
IBM How to set up SSL using a third-party Certificate Authority (CA)... http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21268695 (printed 13/11/2014 19:53)

How to set up SSL using a third-party Certificate Authority (CA)
Technote (FAQ)
Question
You have decided to use a third-party certificate authority such as Verisign, Entrust, or Thawte for SSL setup on a
Lotus Domino server. What steps do you take to do so?

Answer
For detailed information, you can refer to the topic "Setting up SSL on a Domino server" in the Domino Administrator
Help. This document provides the required steps and some screen captures to help you complete the SSL setup when
you decide to use a third-party certificate authority (CA).
To begin, use a Lotus Notes client (not the Domino Administrator client) to open the Server Certificate Admin database,
which should be created by default when you set up the server. However, should you need to create this database, use
the "Server Certificate Admin" (csrv50.ntf) template when doing so. You may need to select "Show advanced templates"
in order to find this template when creating the database.
NOTE: There is a known issue where some users receive the error "Invalid or nonexistent document" when using the
server replica of the Server Certificate Admin database. To correct the problem, create a local replica of this database
and continue using the local replica when setting up SSL. For additional information, refer to Technote 1106171.
When you open the Server Certificate Administration database, you see the following steps listed:
(1) Create Key Ring
(2) Create Certificate Request
(3) Install Trusted Root Certificate into Key Ring
(4) Install Certificate into Key Ring
Remaining steps
Additional references

Step 1: Create key ring


In this step, you create the SSL key ring file and password files needed to set up SSL on your Domino server. Domino
creates a *.kyr SSL key ring file and also an *.sth file that contains the password for the associated .kyr file. Both files
are needed to set up SSL on your Domino server. The .kyr and .sth files are created locally on the workstation being
used at the time of the keyfile creation.
When you select Create Key Ring, a form appears. Most of the fields in this section are fairly self-explanatory.
Important: You must ensure that the host name in the "Common Name" field of Step 1 matches the host name in the URL of
the Web site for which you are setting up SSL. For example, if you are setting up SSL for www.ibm.com, then you need to
put "www.ibm.com" in the "Common Name" field. Do not include "http://" or "https://" in this field, as those prefixes are
the protocol used to access the Domino Web server, not part of the host name.
Example screen capture of Create Key Ring step:

Once you fill in the form, you click Create Key Ring to complete this step.
Step 2: Create certificate request

Step 2 creates the site certificate request that you send to your third-party Certificate Authority (CA). To create your SSL
certificate request, perform the following steps:
a. Click "Create Certificate Request" from the main screen in the Server Certificate Admin database.

b. In the form that appears, confirm that the "Key Ring File Name" field is pointing to the local .kyr file.
c. Choose the method by which you will be sending the certificate request to your CA (such as e-mail or pasting into a
form on your CA's website).
d. Click the "Create Certificate Request" button. You see a screen titled "Certificate Request Created."
Screen capture of Certificate Request Created:

e. Copy the certificate request, including the BEGIN and END lines, to the clipboard. Send your request to the Certificate
Authority in e-mail or by pasting the information into a form on your CA's Web site.
Note: You need to leave the .kyr and .sth files in your Notes client data directory in order to install the CA's trusted root
certificate in Step 3 (if necessary) and the stamped site certificate you will receive from your CA in Step 4 later.
Step 3: Install trusted root certificate into key ring
Performing Step 3 to install the trusted root certificate into your key ring file may not be necessary depending on whom
you chose as your CA. Domino already includes trusted root certificates for some of the more popular certification
authorities such as Verisign and Entrust. Because CAs generally have multiple trusted root certificates for various
purposes, you need to verify the specific trusted root certificate that your CA used when "stamping" your site certificate
request. If you are unsure as to what specific trusted root certificate was used by your CA, contact your CA to determine
this information.
Once you have determined the trusted root used for your site certificate, you can see if your CA's trusted root is already
included in Domino. To do so, select "View & Edit Key Rings" in the Server Certificate Admin database, which will show
the following view:
Screen capture of "View & Edit Key Rings":

If your CA's trusted root is included in this list, then proceed to Step 4.
If your CA's trusted root is not included in this list, then complete Step 3 before installing the stamped certificate in Step 4.
You will not be able to install your site certificate in Step 4 if the necessary trusted root certificate is not present
in the SSL key ring file: when the site certificate is installed in Step 4, Domino checks that the trusted root certificate of
its issuing CA is already present before proceeding with the installation.
To proceed with Step 3, you need to find out the specific trusted root certificate used by your CA for stamping your site
certificate, and then obtain it from your CA. Most CAs make their trusted root certificates available for download on their
Web site. You can also e-mail your CA for a copy of the trusted root should you not find the trusted root certificate you
need on your CA's Web site.
In certain cases, some CAs also use an intermediate certificate in addition to the CA's trusted root certificate. This
intermediate certificate must be installed after the CA's trusted root certificate in Step 3 but before the installation of the
site certificate in Step 4. You can contact your CA to find out if you will need an intermediate certificate from them as
well.
If you need to complete Step 3 for your configuration, follow the detailed steps in "Merging a CA certificate as a trusted
root" in the Domino Administrator Help.
Step 4: Install certificate into key ring

In this step, you install the site certificate you received from your CA. The site certificate arrives either as plain text in an
e-mail or as a .cer file. To install it, perform the following steps:
a. Select Step 4: "Install Certificate into Key Ring" in the Server Certificate Admin database.
b. Select the certificate source (file or clipboard) and either (1) provide the .cer file name or (2) paste the stamped
certificate into the "Certificate from Clipboard" field. Note that a pasted site certificate must include the "Begin
Certificate" and "End Certificate" lines.
c. Click the "Merge Certificate into Key Ring" button.
Screen capture of completed "Install Certificate into Key Ring" form:

A message displays showing that you have successfully installed your SSL site certificate.
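Steps 2 and 4 both depend on the pasted text carrying complete BEGIN/END lines, and a CA reply often bundles the intermediate and the site certificate that Steps 3 and 4 merge separately. The following added Python example (not code from the technote or from Domino) pre-checks such a paste: it splits the PEM blocks, tolerates e-mail line wrapping, tells requests from certificates, and reports the truncated or damaged pastes the forms reject. The sample CA reply is constructed with placeholder payloads, not real certificates.

```python
import base64
import re

# One PEM block; re.S lets the body span lines, and the \s* on each side of it
# tolerates the blank lines and trailing spaces that mail clients add.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)
# Step 2 yields a request for the CA; Steps 3 and 4 merge one certificate each.
REQUEST_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

def split_pem_blocks(text):
    """Return [(label, der_bytes)] per complete PEM block, or raise ValueError for
    a paste the forms reject: no BEGIN/END lines, a BEGIN without its END
    (truncated copy), mismatched labels, or base64 damaged in transit."""
    begins = text.count("-----BEGIN ")
    if begins == 0:
        raise ValueError("no BEGIN line: copy the block with its BEGIN and END lines")
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        begin_label, body, end_label = match.groups()
        if begin_label != end_label:
            raise ValueError(f"BEGIN {begin_label} is closed by END {end_label}")
        body = re.sub(r"\s+", "", body)  # undo line wrapping and stray spaces
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{begin_label} body is not valid base64: {exc}") from None
        blocks.append((begin_label, der))
    if len(blocks) != begins:
        raise ValueError("a BEGIN line has no matching END line (truncated paste)")
    return blocks

def describe_paste(text):
    """Count requests and certificates in a paste, or report why it is unusable."""
    try:
        labels = [label for label, _ in split_pem_blocks(text)]
    except ValueError as exc:
        return {"error": str(exc)}
    return {"requests": sum(x in REQUEST_LABELS for x in labels),
            "certificates": labels.count("CERTIFICATE")}

def pem_block(label, payload):
    """Build a constructed PEM block, wrapped and space-padded like mail output."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 16] + "  " for i in range(0, len(body), 16)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed sample CA reply (placeholder payloads, not DER): intermediate, then site cert.
SAMPLE_CA_REPLY = ("Your certificates follow.\n\n" + pem_block("CERTIFICATE", b"constructed intermediate")
                   + "\n" + pem_block("CERTIFICATE", b"constructed site certificate"))
```

Each block returned by split_pem_blocks can then be re-encoded and merged on its own: the trusted root and intermediate in Step 3, the site certificate in Step 4.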
Remaining steps
After completing these four steps in the Server Certificate Admin database, complete the SSL setup on your Domino
Web server with these steps:
1. Copy or FTP the local SSL key ring files (.kyr and .sth) from your Notes client data directory into the Domino server's
data directory.
2. Set the appropriate permissions on the SSL key ring files to ensure the Domino server can access the files. For
Windows, the proper permissions are usually set automatically when copying/pasting the files to the server. For
IBM i/OS400, the file owner should be set to QNOTES. For UNIX, set the file ownership to the same user ID that
owns all other Domino server files.
3. Update the Server document to begin using the new SSL key ring file, using the method appropriate for your web
server configuration. (To tell whether you are using Internet Site documents, open the Server document to the Basics tab
and check the value of the field "Load Internet configurations from Server\Internet Sites documents". If this is set to
Enabled, you are using Internet Site documents, which are found in the Domino Directory under Configuration - Web -
Internet Sites.)
a. If you are not using Internet Site documents, go to "Ports -> Internet Ports" in the Server
document. Enter the SSL key ring file name in the "SSL key file name" field.
Screen capture of SSL settings in Server document:

b. If you are using Internet Site documents, go to the "Security" tab in the respective Internet Site
document for which the SSL key ring file was created and update the "Key file name" field.
4. Ensure that your server's SSL port status is set to "Enabled" in the Server document under "Ports -> Internet Ports ->
Web".
5. Restart the HTTP task by issuing the command "tell http restart" on the Domino server console.
6. To test, access the Web site with the new SSL certificate using a Web browser. If you are using Internet Explorer, you
can double-click the padlock on the lower-right corner to display the SSL certificate information.
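Step 2 of the remaining steps (file ownership on UNIX) can be verified before restarting the HTTP task. The following added Python example, not from the technote, checks that both key ring files are present in the Domino data directory and owned by the same user as the directory itself; it additionally assumes, beyond what the technote states, that the .sth file should not be accessible to group or others because it holds the key ring password. The sample data directory is constructed in a temporary location with placeholder files.

```python
import os
import stat
import tempfile

# Added example, not from the technote. Assumptions: the Domino server files
# share the owner of the data directory itself, and the .sth file (it holds
# the key ring password) should not be accessible to group or others.

def check_key_ring_files(data_dir, keyring="keyfile"):
    """Return the problems found with <keyring>.kyr and <keyring>.sth in data_dir."""
    problems = []
    expected_uid = os.stat(data_dir).st_uid
    for ext in (".kyr", ".sth"):
        name = keyring + ext
        path = os.path.join(data_dir, name)
        if not os.path.exists(path):
            problems.append(f"{name}: missing, copy it from the Notes client data directory")
            continue
        st = os.stat(path)
        if st.st_uid != expected_uid:
            problems.append(f"{name}: owned by uid {st.st_uid}, data directory owner is {expected_uid}")
        if ext == ".sth" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{name}: password file is accessible to group or others")
    return problems

def build_sample_data_dir(with_sth=True, sth_mode=0o644):
    """Constructed sample data directory holding placeholder key ring files."""
    data_dir = tempfile.mkdtemp(prefix="domino-data-")
    kyr = os.path.join(data_dir, "keyfile.kyr")
    with open(kyr, "wb") as f:
        f.write(b"placeholder key ring, not a real .kyr")
    os.chmod(kyr, 0o600)
    if with_sth:
        sth = os.path.join(data_dir, "keyfile.sth")
        with open(sth, "wb") as f:
            f.write(b"placeholder password file, not a real .sth")
        os.chmod(sth, sth_mode)
    return data_dir

if __name__ == "__main__":
    # Run against the constructed directory; point data_dir at the real one in use.
    for problem in check_key_ring_files(build_sample_data_dir()):
        print(problem)
```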
Additional references

The following technotes describe common SSL setup problems or other general information:
Quick guide to setting up SSL using Domino as the Certificate Authority (# 1114148)
How to renew an SSL certificate stamped by a third-party Certificate Authority (# 1210804)
Error 'Invalid keyfile accessed' when installing third-party SSL site certificate (# 1252789)
Error: 'Invalid or nonexistent document' when using Server Certificate Admin database (# 1106171)
What is a Trusted Root? (# 1093167)
Using Starfield Technologies or GoDaddy.com as a Trusted Root for SSL (# 1171707)
Unable to Merge VeriSign Certificate into Domino SSL Keyring File (# 1138507)

Related information
A simplified Chinese translation is available

Document information
More support for: IBM Domino, Web Server
Software version: 6.0, 6.5, 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 1268695
Modified date: 2014-09-05
