Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Which type of internet CA and certificates are you using in test and production?

Daniel Nashed  22 January 2022 11:44:50
As you might now I looked into many different CAs for testing and mostly use Let's Encrypt and other ACME based certs for production.
With ACME the type of certificates has dramatically changed.

For testing I built my own CA based on OpenSSL C code just to understand how it works.
There are other CAs like HashiCorp or the SmallStep CA.
Many of those CAs can be used as Sub-CAs in a corporate environments.

So for example you could use the SmallStep CA to distribute certs using the ACME protocol.

Is this something you are using today? Or are you using the more classical approach to use a CA from Microsoft as part of your AD?


e-mail CSR test lab offering

For test environments I have created my own lab CA to use e-mail to receive CSRs.
It's based on a pre-delivery agent requesting the certificate via HTTPS using the Lotus Script HTTP class to request a cert from my CA service using the native based OpenSSL code.
If anyone is interested to test manual flows for CertMgr, I can provide an e-mail CSR services for test lab environments with my own service.

It was also the perfect CA to use for the lab we setup in the DNUG CertMgr and certificates workshop.
I can't give away the CA itself. But there are many others to look into, which make more sense to use.


Your feedback

But I would also like to understand what you are using today in your environment for corporate certificates and also external trusted certificates.

Which internal CA do you use and how does the flow look like to get certificates?


Here are two references for CAs I am using in my lab and I have blogged about earlier.
And I am also adding an example certificate from my lab CA. I am using ECDSA with NIST-P521 and SHA512 signatures.
Also to test out if all of the software I am using fully supports ECDSA certs.

HashiCorp

https://www.hashicorp.com/products/vault

SmallStep CA

https://smallstep.com/acme-registration-authority/


Example Certificate

The signature for the leaf itself is still SHA-256 for now.

#0
Subject    : DE/NRW/Hilden/NashCom/IT/notes.nashcom.de
SAN        : *.nashcom.loc
Issuer     : X2 Server MiniCA/DominoLab

Not Before : 2022.01.13 21:09:44
Not After  : 2023.01.14 21:09:44 (expires in 357.0 days)

Serial     : 08EA0B176C796E5B4671015625F96979
Sign Alg   : ecdsa-with-SHA256
KeyUsage   : DigitalSignature
Extensions : KeyUsage, ExtKeyUsage
ExtKeyUsage: TLS Web Client Authentication, TLS Web Server Authentication
Key        : ECDSA NIST P-521
ASN1 OID   : secp521r1


AuthKeyId  : 88:B3:3A:E1:0B:FA:A7:6A:47:C5:BB:BF:0C:F0:71:ED:E4:3D:9D:E7
SubjKeyId  : 9D:6E:92:5C:AD:88:8D:49:A7:C9:5B:09:89:B5:02:33:6E:7D:7C:86
MD5        : C0:6A:F3:88:63:81:10:C2:B2:01:5D:EF:A8:D6:C3:F5
SHA1       : 87:D3:27:F1:8F:D7:9A:5F:EE:D8:39:D0:20:10:8D:B6:07:72:EC:B3
SHA256     : AB:E7:8D:AD:A9:99:B0:C9:27:4F:18:82:69:33:E9:DF:B3:34:B3:66:5C:D6:29:3E:F1:B3:86:C9:27:FD:E0:E1

-----BEGIN CERTIFICATE-----
MIICpzCCAgmgAwIBAgIQCOoLF2x5bltGcQFWJflpeTAKBggqhkjOPQQDAjAvMRkw
FwYDVQQDDBBYMiBTZXJ2ZXIgTWluaUNBMRIwEAYDVQQKDAlEb21pbm9MYWIwHhcN
MjIwMTEzMjEwOTQ0WhcNMjMwMTE0MjEwOTQ0WjBmMQswCQYDVQQGEwJERTEMMAoG
A1UECAwDTlJXMQ8wDQYDVQQHDAZIaWxkZW4xEDAOBgNVBAoMB05hc2hDb20xCzAJ
BgNVBAsMAklUMRkwFwYDVQQDDBBub3Rlcy5uYXNoY29tLmRlMIGbMBAGByqGSM49
AgEGBSuBBAAjA4GGAAQBIF7mICl23KzG8xJB4vcaeCMvPLDCjZH/d2FBRghm9+xB
v3cbwEczNqB0bLWbzS8EqcrlLc3Ijhtq5IHthAAUTo4BqcqSSN21R/8WCjrwHz24
p/1u8JMwLXqeGlysTLdT4RyciAIwgvE5nuTblgIfmS+HNUwCjzKt+TQ8rsuthXgW
xo2jgYwwgYkwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB
/wQEAwIFoDAdBgNVHQ4EFgQUnW6SXK2IjUmnyVsJibUCM259fIYwHwYDVR0jBBgw
FoAUiLM64Qv6p2pHxbu/DPBx7eQ9necwGAYDVR0RBBEwD4INKi5uYXNoY29tLmxv
YzAKBggqhkjOPQQDAgOBiwAwgYcCQTXhCQ+OIqcpCRgyBmt/QYfbGiOVRyWdSnke
2PZRL01xsUPdICamsm99BshH2/u3vH1VtLpa924uSr4JupgkW+SnAkIAzvV5fU0/
PE6GFj81B7PU5qvSPvSsVDQpiQzVTcQ8xqXNj7oICFbMTqkP5KZ4vgzw7xHK528q
ytPx5NGq7Nk76b4=
-----END CERTIFICATE-----

#1
Subject    : X2 Server MiniCA/DominoLab
Issuer     : MiniCA-EC521/DominoLab

Not Before : 2021.07.26 05:31:28
Not After  : 2031.07.27 05:31:28 (expires in 9.5 years)

