Hi there,

Having posted a course on how to set up the AppDevPack with the fantastic Mr. Graham Acres has led to more and more questions and help requests.

One aspect that keeps re-occurring is confusion about SSL certificates: which one is used by which part of the system, and what the requirements for each are.

Therefore, I added the following charts:

Card 1: Certs for PROTON Server Tasks
- Certificate, Key-File and KYR-File
- Self Signed CA
- SSL encryption for gRPC communication between domino-db, IAM and the PROTON task on the Domino server. KYR file needed.
- Use the make_xxxx scripts in the AppDevPack documentation to create the CA and the certificates needed, as well as the KYR file for the Proton task on your Domino server.
- Joint CA for PROTON SSL certificates and application certificates (trust chain)

Card 2: Certs for IAM Server
- Certificate, Key-File
- Used in Browser
- These certs are the ones for the IAM frontend, used to create apps and settings for IAM, as well as for the OAuth endpoints.
- Browser-trusted CA (e.g. Let's Encrypt), or self signed and imported into the browser

Card 3: IAMAccessor Proton app
- Certificate, Key-File
- SELF SIGNED CA, SAME AS PROTON SERVER
- These certs are used by IAM to access its applications (dbs) on the Domino server using domino-db and Proton. Use the same CA you used for the Proton server certificate. Create a new user on Domino (iamaccessor) and import the *.crt file as Internet Certificate.
- Joint CA for PROTON SSL certificates and application certificates (trust chain)

Card 4: Proton Applications
- Certificate, Key-File
- SELF SIGNED CA, SAME AS PROTON SERVER
- These certs are used by your Node.js app to access databases on the Domino server using domino-db and Proton. Use the same CA you used for the Proton server certificate. Create new users on Domino (the samples are app1 and app2) and import the corresponding *.crt file as Internet Certificate.
- Joint CA for PROTON SSL certificates and application certificates (trust chain)

Card 5: Node.js Application, Web Server
- Certificate, Key-File
- Public or Self Signed
- These certs are used by your Node.js app to be accessed securely by a client application, and also in conjunction with IAM, to be accessed by authorization calls and redirects from IAM.
- Root cert must be available to IAM in /config/certs/ca


         

 



Here's what that looks like:

[Image: Due to some confusion - SSL Certs and the Domino AppDevPack]

Hope this helps to clarify what is used when and where.

In case you are German-speaking and would like to know how to set up a self-signed CA using OpenSSL, follow the article series on Assono's blog:


https://www.assono.de/blog/neue-artikelserie-eigene-mehrstufige-zertifizierungsstelle-aufsetzen-mit-openssl

Cheers,

Heiko.

Heiko Voigt | 10 August 2020 14:29:26 | Domino, domino-db