How to create SSL certificates for Lotus Domino

Since creating SSL certificates is not something you do on a day-to-day basis, it is worth writing the procedure down, especially because there are a few small traps that are easily forgotten two years later.

The creation of the key ring and the certificate request is done in the Server Certificate Admin database (certsrv.nsf), located in the root of the data directory of the Domino server.

After opening the database you are presented with four main options.

  1. Create Key ring – to create the key ring file
  2. Create Certificate Request – to create a certificate signing request to be submitted to the Certification Authority (CA) for signing
  3. Install Trusted Root Certificate into Key Ring – to add the root certificates of the Certification Authority to the key ring file
  4. Install Certificate Into Key Ring – to add the signed certificate into the key ring file

To create a new key ring file, select the first option. Creating the key file requires the information shown below. Please note that the Key Ring File Name is relative to the local workstation’s data directory, not to the data directory of the Domino server.

[Screenshot: Create key ring file]

Creating the key ring already generates the public/private key pair. The next step is to create a certificate request for the Certification Authority; the request can be submitted either by email or online on the CA’s web site.

[Screenshot: Submit Certification Request]

Once the CA has issued the certificate, by email or on the certifier’s web page, it can be merged into the key ring file. The Server Certificate Admin database already includes a set of intermediate certificates for the main Certification Authorities. If the CA of your choice is not included, or its certificate has already expired, import the certifier’s Trusted Root Certificate into the key ring file first.

Option four installs the signed certificate into the key ring file, either by copying and pasting it from the web site or email, or by importing it from a certificate file.

[Screenshot: Insert Signed Certificate]

Every access to the key ring file requires the key ring password, so keep it handy while working through the process.

Once the key ring file has been prepared following the three to four steps above and all certificates have been included, it is time to move it to the Lotus Domino server. Copy both keyfile.kyr and the corresponding keyfile.sth to the data directory of the Domino server. The .sth file is the stash file holding the key ring password, which the Domino HTTP task needs in order to open the key ring file; because it effectively contains that password, both files should be readable only by the account the Domino server runs under. If the server cannot access the stash file it raises the error message

HTTP Server: SSL Error: Keyring File access error, key ring file [keyfile.kyr], [Server]

Finally, the name of the key ring file must be entered in the server’s configuration document or in the Internet Site document, depending on how the Domino server is configured. Make sure SSL is enabled in the port configuration; otherwise no SSL connections can be made to the server.

After changing the key ring file name in the server configuration, the HTTP task must be reloaded; a restart of the whole Domino service is not necessary.
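As an added example (not part of the original post or of Domino itself), the following Python script performs the two checks an administrator wants before and after reloading the HTTP task: that keyfile.kyr and keyfile.sth are both present in the data directory and not readable by other accounts, and that the server then presents a certificate chain a standard client can verify. The data directory path, the `keyfile` base name and the host/port used in `probe_tls` are assumptions; `write_sample_keyring` creates constructed placeholder files for testing only.

```python
"""Pre-flight and post-reload checks for a Domino SSL key ring (added example)."""
import socket
import ssl
import stat
from pathlib import Path


def check_keyring(data_dir, name="keyfile"):
    """Return a list of problems with <name>.kyr / <name>.sth in data_dir.

    An empty list means the HTTP task should be able to open the key ring
    without the "Keyring File access error" message quoted above."""
    data_dir = Path(data_dir)
    problems = []
    kyr = data_dir / f"{name}.kyr"
    sth = data_dir / f"{name}.sth"
    if not kyr.is_file():
        problems.append(f"missing key ring file {kyr}")
    if not sth.is_file():
        # Without the stash file Domino cannot read the password and fails.
        problems.append(f"missing stash file {sth}")
    for path in (kyr, sth):
        if path.is_file():
            st = path.stat()
            if st.st_size == 0:
                problems.append(f"{path.name} is empty")
            # The stash file effectively holds the key ring password, so
            # neither file should be readable by group or other.
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{path.name} readable by group/other (mode {mode:04o})")
    return problems


def write_sample_keyring(data_dir, name="keyfile"):
    """Create constructed placeholder .kyr/.sth files (not real key rings)
    with owner-only permissions, for testing check_keyring."""
    data_dir = Path(data_dir)
    for suffix in (".kyr", ".sth"):
        path = data_dir / f"{name}{suffix}"
        path.write_bytes(b"placeholder")
        path.chmod(0o600)


def probe_tls(host, port=443, timeout=5.0):
    """Connect to the Domino HTTP task over TLS with the system trust store.
    Raises ssl.SSLCertVerificationError if the chain does not verify, which
    is what a missing intermediate/root certificate in the key ring causes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": dict(rdn[0] for rdn in cert["subject"]),
            "notAfter": cert["notAfter"]}
```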
