How to set up SSL using a third-party Certificate Authority (CA)

You have decided to use a third-party certificate authority such as Verisign, Entrust, or Thawte for SSL setup on a Lotus® Domino® server. What steps do you take to do so?

Solution:

For detailed information, you can refer to the topic "Setting up SSL on a Domino server" in the Domino Administrator Help. This document provides the required steps and some screen captures to help you complete the SSL setup when you decide to use a third-party certificate authority (CA). To begin, use a Lotus Notes client (not the Domino Administrator client) to open the Server Certificate Admin database, which should be created by default when you set up the server. However, should you need to create this database, use the "Server Certificate Admin" (csrv50.ntf) template when doing so. You may need to select "Show advanced templates" in order to find this template when creating the database. NOTE: There is a known issue where some users receive the error "Invalid or nonexistent document" when using the server replica of the Server Certificate Admin database. To correct the problem, create a local replica of this database and continue using the local replica when setting up SSL. For additional information, refer to Technote 1106171 . When you open the Server Certificate Administration database, you see the following steps listed: (1) Create Key Ring (2) Create Certificate Request (3) Install Trusted Root Certificate into Key Ring (4) Install Certificate into Key Ring Remaining steps Additional references Step 1: Create key ring In this step, you create the SSL key ring file and password files needed to set up SSL on your Domino server. Domino creates a *.kyr SSL key ring file and also an *.sth file that contains the password for the associated .kyr file. Both files are needed to set up SSL on your Domino server. The .kyr and .sth files are created locally on the workstation being used at the time of the keyfile creation. When you select Create Key Ring, a form appears. Most of the fields in this section are fairly self-explanatory. Important: You must ensure that the host name in the "Common Name" section of Step 1 matches with the URL of the Web site for which you are setting up SSL. For example, if you are setting up SSL for www.ibm.com, then you need to put "www.ibm.com" in the "Common Name" field. Do not include "http://" or "https://" in this field, as those elements are the protocol used to access the Domino Web server. Example screen capture of Create Key Ring step: Once you fill in the form, you click Create Key Ring to complete this step. Back to top Step 2: Create certificate request Step 2 creates the site certificate request that you send to your third-party Certificate Authority (CA). To create your SSL certificate request, perform the following steps: a. Click "Create Certificate Request" from the main screen in the Server Certificate Admin database. b. In the form that appears, confirm that the "Key Ring File Name" field is pointing to the local .kyr file. c. Choose the method by which you will be sending the certificate request to your CA (such as e-mail or pasting into a form on your CA's website). d. Click the "Create Certificate Request" button. You see a screen titled "Certificate Request Created." Screen capture of Certificate Request Created: e. Copy the certificate request, including the BEGIN and END lines, to the clipboard. Send your request to the Certificate Authority in e-mail or by pasting the information into a form on your CA's Web site. Note: You need to leave the .kyr and .sth files in your Notes client data directory in order to install the CA's trusted root certificate in Step 3 (if necessary) and the stamped site certificate you will receive from your CA in Step 4 later. Back to top Step 3: Install trusted root certificate into key ring Performing Step 3 to install the trusted root certificate into your key ring file may not be necessary depending on whom you chose as your CA. Domino already includes trusted root certificates for some of the more popular certification authorities such as Verisign and Entrust. Because CA's generally have multiple trusted root certificates for various purposes, you need to verify the specific trusted root certificate that your CA used when "stamping" your site certificate request. If you are unsure as to what specific trusted root certificate was used by your CA, contact your CA to determine this information. Once you have determined the trusted root used for your site certificate, you can see if your CA's trusted root is already included in Domino. To do so, select "View & Edit Key Rings" in the Server Certificate Admin database, which will show the following view: Screen capture of "View & Edit Key Rings": If your CA's trusted root is included in this list, then proceed to Step 4. If your CA's trusted root is not included in this, then complete Step 3 before installing the stamped certificate in Step 4. You will not be able to install your site certificate in Step 4 if the necessary trusted root certificate is not present in the SSL key ring file. When the site certificate is installed in Step 4, Domino ensures that its CA's associated trusted root certificate is already present before proceeding with the installation. To proceed with Step 3, you need to find out the specific trusted root certificate used by your CA for stamping your site certificate, and then obtain it from your CA. Most CA's have their trusted root certificates available for download on their Web site. You can also e-mail your CA for a copy of the trusted root should you not find the trusted root certificate you need on your CA's Web site. In certain cases, some CA's also use an intermediate certificate in addition to the CA's trusted root certificate. This intermediate certificate must be installed after the CA's trusted root certificate in Step 3 but before the installation of the site certificate in Step 4. You can contact your CA to find out if you will need an intermediate certificate from them as well. If you need to complete Step 3 for your configuration, follow the detailed steps in "Merging a CA certificate as a trusted root " in the Domino Administrator Help. Back to top Step 4: Install certificate into key ring In this step, you install the site certificate you received from your CA. The site certificate format is either plain text in an e-mail or as a .cer file. To do this, perform the following steps: a. Select Step 4: "Install Certificate into Key Ring" in the Server Certificate Admin database. b. Select the certificate source (file or clipboard) and either (1) provide the .cer file name or (2) paste in the stamped certificate into the "Certificate from Clipboard" field. Note that a pasted site certificate must include the "Begin Certificate" and "End Certificate" lines. c. Click the "Merge Certificate into Key Ring" button. Screen capture of completed "Install Certificate into Key Ring" form: A message displays showing that you have successfully installed your SSL site certificate. Back to top Remaining steps After completing these four steps in the Server Certificate Admin database, complete the SSL setup on your Domino Web server with these steps: 1. Copy the local SSL key ring files (.kyr and .sth) from your Notes client data directory, and paste them into the Domino server's data directory. 2. Update the Server document to begin using the new SSL key ring file using the appropriate method: a. If you are not using Internet Site documents, go to "Ports -> Internet Ports" in the Server docment. Enter the SSL key ring file name in the "SSL key file name" field. Screen capture of SSL settings in Server document: b. If you are using Internet Site documents, go to the "Security" tab in the respective Internet Site document for which the SSL key ring file was created and update the "Key file name" field. 3. Ensure that your server's SSL port status is set to "Enabled" in the Server document under "Ports -> Internet Ports -> Web". 4. Restart the HTTP task by issuing the command "tell http restart" on the Domino server console. 5. To test, access the Web site with the new SSL certificate using a Web browser. If you are using Internet Explorer, you can double-click the padlock on the lower-right corner to display the SSL certificate information.