Creating SSL certificates for Domino Web servers is easy, especially for
self-certified certificates:
- Create a database from the "StdNotes50SSLAdmin" template (certsrv.ntf),
- open it,
- click on "Create Key Ring with Self-Certified Certificate",
- fill out the form,
- copy the created files to the Domino server and
- finally update the server document to point to your files.
That's it.
Self-certified SSL certificates are cheap (no costs besides your time),
but cannot be verified using the known and trusted root certificates of
companies like Verisign. Therefore, this kind of SSL certificate is most
often used for internal Web servers only, but with Lotus Notes Traveler,
these certificates have seen a renaissance.
But there is one problem: these certificates are valid for only one year
from the date of their creation, with no configuration setting or option to
change this, nor a way to extend the validity of existing ones.
This means that if you use a self-certified SSL certificate for your Lotus
Notes Traveler server, you have to replace it year after year, and each
Traveler user gets a warning every time.
But as (nearly) always with Lotus Notes and Domino, there is a way to
accomplish this task...
When you look at the code behind the "Create Key Ring with Self-Certified
Certificate" button in the "CertAdminCreateKeyringWithSelfCert" form, you'll
find that the critical piece of code is hidden in a C function called
ProcessSecurityCmd in the dmsecadm.dll:
"CertAdminCreateKeyringWithSelfCert" form with button
    Declare Function ProcessSecurityCmd Lib "_dmsecadm" _
        (Byval cmdName As String, Byval cmdArgs As LMBCS String, _
         Byval OutBuf As String, Byval szOutBuf As Integer) As Integer
I haven't found any documentation about this function, not even about this
DLL file. All arguments for this function are collected into one string:
cmdArgs.
After a deep dive into the DLL file using Strings, I found a good candidate
for a parameter which could be used to set the validity of the certificate
in days: ValidDays
Thus I simply tried to add this parameter to the cmdArgs string:
Modification of the button's code
I added the following code just below the initialization of cmdArgs:
    '<modified author="Thomas Bahn <tbahn@assono.de>" timestamp="2012-07-31"
    ' description="change how long the certificate is valid (in days); 7305 means: 20 years">
    CmdArgs = CmdArgs & "ValidDays=7305;"
    '</modified>
For testing, I just set the validity to 7305 days, that is 20 years. But you
could easily add a field to the form and use its current value instead.
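One way to do that, as an added example that is not part of the certsrv.ntf template: the number of days comes from a hypothetical editable field named "ValidDays" on the form, is validated, and only then appended to cmdArgs; an empty or invalid entry leaves cmdArgs untouched so the template's one-year default applies. It assumes the button's Click code already holds the command string in cmdArgs and a NotesUIDocument for the form in uidoc.

```lotusscript
' Added example (not from the certsrv.ntf template).
' Place this Function in the button's (Declarations) section.
' Returns the "ValidDays=N;" fragment for a valid entry, or an empty
' string so that the template's default (one year) stays in effect.
Function BuildValidDaysArg(fieldValue As String) As String
    Dim txt As String
    Dim days As Long
    BuildValidDaysArg = ""
    txt = Trim(fieldValue)
    ' Only a positive whole number of days is accepted; anything else
    ' (empty, text, negative, fractional) is rejected rather than passed
    ' on to ProcessSecurityCmd with unknown effect.
    If txt = "" Then Exit Function
    If Not IsNumeric(txt) Then Exit Function
    If InStr(txt, ".") > 0 Or InStr(txt, ",") > 0 Then Exit Function
    days = CLng(txt)
    If days < 1 Then Exit Function
    BuildValidDaysArg = "ValidDays=" & CStr(days) & ";"
End Function

' In the button's Click event, just below the initialization of cmdArgs.
' uidoc (NotesUIDocument) and the field name "ValidDays" are assumptions.
Dim validArg As String
validArg = BuildValidDaysArg(uidoc.FieldGetText("ValidDays"))
If validArg = "" Then
    Messagebox "ValidDays is empty or invalid; the certificate will be " & _
        "valid for one year (template default).", 48, "Create Key Ring"
Else
    cmdArgs = cmdArgs & validArg
End If
```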
Then I created a new key ring:
The end date shown in the dialog box is misleading: it is always a year from
today, regardless of the ValidDays value, because the field's value formula
is @Adjust(@Today;1;0;0;0;0;0):
To check the created certificate,
- navigate to "View & Edit Key Rings",
- click on "Select Key Ring to Display",
- enter the file name of your key ring file,
- enter the password and
- open the Site Certificates - KeyPair document.
Now you can verify that the certificate is valid for 20 years: