How to import a signed wildcard Certificate into Lotus Domino?

Lately I wanted to install a wildcard certifcate that I had ordered at
Thawte, which works perfectly fine for e.g. Apache, Postfix and cyrrus IMAP
into Lotus Domino 8.5. Turns out, this is not just a piece of cake.
Although there is an import function within the
“Server Certificate Admin”, it was giving me a hell to get it running,
so I considered to write this little Howto.

Even IBM Support suggested to create a new Certificate Request -
but Thawte would have charged us for that one and I did not like
the idea to pay twice for the same service…

Ok, let’s get going…

At first you need to create your keyring file by opening the
“Server Certificate Admin” Database (certsrv.nfs) within
the Lotus Notes Client (not the Administrator Client).
It creates (per default) a file called keyfile.kyr and -very important-
keyfile.sth (this is needed later on, when the SSL-services starts,
it reads out the scrambled passphrase for the keyring file from here).

You need to enter some basic information about your site, like the
location of the keyring file (on your clients file system), key size,
common name organisation etc… When you are finished hit the
“Create Key Ring” Button.

Now you need to install the Root Certificate from you CA (in my case Thawte)
as “Trusted Root Certificate” into the keyring (unless it’s already there),
because otherwise it would not let you import the actual Certificate.
As you can see, I used the Base64 encoded Cert and pasted it via the Clipboard.

Note: the Root Certificates for Thawte can be found here:
http://www.thawte.com/roots/

If you now look at “View & Edit Keyrings” you can see your freshly imported
Root Cert:

The keyring file is prepared now and ready to get the actual cert imported.

Now look for some computer with openssl installed (Linux just ships with it),
you need it to convert you cert into the .p12 format like:

openssl pkcs12 -export -out <new_key_pair_filename>.p12 -inkey
<private_key_filename>.key -in <certificate_filename>.crt

Of course we need the new_key_file.p12 (dont’ forget the export password,
you will need that later).

Next, you want to install IBM’s IKEYMAN tool on some machine.
It has certain OS requirements – I got it running  within a WinXP VM.
Copy your keyfile.kyr and new_key_file.p12 onto that machine.

Start IKEYMAN and open the keyfile.kyr. With “Personal Certificates”
selected, click on “Import” and choose your freshly created
new_key_file.p12 and save:

Copy your freshly updated keyring.kyr and keyring.sth (from the very
beginning) into the data directory of your Lotus Domino server.
Open the Server Configuration Document within the Lotus Administrator.
Go to “Ports”->”Internet Ports”-”SSL key file name”.
Enter the name of your freshly updated copied keyfile.kyr and you’re all set.

Good Luck.

Uninstall Lotus Notes 8.5 from Mac OSX

At some point I wanted to completely erase and reinstall my Lotus Notes 8.5 installation.
Turns out, that dragging the app into the Trash is not enough – the user preferences are still kept.
But finally I found help in the IBM-Documentation-Jungle:

You can uninstall IBM^® Lotus^® Notes^® by dragging Notes.app from /Applications to the trash. This preserves user data. You can also uninstall Notes using the uninstaller application supplied with the Notes install media. This preserves user data. As well, you can also uninstall Notes by dragging the following items to the Apple^® Mac OS X^® trash bin:

• Notes.app
• ~/Library/Application Support/Lotus Notes Data folder (”~” = user’s home directory)
• ~/Library/Preferences/Notes Preferences
  • /Library/Receipts/Lotus Notes Installer.pkg
  • /Library/Receipts/xpdcoreinstaller.pkg

Note To reinstall after uninstalling, you may also need to delete the following items prior to reinstalling Notes:

Note If you installed the Notes basic configuration, rather than the standard configuration, you can uninstall the Notes basic configuration by dragging Notes.app from /Applications to the trash. This preserves user data. You can also uninstall Notes by dragging the following items to the Mac OS X trash bin:

• /Applications/Notes.app
• ~/Library/Application Support/Lotus Notes Data folder (”~” = user’s home directory)
• ~/Library/Preferences/Notes Preferences
• /Library/Receipts/Lotus Notes Installer.pkg

That did the trick for me.
Next time I started the installer, it had forgotten everything and started from scratch:

Lotus Notes – Blessing or Curse?

Ok. They did it. After one year of spending heaps of time in endless meetings, they finally
chose Lotus Notes Domino to be _the_ groupware application in my company.
And guess what – I’m one of the guys who will be responsible for implementing it.

*Sigh.*

I have really mixed emotions concerning this decision.
on one hand the whole domino package is supposed to provide all these neat features like:

• native rich clients (not only for Windows but) for MAC OSX and Linux as well
• fail over redundancy at application level – if one server crashes – no problem – 5 others are already waiting and the best: the user does not even realize
• working sync support for various mobile devices “over the air” – no more: “My phone does not sync with my laptop, Please help.”

on the other hand

• the client is so cumbersome (especially on older systems)  and hungry for resources, that I’ve already heard many of my users claiming that they would not use such a “monster” just for entering a single appointment
• IBM officially supports Ubuntu only, on the Linux side
• you can not connect iCal or Thunderbird lightning or Evolution just like that to it (yes, we _are_ a general store in terms of supported OS’s)
• last but not least it puzzles me to see those Louts-hate-posts out there like:
  http://lotusnotessucks.4t.com/
  http://www.guardian.co.uk/technology/2006/feb/09/guardianweeklytechnologysection

The good news is, that the these posts are from 2006 – so hopefully IBM did their home work in between and we will see a happy ending
for my users…