Serial     : 52C00B80CF7996CC5903A8CEB5B28A66
Sign Alg   : ecdsa-with-SHA512
KeyUsage   : CrlSign
Extensions : BasicConstraints, CA, KeyUsage
Key        : ECDSA NIST P-521
ASN1 OID   : secp521r1


AuthKeyId  : B3:C7:6D:6D:91:00:2A:EC:9D:3A:7A:06:46:6B:93:91:36:75:39:D0
SubjKeyId  : 88:B3:3A:E1:0B:FA:A7:6A:47:C5:BB:BF:0C:F0:71:ED:E4:3D:9D:E7
MD5        : 80:FF:91:E2:91:78:21:A4:D8:9F:4A:82:26:99:BF:CA
SHA1       : 3D:88:6E:18:03:F3:49:EC:51:BB:30:6D:06:A9:C1:7F:F6:60:CF:D7
SHA256     : B9:CD:37:F7:26:F8:8B:29:ED:7A:AD:84:A9:51:C0:D9:36:DE:17:CE:20:48:44:BB:CC:3F:82:F9:C9:E9:10:1D

-----BEGIN CERTIFICATE-----
MIICQzCCAaSgAwIBAgIQUsALgM95lsxZA6jOtbKKZjAKBggqhkjOPQQDBDArMRUw
EwYDVQQDDAxNaW5pQ0EtRUM1MjExEjAQBgNVBAoMCURvbWlub0xhYjAeFw0yMTA3
MjYwNTMxMjhaFw0zMTA3MjcwNTMxMjhaMC8xGTAXBgNVBAMMEFgyIFNlcnZlciBN
aW5pQ0ExEjAQBgNVBAoMCURvbWlub0xhYjCBmzAQBgcqhkjOPQIBBgUrgQQAIwOB
hgAEAMxHJRWA3lvRLvLS8BN5KceJbTG2ZaUyYsLwPSRyaBidO5UvlMNWYrc6zW4J
aitaAfTcJ4NRNsp9Dmg/tHN7uKUlAMBbN9u1u6ceI4dC+7KJJOwQe5oDQO7eRwLH
eSCQPlcfpTRZDmW14GcqPDi+AhAY6oI360H2sFIk6F2XynOhl83Po2MwYTAOBgNV
HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUiLM64Qv6p2pH
xbu/DPBx7eQ9necwHwYDVR0jBBgwFoAUs8dtbZEAKuydOnoGRmuTkTZ1OdAwCgYI
KoZIzj0EAwQDgYwAMIGIAkIBQU4r/BW8S8KKCHQthgIF29/UIz7f9Sbbps+k9TH/
V8cFiRkwX4/ILMmMqF/1YS1VOozGUKkJhPDWxQFC9QtL0IgCQgE85CqBtW3w3Gna
Swj7ousWo5wpH/jszDBVLG85+hdURJShPg6bMT/LAm7JD+djiPCdscsB3f+Qb7l8
5kizTqIwgA==
-----END CERTIFICATE-----

#2
Root       : MiniCA-EC521/DominoLab
Not Before : 2021.07.25 21:51:05
Not After  : 2031.07.26 21:51:05 (expires in 9.5 years)

Serial     : 50206CAFF845BDD08D4ABE6FBFCD2BAC
Sign Alg   : ecdsa-with-SHA512
KeyUsage   : CrlSign
Extensions : BasicConstraints, CA, SelfSigned, KeyUsage
Key        : ECDSA NIST P-521
ASN1 OID   : secp521r1


SubjKeyId  : B3:C7:6D:6D:91:00:2A:EC:9D:3A:7A:06:46:6B:93:91:36:75:39:D0
MD5        : F8:44:85:17:76:24:D1:E6:E9:BF:52:2D:86:86:00:66
SHA1       : 62:82:D0:D2:55:D0:36:36:6C:74:0D:10:BA:EC:02:D8:54:AF:2E:5E
SHA256     : 27:AB:C6:0C:CD:19:C1:5F:BA:8C:4F:FF:C4:28:8F:96:F8:D2:D7:62:FF:F7:D6:35:B1:EE:3F:EA:65:5E:D5:C0

-----BEGIN CERTIFICATE-----
MIICHTCCAX+gAwIBAgIQUCBsr/hFvdCNSr5vv80rrDAKBggqhkjOPQQDBDArMRUw
EwYDVQQDDAxNaW5pQ0EtRUM1MjExEjAQBgNVBAoMCURvbWlub0xhYjAeFw0yMTA3
MjUyMTUxMDVaFw0zMTA3MjYyMTUxMDVaMCsxFTATBgNVBAMMDE1pbmlDQS1FQzUy
MTESMBAGA1UECgwJRG9taW5vTGFiMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA
lrz/VRwjX4boxQblNcT078oNr1Fc013lw26FDSQNaKTdCa0ZyqKZeKGDF1QU35Av
rDxXSq8ye774BSjjaxe7H2EBn+oYQd2vVyYtZ45/neREkUVMJzEsnMBzhmuB4OfE
D8oUZh/SQSmDiwMXNuuphPaMEqgxs2oUZ+QJeQkgmGyiDgKjQjBAMA4GA1UdDwEB
/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSzx21tkQAq7J06egZG
a5ORNnU50DAKBggqhkjOPQQDBAOBiwAwgYcCQgErm7b8JJr9SXMUqf9DxmHAUUH/
4RMXmzFUqAcQC3Q28vdiXrEp6jqoZsnkAJ7emWuwfazRcYQEwztEWfaYFGprAwJB
QLv/YMYBAWMzSoYmHSKNwQS5Uvs57nZtJLrFH19hVcQvI2OUqbuZ0hXdFy0ty6hx
CCzGtxuYgTFDUzkohRWx7lU=
-----END CERTIFICATE-----

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]