Lotus Domino LDAP SSL certificate issue

2008/03/20

in Identity and Access

While trying to set up a Lotus Domino 6.5.x server to use LDAP over SSL, it appears that it does not support a 4096-bit key length.

When you try to import the root certificate into the Domino key ring, you receive the error "Certificate Signature does not match Certificate Content".

Fortunately for me, a friend of mine had mentioned this exact same problem, which he faced on a client's site months ago, and it stuck in my brain. You can find the KB article on IBM's web site:

So, if you have a 4096-bit root certificate, you will not be able to use it for SSL on Domino 6 and 7. If you upgrade to 8, this will be possible. Unfortunately it seems that many shops may not have made the jump to 7, and may be waiting on 8 for a while.

So SSL is not possible for LDAP communication if you are using such a key length, which means these applications could be a security concern, since they would be passing clear-text information over the wire.

In all fairness, Domino 6.5 has been around since 2003, but I can't believe this is something that could not be fixed with a patch or hot fix, as it could be a security issue. Instead it takes a complete upgrade of the Domino environment, which could yield more problems and take much more time and effort just to be secure with regard to LDAP. I am told it might be related to out-of-date RSA libraries, with updated ones not included until Domino 8.

A workaround is to purchase third-party certificates from Verisign, whose root certificates should already be trusted by the Domino client. This does increase the cost, but it could be cheaper than having to upgrade your Domino environment.
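A pre-flight check for the key length problem described above, added here as an example that is not from the original post or from IBM: it parses a PEM chain, reports each certificate's RSA modulus size, and flags the 4096-bit keys that Domino 6.x/7 cannot import into its key ring. The constructed self-signed roots are sample input only, and treating keys larger than 4096 bits as equally unsupported is an assumption of this example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// RSAKeyBits maps each certificate's CN in a PEM chain to its RSA modulus size in bits (0 if not RSA).
func RSAKeyBits(pemData []byte) (map[string]int, error) {
	out := map[string]int{}
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		bits := 0
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			bits = pub.N.BitLen()
		}
		out[cert.Subject.CommonName] = bits
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in input")
	}
	return out, nil
}
// DominoImportOK: the post says Domino 6.x/7 rejects a 4096-bit root; larger keys are assumed to fail too.
func DominoImportOK(bits int) bool { return bits < 4096 }
// SelfSignedRootPEM builds a constructed self-signed CA cert of the given RSA size as sample input (not a real root).
func SelfSignedRootPEM(cn string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Run RSAKeyBits over the PEM you intend to import into the key ring; any entry for which DominoImportOK returns false is the certificate that will produce the signature-mismatch error on Domino 6.x/7.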

Recommended Reading:

LDAP over SSL/TLS: How secure is your Directory?


Hello friends,
I came to know that GeoTrust slashed the price on TrueBusiness ID with EV to $149/year.
It's a great deal to get a certificate at a very low price!
2 Years @ $149.00/yr. [RRP: $1,573.00] You Save 81%.
So just go for it!
You can collect more information from: http://blogs.thesslstore.com/ or https://www.thesslstore.com/geotrust/true-busines...

Hey, you know that theSSLstore.com is running a special on VeriSign Secure Site Pro with EV for only $899? I've just received an email from them.

They are not publishing this offer on their site, so, use promo code VSSPEV02 to redeem.
The link to redeem is http://www.thesslstore.com/VSSPEV/

RE: Lotus Domino LDAP SSL certificate issue
Pingback from LDAP over SSL/TLS: How secure is your Directory? : JefTek.com

Trackbacks

  1. [...] Lotus Domino SSL issue with using 4096bit certificates for SSL Technorati Tags: Active Directory, Security, SSL, LDAP, Certificate [...]