How to get around Unrecognized Certificate Authority signature on Domino 9.0.1 with Go Daddy SSL

Tags: godaddy, ibm-domino, ssl-certificate

I am a part-time administrator, at best, so I only get to do these things once every 2-3 years.

I am reinstalling a Linux server that worked in 8.5.2. The SSL certificate is from GoDaddy. I have created the keyfile.kyr 1/2 dozen times without success. Following the instructions in the Domino Admin Help I

  1. create the key ring
  2. create a Request for "an SSL server certificate from the CA"
  3. At the Go Daddy site I access my SSL certificates and use the "Re-Key" option to create the request with the SHA-2 signature algorithm and the Go Daddy issuing organization
  4. Within a few minutes the download is available, which I download. This download contains two files: gd_bundle-g2-g1.crt and 2b026decb857de.crt
  5. Next I attempt to "Merge the CA certificate(s) as a trusted root into the server key ring file" from the gd_bundle-g2-g1.crt file. There are three certificates, which have varying levels of success…

The first certificate in the file is for the common name "Go Daddy Root Certificate Authority – G2". The attempt to merge it gets the result: "Certificate signature does not match contents"

The second certificate in the file is for the common name "Go Daddy Secure Certificate Authority – G2". The attempt to merge it gets the result: "Cannot find certificate issuer among trusted roots"

The third certificate in the file is for the common name "Go Daddy Root". The attempt to merge it succeeds.

Regardless of the order of these activities the errors persist on the first two.

When I attempt the next step of "Installing the certificate into the key ring" I get the message "Unrecognized Certificate Authority signature" which allows me to optionally merge the certificate anyhow. But using the certificate merged in this fashion results in the web site not being verified and the SSL lock is replaced by an exception exclamation point.

I have tried several of the other .crt files from Go Daddy available here: https://certs.godaddy.com/anonymous/repository.pki with no more success.

Thanks in advance for your ideas on this.

Best Answer

The problem is that when you renewed the certificate, you accepted the default encryption method of SHA2, which is not supported properly yet. Needed to switch it to SHA1. SHA1 used to be the default but has recently changed. Something to be aware of going forward.

By default, GoDaddy now issues certificates in the higher new format. You can re-issue the cert at GoDaddy and choose SHA1.
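As an added example (not from the question or the answer), a POSIX shell script that splits a PEM bundle such as gd_bundle-g2-g1.crt into one file per certificate and, using openssl, prints each certificate's subject, issuer and signature algorithm, so you can see which chain members are SHA-2 signed before merging them into the key ring one at a time. The bundle path and output directory are assumed command-line arguments.

```shell
#!/bin/sh
# Split a PEM bundle (e.g. gd_bundle-g2-g1.crt) into cert-01.pem, cert-02.pem, ...
# Prints the number of certificates written.
split_pem_bundle() {   # usage: split_pem_bundle bundle.crt outdir
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1
        }
        inside { print > out }               # copy only lines inside a block
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Report "subject | issuer | signature algorithm" for one PEM certificate.
# The algorithm line tells you whether the cert is SHA-1 or SHA-2 signed
# (sha1WithRSAEncryption vs. sha256WithRSAEncryption).
describe_cert() {      # usage: describe_cert cert.pem
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    alg=$(openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }')
    printf '%s | %s | %s\n' "$subj" "$iss" "$alg"
}

# Stand-alone usage (assumed arguments): sh inspect_bundle.sh gd_bundle-g2-g1.crt ./split
if [ -n "$1" ]; then
    dir="${2:-./split}"
    count=$(split_pem_bundle "$1" "$dir")
    echo "wrote $count certificate(s) to $dir"
    for f in "$dir"/cert-*.pem; do
        printf '%s: ' "$f"; describe_cert "$f"
    done
fi
```

Merge the certificates into the key ring in the order the report shows them chaining (root first, then the intermediate that it issued), and compare the algorithm column against what your Domino release accepts.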