How do I install an SSL certificate onto Lotus Domino 8.0 and lower?

Problem

How do I install an SSL certificate onto Lotus Domino 8.1 and lower?

Important Note

Due to requirements of the industry, it is no longer possible to apply for an intermediate certificate of small key sizes. The QuoVadis Issuing CA 2 certificate has also expired and has not been renewed. If you are using Lotus Domino 8.1 or below, you are strongly advised to upgrade or you may not be eligible to obtain a publicly trusted certificate from a Certificate Authority.

This KB article will be kept intact for informational purposes.

Retired Resolution

With older versions of IBM Lotus Domino, your SSL certificate may have to be installed under our QuoVadis Root Certification Authority. This is due to a key size issue known by IBM with our QuoVadis Root CA 2 certificate. The SSL certificate will install correctly; however, you can only apply for a business 1 year SSL. EV SSL is also not available.

Part I - Installing the Root Certificate

  1. First you must open the Domino Server Certificate Administration (certsrv.nsf).  You can do this by clicking on System Databases in the administration panel.  Once there, choose the option, open Domino Server Certificate Administration.

  2. Select the option, Install Trusted Root Certificate into Key Ring.

  3. In the Install Trusted Root Certificate window, enter the name of the key ring file that was created during the CSR generation process on this server.

  4. In the Certificate Source field, select option, Clipboard. In the Clipboard field, paste in the QuoVadis Root Certification Authority Certificate into the appropriate text entry field. The text for this certificate can be obtained from http://www.quovadisglobal.com/en-GB/QVRepository/DownloadRootsAndCRL/QuoVadisRootCA-PEM.aspx.

  5. Next, click on the Merge Trusted Root Certificate into Key Ring button.

  6. In the Install Trusted Root Certificate window, you will need to enter in the name of the same key ring file entered in Part I.

  7. The QuoVadis Root Certification Authority should now be installed into the key ring.

Part II - Installing the Intermediate Certificate

    Select the option again to Install Trusted Root Certificate into Key Ring.

  1. In the Install Trusted Root Certificate window, enter the name of the key ring file that was created during the CSR generation process on this server.

  2. In the Certificate Source field, select option, Clipboard. In the Clipboard field in the window, paste in the QuoVadis Issuing CA 2 Certificate into the appropriate text entry field. The text for this certificate can be obtained from http://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL/QuoVadisIssuingCA2-PEM.aspx.

  3. Next, click on the Merge Trusted Root Certificate into Key Ring button.

  4. The QuoVadis Issuing CA 2 should now be installed into the key ring along with the QuoVadis Root Certification Authority.

Part III - Installing the Certificate

    Part III requires your certificate to be in PEM format and opened in a text editing application. Windows Notepad is recommended for opening the certificate to display its contents. If the characters in the certificate are not recognizable as readable text, your certificate may be in DER format, and you will need to convert it to PEM format before you can continue.
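
The PEM/DER check described above can be done before anything is pasted into the Clipboard field. The following is an added example, not part of the original QuoVadis article: it tells PEM from DER, confirms the outer DER length matches the file size (to catch a truncated copy or stray trailing bytes), and returns clean 64-column PEM text. The function names and the sample bytes are constructed for illustration, and the check covers encoding only, not the certificate's validity or trust chain.

```python
import base64
import binascii
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: a DER-shaped blob (SEQUENCE, 256-byte body), not a real cert.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))


def detect_format(data: bytes) -> str:
    """Return "PEM" if the data carries a PEM certificate block, else assume "DER"."""
    text = data.decode("ascii", errors="ignore")
    return "PEM" if PEM_RE.search(text) else "DER"


def der_total_length(der: bytes) -> int:
    """Return the encoded size (header + body) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not DER: outer tag is not SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("not DER: bad length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_pem(data: bytes) -> str:
    """Return normalized PEM text for file contents that are PEM or DER."""
    match = PEM_RE.search(data.decode("ascii", errors="ignore"))
    if match:                              # already PEM: decode, then re-wrap
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM body is not valid base64") from exc
    else:
        der = data
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))
    print(to_pem(SAMPLE_DER))
```

To use it on a real file, pass the bytes from `open(path, "rb").read()` to `to_pem` and paste the returned text.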

  1. Go back to the Domino Server Certificate Administration that you opened in Part I.

  2. Select the Install Certificate into Key Ring option.

  3. In the Install Certificate into Key Ring window, you will need to enter in the name of the same key ring file entered in Part I and Part II.

  4. In the Certificate Source field, select option, Clipboard. In the Clipboard field in the window, paste in the certificate you received from QuoVadis into the field. This should be copied from the certificate file you have opened in the text editing application.

  5. Click the Merge Certificate into Key Ring button.

  6. Your SSL certificate should be installed properly.

Part IV - How to Enable the Certificate

  1. Edit the current server document in the Domino Administrator.

  2. Select the Port tab.

  3. Enter the entire path name of the key ring file of the new certificate in the SSL Key File field.
  4. Example: c:\lotus\domain\keyfile_name.kyr.

  5. SSL Port Status field in the Web HTTP/HTTPS section.

  6. Finally, restart the Domino Web server.
