
I used the make_certs.cmd from Domino App Dev Pack 1.0.12-2786. I have 3 questions.

  1. Why didn't I get the output ca.seq file?

  2. The .pem files were converted by myself; should I use the serverkey.pem and servercrt.pem to import into the Proton server?

  3. Should I create the users called proton-server, app1, app2, iamclientforproton?

    @echo off
    setlocal

    if "%OPENSSL_CONF%"=="" (
        echo OPENSSL_CONF is required for openSSL on Windows.
        exit /B 1
    )

    @REM CUSTOMIZE: Change the parameters here

    @REM The subject name of the root certificate.
    SET ROOT_SUBJECT=/O=Org/CN=OrgCA
    @REM The number of days the root certificate will be valid.
    SET ROOT_VALIDITY=3650
    @REM The password to create and access the root certificate.
    SET ROOT_PASSWORD=pass:xxxxxxxxxx
    @REM Number of days leaf certificate(s) will be valid.
    SET LEAF_VALIDITY=365
    @REM The password to create and access the leaf certificate(s).
    SET LEAF_PASSWORD=pass:xxxxxxxxxx

    call :create_root || exit /B 1

    @REM CUSTOMIZE: Change the list of certificates to create and their attributes.
    @REM Parameters to create_leaf: "file-name" "subject-name" "optional-subject-alternate-names"
    @REM call :create_leaf server "/O=Org/CN=admin" "DNS:serv.org.com" || exit /B 1
    call :create_leaf server "/O=Org/CN=proton-server" "DNS:domino1.serv.org.com" || exit /B 1
    call :create_leaf app1 "/O=Org/CN=app1" "" || exit /B 1
    call :create_leaf app2 "/O=Org/CN=app2" "" || exit /B 1
    @REM CUSTOMIZE: Change the list of certificates to create and their attributes.
    @REM Parameters to create_leaf: "file-name" "subject-name" "optional-subject-alternate-names"
    REM call :create_leaf server1 "/O=Org/CN=admn" "DNS:domino1.serv.org.com" || exit /B 1
    REM call :create_leaf server2 "/O=Org/CN=a" "DNS:domino2.serv.org.com" || exit /B 1
    call :create_leaf iamapp "/O=Org/CN=iamclientforproton" "DNS:auth.serv.org.com" || exit /B 1
    REM call :create_leaf finapp "/O=Org/OU=Apps/CN=finapp" "" || exit /B 1
    REM call :create_leaf salesapp "/O=Org/OU=Apps/CN=salesapp" "" || exit /B 1
    REM call :create_leaf hrapp "/O=Org/OU=Apps/CN=hrapp" "" || exit /B 1
    REM call :create_leaf storeapp "/O=OrgS/OU=Apps/CN=storeapp" "" || exit /B 1

    @REM Show details for certificates
    for /r %%v in (*.crt) do (call :show_cert %%v || exit /B 1)
    exit /B 0

    :show_cert
    echo on
    openssl x509 -in "%1" -text -noout -certopt no_pubkey,no_sigdump || exit /b 1
    @echo off
    exit /b 0

    :log
    echo.
    echo.
    echo %*
    pause
    exit /b 0

    @REM Creates CA cert and private key
    :create_root
    set LOG=CREATE_ROOT:
    if exist ca.key echo ca.key already exists, skipping&exit /B 0
    if exist ca.crt echo ca.crt already exists, skipping&exit /B 0

    call :log %LOG% Generate ROOT private key
    echo on
    openssl genrsa -passout "%ROOT_PASSWORD%" -des3 -out ca.key 4096 || exit /B 1
    @echo off

    call :log %LOG% Generate ROOT self-signed certificate
    echo on
    openssl req -passin "%ROOT_PASSWORD%" -new -x509 -days %ROOT_VALIDITY% -key ca.key -out ca.crt -subj "%ROOT_SUBJECT%" -sha256 || exit /B 1
    @echo off

    exit /B 0

    @REM Creates certs using the CA and ca private key as signer
    @REM Three parameters:
    @REM Name - Name given to the certificate and private key file
    @REM Subject - Subject used in the certificate.
    @REM SANS - Subject Alternate Name which is domain name used for TLS host verification.
    :create_leaf
    set LOG=CREATE_LEAF:
    set NAME=%~1
    set SUBJ=%~2
    set SANS=%~3

    if exist %NAME%.key echo %NAME%.key already exists, skipping&exit /B 0
    if exist %NAME%.crt echo %NAME%.crt already exists, skipping&exit /B 0

    call :log %LOG% Generate %NAME%.key
    echo on
    openssl genrsa -passout "%LEAF_PASSWORD%" -des3 -out %NAME%.key 4096 || exit /B 1
    @echo off

    call :log %LOG% Generate Certificate Sign Request - CSR
    echo on
    openssl req -passin "%LEAF_PASSWORD%" -new -key %NAME%.key -out %NAME%.csr -subj "%SUBJ%" -sha256 || exit /B 1
    @echo off

    if "%SANS%" == "" (call :SIGN_NOSANS || exit /b 1) else (call :SIGN_WITHSANS || exit /b 1)

    call :log %LOG% Remove passphrase from Key
    echo on
    openssl rsa -passin "%LEAF_PASSWORD%" -in %NAME%.key -out %NAME%.key || exit /B 1
    @echo off

    call :log %LOG% Remove CSR
    del %NAME%.csr
    exit /B 0

    :SIGN_WITHSANS
    @REM Create a config file to pass the SAN extension
    call :log %LOG% Create signed certificate (WITHSANS)
    echo subjectAltName=%SANS% > %NAME%sans.cfg
    echo on
    openssl x509 -passin "%ROOT_PASSWORD%" -req -days %LEAF_VALIDITY% -in %NAME%.csr -CA ca.crt -CAkey ca.key -out %NAME%.crt -CAcreateserial -CAserial ca.seq -extfile %NAME%sans.cfg || exit /B 1
    @echo off
    del %NAME%sans.cfg
    exit /b 0

    :SIGN_NOSANS
    call :log %LOG% Create signed certificate (NOSANS)
    echo on
    openssl x509 -passin "%ROOT_PASSWORD%" -req -days %LEAF_VALIDITY% -in %NAME%.csr -CA ca.crt -CAkey ca.key -out %NAME%.crt -CAcreateserial -CAserial ca.seq || exit /B 1
    @echo off
    exit /b 0

The result file of make_certs.cmd

Cora Kwok
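The script above writes the leaf certificate's subject alternative names into `%NAME%sans.cfg` as a single `subjectAltName=DNS:...` line, and the comment on the script says the SAN is what a TLS client uses for host verification. The following is an added example, not code from the question, the answer, or the Domino App Dev Pack: it parses that extfile line and checks a hostname against the DNS entries the way a hostname-verifying TLS client does (case-insensitive, label by label, a `*` allowed only as the whole leftmost label and matching exactly one label). The hostnames `serv.org.com` and `domino1.serv.org.com` come from the question; the function names and the wildcard sample are my own assumptions.

```python
"""Hostname-against-SAN check for the extfile that make_certs.cmd writes.

Added example; not part of the question or the Domino App Dev Pack script.
"""

import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_san_extfile(text: str) -> dict:
    """Parse the 'subjectAltName=DNS:a,DNS:b,IP:1.2.3.4' line that the
    script's :SIGN_WITHSANS writes to %NAME%sans.cfg.

    Returns {"DNS": [...], "IP": [...]}; other SAN kinds are rejected.
    """
    line = next(
        (l for l in text.splitlines() if l.strip().startswith("subjectAltName=")),
        None,
    )
    if line is None:
        raise ValueError("no subjectAltName line in extfile")
    sans = {"DNS": [], "IP": []}
    value = line.split("=", 1)[1].strip()  # the script leaves a trailing space
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        kind, _, name = entry.partition(":")
        if kind not in sans or not name:
            raise ValueError(f"unsupported SAN entry: {entry!r}")
        sans[kind].append(name)
    return sans


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching of one DNS SAN against a hostname.

    - case-insensitive, trailing dot ignored, same number of labels required
    - '*' is accepted only as the entire leftmost label of a pattern with at
      least three labels, and it matches exactly one label (so *.serv.org.com
      matches domino1.serv.org.com but neither serv.org.com nor a.b.serv.org.com)
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if p == "*":
            if i != 0 or not _LABEL.match(h):
                return False
        elif "*" in p or p != h:
            return False
    return True


def hostname_covered(extfile_text: str, hostname: str) -> bool:
    """True if the hostname matches at least one DNS SAN in the extfile."""
    sans = parse_san_extfile(extfile_text)
    return any(dns_name_matches(p, hostname) for p in sans["DNS"])


# Constructed extfile contents. SERVER_SANS mirrors what the script's
# 'call :create_leaf server ... "DNS:domino1.serv.org.com"' line produces;
# WILDCARD_SANS is an assumed variant for illustration.
SERVER_SANS = "subjectAltName=DNS:domino1.serv.org.com \n"
WILDCARD_SANS = "subjectAltName=DNS:*.serv.org.com,DNS:serv.org.com\n"

if __name__ == "__main__":
    for host in ("domino1.serv.org.com", "serv.org.com", "a.b.serv.org.com"):
        print(
            f"{host:22s} server cert: {hostname_covered(SERVER_SANS, host)!s:5s} "
            f"wildcard cert: {hostname_covered(WILDCARD_SANS, host)}"
        )
```

Run as a script it shows that the `server` certificate generated by the question's script covers `domino1.serv.org.com` only; a client that verifies hostnames would reject it for `serv.org.com`. Note that `openssl s_client` does not check the hostname at all unless asked to (for example with `-verify_hostname`), so a `verify return:1` from it only says the chain to `ca.crt` is valid.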

1 Answer

I think I need to ask you to open a ticket with support so we can go over each of these questions. I generally don't mind helping people on SO, but it bypasses our ability to see how many people use our product. There are also quite a few questions here and I want to make sure we get you working properly.

Can you open a support case?

ddumont

  • Sorry, I cannot. Using the verification scripts with the ca.crt gives the following error:

        C:\Certs>openssl s_client -connect serv.org.com:3003 --quiet -CAfile C:\Certs\ca.crt
        depth=1 O = Org, CN = OrgCA
        verify return:1
        depth=0 O = Org, CN = proton-server
        verify return:1
        58150000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl\record\rec_layer_s3.c:309:

    – Cora Kwok Jul 06 '22 at 04:21