For information on approving server certificate requests for Lotus Domino servers that are not CA servers, see the topic Signing server certificates.

To set up SSL on a server-based CA server

1. Create an Internet certifier.

2. Create the Certificate Requests application (CERTREQ.NSF).

3. Do the following to create a server key ring file to store the server certificate, and merge the CA certificate as a trusted root into the server key ring file:

1. In the Certificate Requests database, choose Domino Key Ring Management - Create Key Ring.
2. In the Create Key Ring form, complete these fields:

   Field	Action
   File name	Enter a file name for the Key Ring file and keep the .kyr.
   Password	Enter a password for the key ring file.
   Key size	Choose a key size.
   Common name	Enter the fully qualified host name -- for example, server.company.com.
   Organization name	Enter the name of the certifier organization.
   State or province	Enter the full name of the state or province in which the organization is located.
   Country	Enter a two-letter abbreviation for the country in which the organization is located.

3. Verify the information in the "Key Ring Created" dialog box, then click OK to add your CA as a trusted root and generate a certificate request for the server.
4. Verify the information in the "Merge Trusted Root Certificate Confirmation" dialog box and click OK.
5. When the "Certificate received into key ring and designated as trusted root" confirmation dialog box appears, click OK.
6. When the "Certificate Request Successfully Submitted for Key Ring" dialog box appears, click OK.
If you chose Automatic as the processing method used by the Certificate Requests database, continue with Step 5. If you chose Manual, then complete Steps 4 through 6.

1. In the Certificate Requests database, open the Submitted/Waiting for Approval view. If the request does not appear, press F9 to refresh the view.
2. If the request has been "Submitted to Administration Process," continue with Step 5. If the request is still Pending, highlight the request and click "Submit Selected Requests."
3. When you see "Successfully submitted 1 request(s) to the Administration Process," click OK.

1. Open the Administration Requests database (Admin4.nsf), and then open the Certification Authority Requests/Certificate Requests view and find the new request.
2. Open the request and verify the information in it.
3. Click Edit Request, then Approve Request. Press F9 until the request changes to "Issued."

1. Close the Administration Requests database and return to the Certificate Requests database.
2. Open the Pending/Submitted Certificates view and locate the request. If necessary, refresh the view.
3. If the certificate has not yet been issued, click "Pull Selected Request(s)."

1. Do one:
• Open the Administrator's mail file, locate and open a message with the subject "Your certificate request has been approved," and copy the pickup ID to the Clipboard.
• From the Certificate Requests database, open the Submitted/Accepted view, then open the issued server request and copy the "Request ID" to the clipboard.
1. In the Certificate Requests database, choose "Domino Key Ring Management," then "Pickup Key Ring Certificate."
2. Enter the key ring file name and password, paste the pickup ID into the form, and click Pickup Certificate.

1. When the "Merge Signed Certificate Confirmation" dialog box appears, verify the information and click OK.
2. When the "Certificate received into key ring" confirmation box appears, click OK.
3. Copy or use FTP (in binary mode) to transfer the new key ring file and its associated .sth file to the server's data directory.

1. In the Lotus Domino Directory, open the Server document. In the Ports/Internet Ports section, click Edit Server and enter the name of the new key ring file. (Do not include the full path to the key ring file. Specify only the file name.) Enable the "SSL Port Status" field and then click Save and Close.
Note As an optional step, while editing the Server document, enable "Session authentication" in the Internet Protocols/Domino Web Engine section. This ensures that HTTP sessions will time out in the number of minutes that are specified in the "Idle session timeout" field. The Maximum active sessions may also be specified.
1. If HTTP is already running, at the console type "te http restart" to enable SSL on the server.
2. To show SSL status and to verify that the HTTP server is listening on both 80 and 443, type "te http show security" at the server console.

1. Open a browser, and enter the URL of the server -- for example:
https://Server.Company.com/certreq.nsf
1. If the "New Site Certificate" dialog box appears, click Next.
2. Click More Info to verify the information, then click Next.
3. Decide whether or not to accept the new site certificate, and for how long, then click Next.
4. Decide whether or not you want to see a warning every time you access the new site, then click Next. When the dialog box appears, click Finish.

See also

Setting up SSL on a Domino server
Setting up SSL on the CA server

Glossary