Lotus Domino Administrator 8 Help - Requesting an SSL server certificate

SECURITY

Requesting an SSL server certificate
When you request an SSL server certificate, you use Public-Key Cryptography Standards (PKCS) format, an industry-standard format that many CAs, including IBM® Lotus® Domino™, understand. Before you request a certificate from a third-party CA, make sure the CA uses the PKCS format, not some other format, such as Privacy-Enhanced Mail (PEM). If you are unsure of the format required by a third-party CA, check with that CA.

A certificate request is essentially certificate data that has not been signed by a CA. The CA turns the request into a certificate by signing it.

If you are requesting a server certificate from a server-based certification authority, you can use the IBM® Lotus® Notes® client to create the server key ring and the server certificate in the Certificate Requests database. You must be able to access the Domino server using the Lotus Notes client.

To request a server certificate using a Lotus Notes client

1. From the Lotus Notes client, open the Certificate Requests database for the certifier from which you want to request a server certificate.

2. Do the following to create a server key ring file to store the server certificate and merge the CA certificate as a trusted root into the server key ring file:

In the Certificate Requests database, choose Domino Keyring Management - Create Keyring.

In the Create Key Ring form, complete these fields:

Field	Action
File name	Enter a file name for the Key Ring file and keep the .kyr.
Password	Enter a password for the key ring file.
Key size	Choose a key size.
Common name	Enter the fully qualified host name -- for example, server.company.com.
Organization name	Enter the name of the certifier organization.
State or province	Enter the full name of the state or province in which the organization is located.
Country	Enter a two-letter abbreviation for the country in which the organization is located.

Verify the information in the "Key Ring Created" dialog box, then click OK to automatically add the CA as a trusted root and generate a certificate request for the server.
Verify the information in the "Merge Trusted Root Certificate Confirmation" dialog box and click OK.
Click OK when the "Certificate received into key ring and designated as trusted root" confirmation dialog box appears.
Click OK when the "Certificate Request Successfully Submitted for Key Ring" dialog box appears.

After an RA approves the request for a server certificate, the CA issues a server certificate and sends notification that you can pick up the certificate.

3. In the Issued/Rejected Certificates view, open the issued server request and copy the Request ID to the Clipboard.

4. Choose Domino Key Ring Management - Pickup Key Ring Certificate.

5. Enter the key ring file name and password, paste the pickup ID into the form and click Pickup Certificate.

6. Verify the information in the "Merge Signed Certificate Confirmation" dialog box and click OK.

7. When the "Certificate received into key ring" dialog box appears, click OK.

8. Copy or use FTP (in binary mode) to transfer the new key ring and its associated .STH file to the server's data directory.

From a Domino CA using a Web browser

This procedure for generating a server certificate request is the same regardless of whether you are requesting a server certificate from a Domino server-based certification authority or a Domino 5 certificate authority.

1. Make sure you already created the server key ring file and mapped a drive to the directory that contains the server key ring file.

2. From the Lotus Notes client, open the Domino Directory of the server on which you want to create SSL, and open the Server Certificate Admin application.

3. Click "Create Certificate Request."

4. Complete these fields:

Field Enter

Key Ring File Name The name of the server key ring file, including the path to the file

Log Certificate Request Choose one:

Yes (default) to log information in the Server Certificate Admin application
No to not log information

Method Choose Paste into form on CA's site

5. Click Create Certificate Request.

6. Enter the password for the server key ring file.

7. Copy the certificate request to the system Clipboard (include the Begin Certificate and End Certificate lines), and click OK.

8. On the server, use one of these methods to browse to the Domino certificate authority application (the Certificate Requests application for a server-based certification authority, and the Domino Certificate Authority for a Domino 5 Certificate Authority) on the Domino server's Web site:

If you use Microsoft® Internet Explorer, use SSL (HTTPS) to connect to the application. You need to trust server certificate in order to use SSL to access the server. To install (and trust) the server certificate, in the IE security alert dialog box click "View Certificate" - "Install Certificate," and follow the instructions. To trust all site certificates certified by a given CA, click "Accept this authority in your browser" before accessing the server with SSL. This option is available in both the Certificate Requests and Domino Certificate Authority applications.

9. Click "Request Server Certificate."

10. Enter your name, e-mail address, phone number, and any comments for the CA.

11. Paste the certificate request into the dialog box, and then click "Submit Certificate Request."

12. Merge the CA certificate as a trusted root.

From a third-party CA

1. Make sure you already created the server key ring file.

2. From the Lotus Notes client, open the Server Certificate Admin application on server for which you want to set up SSL.

3. Click "Create Certificate Request."

4. Complete these fields:

Field Enter

Key Ring File Name The name of the server key ring file including the path to the file

Log Certificate Request Choose one:

Yes (default) to log information in the Server Certificate Admin application
No to not log information

Method Choose one:

Paste into form on CA's site (recommended)
Send to CA by e-mail
Note You must choose the paste option to submit a request to VeriSign, which doesn't use PKCS format for requests sent by e-mail. If you choose "Send to CA by e-mail," enter the CA's e-mail address, and your e-mail address, phone number, and location.

5. Click "Create Certificate Request."

6. Enter the password for the server key ring file.

7. If you selected "Paste into form on CA's site" in Step 4, do the following:

Copy the certificate request to the system Clipboard (include the Begin Certificate and End Certificate lines).
Use a browser to visit the CA's site, and then follow the instructions that the CA's site provides for submitting a request for a new certificate.

8. Merge the CA certificate as a trusted root.

See also

Viewing requests for certificates

Setting up SSL on a Domino server

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Enter
Key Ring File Name	The name of the server key ring file, including the path to the file
Log Certificate Request	Choose one: Yes (default) to log information in the Server Certificate Admin application No to not log information
Method	Choose Paste into form on CA's site