HCL Notes Crash While Importing PKCS12 Database to the HCL Domino Certificate Manager

While I was working with HCL Domino Certificate Manager (CertMgr), which, by the way, is awesome, I encountered an issue that caused HCL Notes to crash.

Namely, the import of a seemingly valid PFX file (a PKCS12 database, downloaded directly from the customer’s TLS provider’s site) caused HCL Notes to crash, after which the certificates and the private key contained in the file were not imported. I could reproduce the issue with the same PFX file in multiple environments running HCL Domino 12.0.2 FPx, HCL Notes 12.0.2 as well as HCL Notes 14.0.

Upon closer inspection of the PFX file using OpenSSL, I found that the Message Authentication Code (MAC), which verifies and protects the integrity of the PKCS12 database, was missing. This can be observed by issuing the following OpenSSL command:

openssl pkcs12 -in testNoMac.pfx -passin pass:testNoMac -passout pass:testNoMac -info

The output of the command, using OpenSSL version 3.1.2:

Warning: MAC is absent!
PKCS7 Data
Certificate bag
Bag Attributes
localKeyID: 24 FB 6A AF B8 E6 C7 73 F1 F0 71 EF E7 7E 6D 79 14 A7 B4 07
subject=CN = site.server.com
issuer=C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIE9DCCA9ygAwIBAgISBCP4MnSnMtntgtWJ9eTtay33MA0GCSqGSIb3DQEBCwUA

Looking into the matter a little further, I was able to produce PKCS12 databases without a MAC using OpenSSL, for testing purposes, by adding the “-nomac” switch, for example:

openssl pkcs12 -export -out testNoMac.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -nomac

Note: I don’t know why you would want to produce a PKCS12 database without a MAC; if you know of a valid use case for doing so, please let me know.

Every PKCS12 database I’ve produced with the “-nomac” switch would successfully crash HCL Notes. 🙂
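As an added example that is not part of the original post: a small pre-import check that parses only the outer PFX structure and reports whether the optional MacData element is present, so a file like testNoMac.pfx can be rejected before it ever reaches the Notes client. The sample PFX byte strings are constructed inline with placeholder digest and salt values (structurally valid, not a real MAC); no MAC verification or decryption is performed and no third-party library is needed.

```python
# Added example, not code from the original post: a pre-import check that parses the
# outer PKCS#12 structure and reports whether the optional MacData element is present.
# PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, macData MacData OPTIONAL }

def _read_tlv(data: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real PFX files use this)
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def pfx_has_mac(der: bytes) -> bool:
    """True if the PFX carries MacData, False if the MAC is absent (as with -nomac)."""
    tag, pos, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE (PEM input or truncated file?)")
    children = []
    while pos < end:                        # collect the top-level elements of the PFX
        t, start, stop = _read_tlv(der, pos)
        children.append((t, der[start:stop]))
        pos = stop
    if len(children) < 2 or children[0][0] != 0x02 or children[1][0] != 0x30:
        raise ValueError("expected INTEGER version followed by authSafe SEQUENCE")
    if int.from_bytes(children[0][1], "big") != 3:
        raise ValueError("unsupported PFX version")
    return len(children) >= 3 and children[2][0] == 0x30

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

# Constructed samples (hypothetical, structure only): an authSafe ContentInfo carrying
# id-data with a dummy payload, and a MacData with all-zero digest/salt placeholders.
ID_DATA = bytes.fromhex("06092a864886f70d010701")          # OID id-data
AUTH_SAFE = _der(0x30, ID_DATA + _der(0xA0, _der(0x04, b"\x30\x00")))
SHA256_ALG = _der(0x30, bytes.fromhex("0609608648016503040201") + b"\x05\x00")
MAC_DATA = _der(0x30, _der(0x30, SHA256_ALG + _der(0x04, b"\x00" * 32))
                + _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00"))
PFX_WITH_MAC = _der(0x30, _der(0x02, b"\x03") + AUTH_SAFE + MAC_DATA)
PFX_NO_MAC = _der(0x30, _der(0x02, b"\x03") + AUTH_SAFE)  # shape of "-nomac" output

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print("MAC present" if pfx_has_mac(f.read()) else "MAC absent: do not import")
```

Run it as `python check_pfx_mac.py testNoMac.pfx` (script name assumed) and refuse the import when it reports the MAC as absent.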

As a workaround, I imported the needed certificates and the private key in PEM format, which is also accepted by the HCL Domino Certificate Manager.

This issue is currently being investigated and, at the time of writing, I don’t have information about which component of the HCL Notes client is causing the crash. I hope this saves you some time if you encounter the same issue.

UPDATE: In the meantime, it has been verified that the missing MAC in the PKCS12 database is what causes HCL Notes to crash. This issue has been reported and is tracked under SPR # DNADD46LU5.