With the new way of creating SSL certificates for Domino, a new opportunity occurred to me, and it actually worked great. Because we create the certificates using OpenSSL, the generated key and certificate can also be used on the same server to set up an FTPS server. Sadly, the Domino FTP server on OpenNTF.org doesn't support FTPS, so I used the FileZilla server instead; the setup was super simple.
Run the setup
Go into Settings and enable FTP over SSL, then select your .key file and the certificate file you got back from your certifier. Also check the other option to force all connections to the server to use FTPS.
And now you have an FTPS server that can deliver external content to your Domino server. The last thing you need to set up is the users and groups that should be able to connect to the server.
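A client-side counterpart to the FileZilla setup above, added here as an example (not code from the original post or from the FileZilla project): it connects to an FTPS server with Python's standard `ftplib` and `ssl`, verifies the server certificate against a CA bundle, refuses anything older than TLS 1.2, and encrypts the data channel as well as the control channel. The host, port, user and `cafile` values are assumptions; point `cafile` at the PEM bundle of the certifier that signed your server certificate, or leave it `None` to use the system trust store.

```python
import ssl
from ftplib import FTP_TLS


def make_ftps_context(cafile=None):
    """Build a hardened TLS context for an FTPS (FTP over TLS) client.

    cafile: PEM bundle of the CA that signed the server certificate
            (assumption: None falls back to the system trust store).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    # Refuse SSL3, TLS 1.0 and TLS 1.1 outright; only TLS 1.2+ is negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Verify the certificate chain and that the name on it matches the host.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_policy(ctx):
    """Summarise the security-relevant settings of a context (for checks/tests)."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
    }


def ftps_list(host, user, password, port=21, cafile=None, timeout=10):
    """Log in over explicit FTPS and return the directory listing.

    The TCP connection starts in plain text, is upgraded with AUTH TLS before
    any credentials are sent, and the data channel is protected with PROT P.
    """
    ctx = make_ftps_context(cafile)
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()                 # AUTH TLS: upgrade the control channel first
    ftps.login(user, password)  # credentials only travel over TLS
    ftps.prot_p()               # PROT P: encrypt the data channel too
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    # Hypothetical values; replace with your own server and CA bundle.
    print(context_policy(make_ftps_context()))
    # print(ftps_list("ftps.example.invalid", "user", "secret",
    #                 cafile="/path/to/certifier-ca.pem"))
```

Because `check_hostname` and `CERT_REQUIRED` are set, a server presenting a self-signed or mismatched certificate is rejected before the password is sent, which is exactly the check you want once the server runs with a certificate from a real certifier.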
Update: Paul Farris commented that this is an SSL-based FTP server, not an SSH-based one, so the correct name is FTPS, not SFTP.
Hi Fredrik, thanks, but this is an FTPS server (FTP over SSL), not SFTP. SFTP is FTP over SSH, which FileZilla Server does not support.
I see, I actually didn't know that there was a difference. Now I know, thanks for the update.
That’s always a fun distinction to try to make extremely clear when talking to clients about file transfers. They’re both fine, but entirely different in implementation!
Actually what I meant was that you can reuse the certificate in the filezilla server.
To be honest, it is not a good idea to use Domino's HTTPS anymore to the web. Domino downgrades this to SSL3 (POODLE bug) and there are, AFAIK, no plans to upgrade to TLS.
There is a huge problem now that admins are rolling out policies disabling SSL3 on the browsers, totally killing access to Domino hosted websites. We rushed in haproxy as a front end and ditched the archaic keyring format while we were at it.
You can do the same (but only on Windows servers) installing IHS straight from the Domino install CD.
First, this solution doesn't use the Domino HTTP engine. Second, it's secure to use the HTTP engine because IBM does take security seriously, and Domino does have support for TLS:
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
Well, you have to admit implementing TLS 1.0 (!) in November 2014 is seriously late to the game. And I am not being argumentative. And this comes from a true Domino fan.
Fredrik, I think your item started off with starting a certificate chain with OpenSSL with the intention of moving to FTP, but ALSO to a keyring. You even called it a Domino certificate in the title? Am I wrong in understanding that you really did mean moving the resulting keyring file to the Domino HTTP engine?