CAAs to each certifier.

Registration Authority (RA)

Approves or denies Notes or Internet certificate requests.

Can revoke certificates that can no longer be trusted.

Must have at least Author access with Create Document privilege and User Creator role to the Domino Directory.

The main advantage of separating the roles is to off-load these tasks from the Domino or CA administrator.

If you use the Web Administrator client, the Domino server must be listed as an RA.


Migrate Notes Certifier to the CA Process 9

Add your server as an RA

Click OK


Migrate Notes Certifier to the CA Process 10

After a few seconds the Success prompt will appear.

Click OK


Migrate Notes Certifier to the CA Process 11

To start the CA process, open the Domino Admin Client Server Console and issue the load ca command.



Commands used to Manage the CA Process

The most common CA commands are:

load ca - loads the CA task on the Domino server

tell ca refresh - causes the CA task to reload the certifiers list (certifiers will need to be unlocked or activated again)

tell ca quit - stops the CA task

tell ca stat - displays summary information about the certifiers, including their number

tell ca activate <certifier number> - activates a specific certifier

tell ca unlock - unlocks all certifiers the ID protects

tell ca help - lists all of the CA options

You can also deactivate or lock individual certifiers

Add the CA task to the ServerTasks= line of your server's notes.ini so that the CA task will load at server startup.
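A concrete form of that last step, as an added example (not from the presentation): a small Python helper that appends CA to the ServerTasks= line of a notes.ini, treats task names case-insensitively as the server does, and leaves a file that already lists CA unchanged. The notes.ini content below is constructed for the example.

```python
"""Add the CA task to the ServerTasks= line of notes.ini (added example).

ServerTasks= is a comma-separated list of tasks Domino loads at startup.
The helpers are idempotent: running them on a file that already lists CA
returns the same text.
"""


def parse_server_tasks(notes_ini: str):
    """Return the tasks on the ServerTasks= line (empty list if the line is absent)."""
    for line in notes_ini.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            return [t.strip() for t in value.split(",") if t.strip()]
    return []


def ca_task_enabled(notes_ini: str) -> bool:
    """True if CA is already a startup task (task names are case-insensitive)."""
    return any(t.lower() == "ca" for t in parse_server_tasks(notes_ini))


def enable_ca_task(notes_ini: str) -> str:
    """Return notes.ini text with CA on ServerTasks=, adding the line if it is missing.

    Every other line is passed through untouched, so unrelated settings
    (for example ServerTasksAt1=) are preserved exactly.
    """
    out = []
    found = False
    for line in notes_ini.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            found = True
            tasks = [t.strip() for t in value.split(",") if t.strip()]
            if not any(t.lower() == "ca" for t in tasks):
                tasks.append("CA")
            line = key.strip() + "=" + ",".join(tasks)
        out.append(line)
    if not found:
        out.append("ServerTasks=CA")
    return "\n".join(out) + "\n"


# Constructed sample; a real notes.ini carries many more settings.
SAMPLE_NOTES_INI = """[Notes]
Directory=C:\\Domino\\Data
ServerTasks=Update,Replica,Router,AMgr,AdminP,Sched,CalConn,HTTP,LDAP
ServerTasksAt1=Catalog,Design
"""

if __name__ == "__main__":
    print("CA at startup before:", ca_task_enabled(SAMPLE_NOTES_INI))
    updated = enable_ca_task(SAMPLE_NOTES_INI)
    print(updated)
    print("CA at startup after:", ca_task_enabled(updated))
```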



Add an Internet certifier to the CA Process 1

Domino Admin client

Configuration

Tools

Registration

Internet Certifier


Add an Internet certifier to the CA Process 2

Select I want to register a new internet certifier that uses the CA process

The option I have a keyring file I want to register would be used if you had an existing Internet Certifier (R5 Certifier Key Ring) you wanted to migrate into the CA process.

Click OK


Add an Internet certifier to the CA Process 3

On the Basics tab of the Register New Internet Certifier window, again let's use Encrypt certifier ID with the Server ID, then click Create Certifier Name.


Add an Internet certifier to the CA Process 4

The Common Name field is required.

Again, no abbreviations in the State or Province field.

You can see the Certifier Name being built as you fill in the various fields.

Click OK


Add an Internet certifier to the CA Process 5

Certificates Tab

The Include CRL distribution point extension option, enabled by default, sets an attribute that identifies the location of the Certificate Revocation List (CRL).

By clicking Detail you will see that the location for the CRL is LDAP on the Domino server.

Backdate certificate validity is also enabled by default. The period during which a CA warrants that it will maintain information regarding a certificate is defined as the certificate validity period.


Add an Internet certifier to the CA Process 5

Certificates Tab continued

By default a certifier is permitted to issue certificates for all Key Usage options.

The two most common key usages are checked by default:

Digital Signature

Used when authenticating data origin and integrity.

Data Encipherment

Used when the public key is used for encrypting user data.


Add an Internet certifier to the CA Process 6

Key Usage defines the purpose of the certificate. You can select all of the usages or restrict the certifier to as few as necessary.

Other standard Key Usages are:

Non-repudiation - used to ensure that the sender of a message cannot deny having sent it, or the receiver deny having received it.

Key encipherment - used by the data encryption protocols in SSL and S/MIME.

Key agreement - used when sender and receiver need to derive or agree on a key without using encryption; once agreed, this key is then used to encrypt data.

Certificate signing - used for verifying a signature on public key certificates.

CRL signing - used for verifying a signature on a Certificate Revocation List.

Encipher only - must be used in conjunction with Key Agreement; the subject public key may only be used for encrypting data.

Decipher only - must be used in conjunction with Key Agreement; the subject public key may only be used for decrypting data.

Extended key usages further refine or restrict the standard key usages.


Add an Internet certifier to the CA Process 7

Key Usage defines the purpose of the certificate. You can select all of the usages or restrict the certifier to only as few as necessary.

Examples of applications and the Key Usage they require:

SSL Client, S/MIME Signing and Object Signing require Digital Signature.

SSL Server and S/MIME Encryption require Key Encipherment.

Certificate Signing requires the Certificate Signing key usage.

Choose the options that match your certificate's purpose.
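Added example (not Domino's code or part of the presentation) tying the Key Usage list on this and the previous slide to what a certificate actually carries: the RFC 5280 KeyUsage bit positions, a DER encoder/decoder for the extension value, the application-to-usage table from the slide, and the constraint that Encipher only and Decipher only need Key Agreement. The application names and the DOMINO_DEFAULT set are the example's own labels for what the slides describe.

```python
"""X.509 KeyUsage: decode/encode the extension bits and check them against the
application requirements from the slides (added example, not Domino's code).

Bit numbering follows RFC 5280 (bit 0 = digitalSignature ... bit 8 =
decipherOnly). The value is a DER BIT STRING: tag 0x03, length, a count of
unused trailing bits, then the bits with bit 0 as the MSB of the first byte.
"""

KEY_USAGE_BITS = [
    "digitalSignature",  # 0  SSL client, S/MIME signing, object signing
    "nonRepudiation",    # 1
    "keyEncipherment",   # 2  SSL server, S/MIME encryption
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5  certificate signing (a CA)
    "cRLSign",           # 6
    "encipherOnly",      # 7  only meaningful together with keyAgreement
    "decipherOnly",      # 8  only meaningful together with keyAgreement
]

# Application -> required usage, as listed on the slide (labels are this example's).
REQUIRED_USAGE = {
    "ssl_client": {"digitalSignature"},
    "smime_signing": {"digitalSignature"},
    "object_signing": {"digitalSignature"},
    "ssl_server": {"keyEncipherment"},
    "smime_encryption": {"keyEncipherment"},
    "certificate_signing": {"keyCertSign"},
}

# The two usages the slides say Domino checks by default for a new certifier.
DOMINO_DEFAULT = {"digitalSignature", "dataEncipherment"}


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING holding a KeyUsage value into usage names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form DER BIT STRING")
    unused_bits, body = der[2], der[3:]
    if unused_bits > 7 or (not body and unused_bits):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused_bits
    usages = set()
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(KEY_USAGE_BITS[bit])
    return usages


def encode_key_usage(usages) -> bytes:
    """Encode usage names as a minimal DER BIT STRING (trailing zero bits dropped)."""
    positions = sorted(KEY_USAGE_BITS.index(u) for u in usages)
    if not positions:
        return bytes([0x03, 0x01, 0x00])
    nbits = positions[-1] + 1
    nbytes = (nbits + 7) // 8
    body = bytearray(nbytes)
    for bit in positions:
        body[bit // 8] |= 0x80 >> (bit % 8)
    unused = nbytes * 8 - nbits
    return bytes([0x03, nbytes + 1, unused]) + bytes(body)


def consistency_problems(usages) -> list:
    """Constraint from the slides: encipherOnly/decipherOnly require keyAgreement."""
    return [f"{u} set without keyAgreement"
            for u in ("encipherOnly", "decipherOnly")
            if u in usages and "keyAgreement" not in usages]


def usable_for(usages, application: str):
    """Return (ok, missing_usages) for an application listed in REQUIRED_USAGE."""
    missing = sorted(REQUIRED_USAGE[application] - set(usages))
    return (not missing, missing)


if __name__ == "__main__":
    # The default set lacks keyEncipherment, so S/MIME encryption is not possible...
    print("default, smime_encryption:", usable_for(DOMINO_DEFAULT, "smime_encryption"))
    # ...and becomes possible once Key Encipherment is added, as the next slide does.
    with_ke = DOMINO_DEFAULT | {"keyEncipherment"}
    print("with keyEncipherment:", usable_for(with_ke, "smime_encryption"))
    der = encode_key_usage(with_ke)
    print("DER:", der.hex(), "->", sorted(decode_key_usage(der)))
    print("encipherOnly alone:", consistency_problems({"encipherOnly"}))
```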


Add an Internet certifier to the CA Process 8

Since we are going to be using S/MIME, add Key Encipherment to the default selection.


Add an Internet certifier to the CA Process 9

On the Misc. tab

Click Create a local copy of the certifier ID.

Set ID File path and name.

Enter the password.

Click OK on the ID file prompt and again on the Creating certifier dialog box.

In order to have the CA process pick up the new certifier, enter tell ca refresh on the Domino Admin Server Console.



Create Certificate Requests database 1

From the Notes Client choose File - Application - New


Create Certificate Requests database 2

Select Server

File Name

Database Title

Choose Template server

Show advanced templates

Select Certificate Requests (8) certreq.ntf

Click OK


Create Certificate Requests database 3

When the database has been created, the About document will appear.

Review the instructions for using the Certificate Request Database.


Create Certificate Requests database 4

Select the Server and Certifier from the drop down list.

We are going to use this Certificate Request database for both Client and Server Certificates.

Set the Validity Period as desired for Client Requests.

The default Key and Extended Key Usages are adequate for our purposes.


Create Certificate Requests database 5

Select any other Key Usage keywords to suit your installation.

These are the Extended Key Usage options.


Create Certificate Requests database 6

Server Request Customization

Set the Validity Period as appropriate.

Again the default Key and Extended Key Usages can be set as desired.

If you choose Automatic as the processing method, another field, Automatic Transfer Server, will appear for you to specify the server running AdminP to which requests are to be transferred.

Set Mail completed confirmation request to the requestor to Yes or No.

Click Save & Close.



Create KeyRing.kyr for server-based CA 1

Open the Certificate Requests database we just created.

In the Domino Key Ring Management folder.

Select Create Key Ring.


Create KeyRing.kyr for server-based CA 2

Complete the Create Key Ring form as we have in the previous examples.

Click OK on the Key Ring Created prompt when it appears.


Create KeyRing.kyr for server-based CA 3

The Trusted Root certificate for the Domino Internet CA will automatically be installed into the new KeyRing.kyr file.

Note the CA Certificate information we entered when we created the Internet Certifier appears as the Certificate Issuer in the Merge Trusted Root Certificate Confirmation dialog box.

Verify the information and Click OK.


Click OK on the Certificate received into key ring and designated as trusted root prompt.


Create KeyRing.kyr for server-based CA 4

When the Certificate Request Successfully Created for Key Ring prompt appears, click OK.


Create KeyRing.kyr for server-based CA 5

A CSR will automatically be created.

Since we selected Manual as the processing method in our Certificate Request database we must submit the request to AdminP for processing.

Open the Pending/Submitted Request view in the Certificate Request database.

Select the request.

Click Submit Selected Requests.


Click OK on the Successfully submitted prompt.


Create KeyRing.kyr for server-based CA 6

An authorized Registration Authority (RA) must open the Administration Request database and approve the request.

Certificate Request view.

Open the new request.


Create KeyRing.kyr for server-based CA 7

Verify the information.

Edit the request.

Click Approve Request.


Create KeyRing.kyr for server-based CA 8

Open the Certificate Requests database

Pending/Submitted Request view.

Select the document.

Click Pull Selected Requests.

Click OK on the Successfully pulled prompt.


Create KeyRing.kyr for server-based CA 9

Open your mail file and locate the Your certificate request has been approved message.

Copy the pickup ID to your clipboard.


Create KeyRing.kyr for server-based CA 10

Alternatively, you can open the Certificate Request Database.

Go to the Issued/Rejected Certificates view.

Open the Certificate Issued document.

Copy the Pickup ID from the Request ID field.

*Not necessary if you copied it from the email message.


Create KeyRing.kyr for server-based CA 11

Open the Certificate Request database.

Click Pickup Key Ring Certificate.


Create KeyRing.kyr for server-based CA 12

Input the path and name of your KeyRing.kyr file.

Input the password for the KeyRing.kyr file.

Paste the Pickup ID into the last field.

Click Pickup Certificate.

Verify the information on the Merge Signed Certificate Confirmation prompt.

Click OK.


Create KeyRing.kyr for server-based CA 13

Click OK on the Certificate received into key ring prompt.

Copy or FTP the KeyRing.kyr and KeyRing.sth files to the Domino\Data directory on your server.



Setup SSL on the Domino Server

The procedures are the same as listed for the single server or the Internet Sites document from previous examples.

We are going to edit the Internet Site document we used last and replace the WildKeyRing.kyr with the DomCAKR.kyr we just created for the Domino Certificate Authority.

Then issue restart task http from the Domino Admin Client Server Console.



Install the Domino Internet Certifier Trusted Root Certificate into your browser 1

Oops! When we browse back to our server, we get the dreaded There is a problem with this website's security certificate error.

This is because ?????


Install the Domino Internet Certifier Trusted Root Certificate into your browser 2

The Certificate Authority that we created is not a Trusted Authority in the browser.

You can open standard HTTP:// access and send end users a URL link to the Domino CA Certificate Request database. This database has a built-in function to accept the Domino Certificate Authority as a Trusted Root in their browser, as we are about to see.


Install the Domino Internet Certifier Trusted Root Certificate into your browser 3

Browse to the Domino CA Certificate Request database, http://hotchilies.spicyssl.com/certreq.nsf

Select Accept This Authority In Your Browser


Install the Domino Internet Certifier Trusted Root Certificate into your browser 4

If the browser displays a warning bar at the top of the window, click on it and then click Run Add-on.

Click Run on the Security Warning.

You will be returned to the Domino CA Certificate Requests database.

Click Accept This Authority In Your Browser again.


Install the Domino Internet Certifier Trusted Root Certificate into your browser 5

Click Install Certificate


Install the Domino Internet Certifier Trusted Root Certificate into your browser 6

Click Yes on the Potential Security Violation prompt.

Click Yes on the Security Warning.


Install the Domino Internet Certifier Trusted Root Certificate into your browser 7

Verify that the Domino CA Certificate was installed as a Trusted Root in your browser.

Open browser

Click Tools

Internet Options


Install the Domino Internet Certifier Trusted Root Certificate into your browser 8

On the Content tab

Select Certificates


Install the Domino Internet Certifier Trusted Root Certificate into your browser 9

Go to the Trusted Root Certification Authorities tab.

Scroll through the list and you should find your Domino CA Certificate.

* An alternate method of installing the Domino CA Trusted Root certificate is provided as Appendix 1 at the end of the presentation.



S/MIME and X.509 Certificates for secure email 1

Now that we have the Domino Certificate Authority set up with an Internet Certifier, we can create Internet Certificates for our Notes clients.

The CA's Trusted Root Certificate must be in either the Domino Directory or the client's contact database (personal address book); however, it's much simpler for your Notes clients if it's in the Domino Directory.

As the Administrator for your domain, you must decide:

Issue Internet Certificates via the Domino Admin Client? If your primary goal is S/MIME encrypted email, you can issue Internet Certificate Requests for your Notes clients from the Domino Admin client. The CA will process the requests, add the certificates to the Person Documents and automatically import them into the Notes ID files.

Or do you want to require Client Certificates in the end users' browsers for additional access control to your Domino servers? This option requires an end user to submit a request, pick up the signed certificate from the Domino Certificate Request database and then install the certificate into their browser.

Or a combination of the two?


S/MIME and X.509 Certificates for secure email 2

Administrator adds internet certificates to the Domino Directory:

The easiest method to accomplish issuing X.509 certificates for email encryption is for the Domino Administrator to request certificates via the Domino Administrator client.

The CA adds the Internet Certificate to the user's Person Document in the Domino Directory.

When the user authenticates with their home mail server, the Internet Certificate is automatically merged into the Notes ID file.

Client Requests Cross Certificate:

If you want to use browser internet certificates for authentication and SSL encryption:

Browse to and request a certificate from the Certificate Request Database.

An RA approves the request, the CA processes the request, and Domino submits an AdminP request to add the Internet Certificate to the person document in the Domino Directory. The CA emails the end user a pickup ID and then the end user installs the certificate into their browser.

The client merges the Certificate into their Notes ID file.


S/MIME and X.509 Certificates for secure email 3

Administrator Issues Internet Certificate to the Person Document

Be sure the Domino CA process is set up and running

Open the Domino Admin Client

People & Groups Tab

People

Select names to receive Internet Certificates


S/MIME and X.509 Certificates for secure email 4

From the Menu Bar

Click Actions

Choose Add Internet Cert to Selected People.


S/MIME and X.509 Certificates for secure email 5

Choose a Certifier prompt box

Select your registration server.

Select Use the CA Process.

Select your Internet Certifier as the CA configured certifier.

Click OK.


S/MIME and X.509 Certificates for secure email 6

Review the Information in the Add Internet Certificate to Selected Entries box and click Certify.

Click OK on the Processing Statistics prompt.


S/MIME and X.509 Certificates for secure email 7

A Certificate Request is added to the AdminP database for each person selected.


S/MIME and X.509 Certificates for secure email 8

When the CA processes the Certificate Request, it then creates a Store Certificate in Domino or LDAP Directory request in the AdminP database.


S/MIME and X.509 Certificates for secure email 9

After a replication cycle completes to the user's mail server and the user accesses their mail file, Lotus Notes sees that there is an Internet Certificate available in their Person Document and automatically downloads it to their Notes ID file.


S/MIME and X.509 Certificates for secure email 10

To view the Internet Certificate information in your Notes ID:

File

Security

User Security

Enter Your Password and click Log In.


S/MIME and X.509 Certificates for secure email 11

Expand Your Identity, select Your Certificates, then choose Your Internet Certificates to view your Internet Certificate information.


S/MIME and X.509 Certificates for secure email 12

Now that you have an Internet Certificate, how do you go about exchanging secure email with someone else?

You have to cross certify and swap public keys with the other person.

You do this by sending each other a signed email. The signature contains your public key information.

Each must store the other's public key in their Contact database (Personal Address Book) by using Add Sender to Address Book.

Then you can send and receive S/MIME encrypted emails.


S/MIME and X.509 Certificates for secure email 13

Create and Sign an email to your associate.

After creating the message select:

Delivery Options

Sign

OK

Send


S/MIME and X.509 Certificates for secure email 14

When your associate opens the email, they will be prompted to Cross Certify with the certificate contained in your signature.

Notice that it is your ID that is doing the cross certification.

The server that will contain the certificate is the local names.nsf.

Click Cross certify.


S/MIME and X.509 Certificates for secure email 15

Your associate will need to add or update the information in their Contact database by:

Clicking on More

Add Sender to Contacts

If they are already in your Contacts, you will be prompted to replace the contact record that is there.

Be sure Include X.509 certificates when encountered is checked.

Click OK


S/MIME and X.509 Certificates for secure email 16

You will receive a Contacts successfully updated prompt. Click OK.

Your associate must send you a signed message so that you can cross certify with their Internet Certificate. Once you have both cross certified and have stored each other's public key in your Contacts databases, you can send and receive S/MIME encrypted email to each other.


S/MIME and X.509 Certificates for secure email 17

When you receive an encrypted email, your Notes client will automatically decrypt the message when opened.

The status bar at the bottom of your Notes client will display Decrypting document.


S/MIME and X.509 Certificates for secure email 18

Little Bug.

Server Configuration Document

MIME

Advanced

Advanced Outbound Message

RFC822 Phrase Handling

If this is set to Use CN as phrase for friendly email reply addresses, and you are sending your public key to a Notes client at another company, they will have issues adding your public key to their Contact database.



Links for more information

http://en.wikipedia.org/wiki/Transport_Layer_Security

http://www.redbooks.ibm.com/abstracts/redp0046.html?Open

http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf (page 66)

Frequently Asked Questions: Using SSL with Notes and Domino

http://www-01.ibm.com/support/docview.wss?uid=swg21218820

Appendices

Appendix 1

Install the Domino CA Certifier Trusted Root Certificate Alternate Method

Appendix 2

Requesting, Processing & Installing a Client Certificate from a Domino CA Single Host

Appendix 3

Export an X.509 Certificate from your browser and import it into your Notes ID


Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 1

Click Continue to the website (not recommended).

Then click on the Certificate Error in the browser bar.


Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 2

The Untrusted Certificate explanation will appear.

Click View certificates.


Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 3

Go to the Certification Path tab

Notice at the bottom of the prompt box:

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

Double-click on the Certificate Authority name, NOT the server name.


Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 4

Click Install Certificate.

The Certificate Import Wizard will launch.

Click Next.


Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 5

Select Place all certificates in the following store.

Click Browse.

Select Trusted Root Certification Authorities.

Click OK.


Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 6

Click Next.

Then click Finish.


Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 7

Click Yes on the Security Warning prompt.

Click OK on The import was successful prompt.


Appendix 1
Install the Domino CA Certifier Trusted Root Certificate alternate method 8

Close and re-launch your browser. When you browse to your server this time you should no longer receive a security warning. You should see the Lock Icon and be prompted for your user name and password.


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 1

Whether you are requesting a Client Certificate from a 3rd Party CA or a Domino CA, the procedures are basically the same.

Browse to the CAs website.

Request a Client Certificate.

The CA will process the Certificate Request.

The CA will notify you via email that the certificate is ready for pickup.

Browse to the CA's pickup site.

Paste in the Pickup ID.

Install the trusted root and signed certificate into your browser.


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 2

Browse to your Domino CA's Certificate Request database.

Select Request Client Certificate


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 3

Complete the Client Request Form.

Remember: no abbreviations in the State/Province field.

Domino defaults to a High Grade Key for client certificates.

Submit Certificate Request.

Certificate Request Has Been Submitted will display on success.


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 4

The next 3 procedures are performed by the Registration Authority (RA).

Open Certificate Request database

Pending/Submitted Request view

Select appropriate document(s)

Click Submit Selected Requests


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 5

Admin Request database

Certificate Request view

Open New Request document


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 6

Click Edit Request

Click Approve Request


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 7

Return to Certificate Request database

Pending/Submitted view

Click Pull Selected Requests

Click OK

Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 8

The client receives an email with the pickup ID.

Copy the pickup ID to your clipboard.


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 9

Browse back to the Certificate Request application

Click Pick Up Client Certificate


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 10

Paste the Pickup ID into the Pickup ID field

Click Pick Up Client Certificate

Click Install Certificate


Appendix 2
Requesting, Processing & Installing a Client Certificate from a Domino CA 11

Click OK

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 1

Once a certificate has been installed into your browser, you can Export the certificate and then Import it into your Notes ID file to be used for S/MIME Secure Email.

I will be exporting and importing a VeriSign Personal Certificate in this example.

Open your browser and select

Tools

Internet Options

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 2

On the Content tab

Click Certificates

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 3

On the Personal tab

Select the certificate

Click Export

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 4

The Certificate Export Wizard will launch.

Select Yes to export the private key.

Click Next

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 5

Select Personal Information Exchange PKCS #12 (.PFX) as the format.

Be sure to select Include all certificates in the certification path if possible.

Click Next

NOTE: If you fail to select Include all certificates in the certification path if possible, you will get an error when you try to import your certificate into your Notes ID.

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 6

Input and confirm a password to protect your private key.

Click Next

Select the folder

Input a file name

Click Save

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 7

Click Next

Review the information

Click Finish

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 8

Click OK on the Exporting your private exchange key prompt.

Click OK on the Export successful prompt.
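An added example, not from the SHOW104 deck: the same export done from PowerShell, followed by a check that the resulting .pfx actually carries the CA chain and the private key, which are the two things the earlier NOTE about Include all certificates in the certification path and the Yes, export the private key step are there to guarantee. It needs the PKI module (Windows 8 / Server 2012 and later; on the Windows 7 client shown in the screenshots the wizard is the only route). The file path and the subject name used to pick the certificate are placeholders; the file name JohnCert.pfx is the deck's own example.

```powershell
# Added example (not from the SHOW104 deck): export a personal certificate to
# PKCS #12 with its chain, then inspect the .pfx before importing it into Notes.
# Requires the PKI module (Export-PfxCertificate, Get-PfxData).
# The path and subject filter are placeholders.

$PfxPath  = 'C:\certs\JohnCert.pfx'              # deck's file name; folder assumed
$Password = Read-Host -AsSecureString 'PFX password'

# Pick the personal certificate from the Personal store (Cert:\CurrentUser\My).
# Placeholder filter: the deck's fictitious user, John Doe.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like '*John Doe*' } |
        Select-Object -First 1
if (-not $cert) { throw 'No personal certificate with a private key was found' }

# -ChainOption BuildChain is the command-line counterpart of the wizard's
# "Include all certificates in the certification path if possible" check box.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null

# Re-open the file and verify what it contains. EndEntityCertificates is the user
# certificate; OtherCertificates holds the issuing CA(s) that Notes expects to find.
$pfx = Get-PfxData -FilePath $PfxPath -Password $Password

"End-entity : {0}" -f (($pfx.EndEntityCertificates | ForEach-Object { $_.Subject }) -join '; ')
"Chain certs: {0}" -f $pfx.OtherCertificates.Count

if ($pfx.OtherCertificates.Count -eq 0) {
    Write-Warning 'No CA certificates in the PFX; Notes will reject the import. Re-export with -ChainOption BuildChain.'
}

# Without the private key the certificate can neither sign nor decrypt S/MIME mail,
# so an export that silently dropped it is useless for the Notes ID.
if (-not ($pfx.EndEntityCertificates | Where-Object { $_.HasPrivateKey })) {
    Write-Warning 'PFX contains no private key; the key must have been marked exportable when the certificate was requested.'
}
```

The password protects the private key inside the file, so treat JohnCert.pfx like the Notes ID itself: copy it to the Notes client, import it, and delete it rather than leaving it in a shared folder.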

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 9

Open your Notes Client

File

Security

User Security

Input your password

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 10

Expand Your Identity

Your Certificates

Your Internet Certificates

Get Certificates

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 11

Select Import Internet Certificates

Browse to the .pfx file you just exported.

Click Open

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 12

Select PKCS 12 encoded

Click Continue

Input the password used when you exported the key.

Click OK

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 13

Review the certificates contained in the file and select Accept All.

Appendix 3
Export an X.509 Certificate from your browser and Import into your Notes ID 14

Input your Notes password

Click Log In

Click OK