After some MAJOR headaches, I was able to renew my SSL certificate. Not only did I run into the dreaded 2048 encryption strength (which the 7.x csrv50.ntf doesn't support) but also the MD5 crap! (Most require SHA-1)
Unbelievable, right? Jeez. But have no fear. I have it figured out with a bunch of help from this article:
The only difference between this article and what I actually did is that I used a -sha1 switch on one of the openssl statements and submitted the CSR to Verisign. Other than that, the steps are pretty much the same. But here they are simplified. And I sure hope you have a Linux server :) If not, I don't have a good solution. Also, keep in mind: I am not a Linux admin at all and have no real experience with SSL. I am a programmer. So, some of the below terminology may not be correct.
1. Login to your Linux server console.
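2. Issue this command: openssl genrsa -des3 -out serverName.key 2048. Enter a passphrase.
3. OK. Now, you should have a serverName.key in your home directory.
4. Now, issue this command: openssl req -new -sha1 -key serverName.key -out serverName.csr. Enter the passphrase. (The -sha1 switch goes on this command: genrsa only generates the key and has no digest option, while req applies the hash when it signs the CSR.)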
5. Enter your CSR information for renewal (i.e. country, etc.)
6. Now, open up the serverName.csr file (In your home directory) and paste into Verisign's CSR request (or other 3rd party, I guess...Assuming it will work the same)
7. Get back your certificate, and create a serverName.crt file with the contents. Copy up to your home directory.
8. Now, issue this command: openssl pkcs12 -export -in serverName.crt -inkey serverName.key -out serverName.p12. Enter the passphrase.
9. Now, download this (from the article): ftp://ftp.software.ibm.com/software/lotus/tools/Domino/gsk5-ikeyman.zip
   I tried Windows 7 to no avail. But it worked on XP. I know. Yet another hoop.
10. Extract the file. Start a DOS prompt. Change directory to the extracted file directory.
11. Run gskregmod.bat Add (make sure Add is in proper case)
12. Now, type runikeyman.bat
13. Open your serverName.kyr file from your server. (I would recommend copying it down first and backing up the good one) Enter your passphrase.
14. Now, click 'Export/Import'. Select 'Import Key' and browse to serverName.p12. Type in your passphrase
15. Close ikeyMan, and copy the serverName.kyr and serverName.sth files back up to your server. This should do it!
** NOTE: No need to open Server Certificate Admin. The CSR you would generate there is no good (because it uses MD5) and, on Domino 7.x, there is no 2048 option. You can, of course, download the Domino 8.x template, but it still signs the CSR using MD5 **
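An added example, not from the original post or the linked article: a shell check to run on serverName.csr before step 6, confirming that the key is at least 2048 bits and that the CSR is not signed with MD5, the two problems described above. The function names are hypothetical, and the sample text is a constructed, abridged excerpt of `openssl req -noout -text` output.

```shell
#!/bin/sh
# check_csr_text: reads `openssl req -noout -text` output on stdin,
# prints one verdict line, returns 0 if acceptable and 1 if not.
check_csr_text() {
    text=$(cat)
    # Key size line: "Public-Key: (2048 bit)"; older builds print "RSA Public Key: (...)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # Signature algorithm, e.g. sha1WithRSAEncryption or md5WithRSAEncryption.
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ -z "$sig" ]; then
        echo "REJECT: could not parse CSR text"; return 1
    fi
    if [ "$bits" -lt 2048 ]; then
        echo "REJECT: $bits-bit key (need 2048 or more)"; return 1
    fi
    case "$sig" in
        md5*|MD5*) echo "REJECT: signed with $sig"; return 1 ;;
    esac
    echo "OK: $bits-bit key, $sig"
}

# check_csr FILE: decode a PEM CSR with openssl and apply the checks above.
# If openssl cannot read the file, the text is empty and the CSR is rejected.
check_csr() {
    openssl req -in "$1" -noout -text 2>/dev/null | check_csr_text
}

# Constructed sample: what an MD5-signed 2048-bit CSR looks like to the check.
SAMPLE_MD5='Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, O=Example, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: md5WithRSAEncryption'
printf '%s\n' "$SAMPLE_MD5" | check_csr_text || true
```

On the Linux server, `check_csr serverName.csr` gives the same verdict for the real file from step 4.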