This tip will help you configure SSL in your Lotus Notes/Domino environment with a separate certificate authority (CA) like Verisign or Thawte -- helping to enhance security. While the help files from Lotus provide some information, I found that they actually make the process more complex than it needs to be. This step-by-step guide is the end product of my own research of the Lotus help files, Verisign's website and other related websites.
Whether or not you intend to be a self-signing authority -- or use an external authority -- the process I'll be outlining requires you to use the Lotus Domino Server Certificate Admin database.
- To begin, check to see if your Lotus Domino server has a database created by the StdNotes50SSLAdmin template. The template title is Server Certificate Admin and generally the file will be named certsrv.nsf.
If this database exists -- not the template, but a .nsf database from the template -- then step one of the process is complete. If not, create a new database on the server using the above-mentioned template. When creating the new database, make certain to select the correct template. In order to see it in the options, check the box labeled Show advanced templates (Figure 1).
- When the database opens, you'll see a screen with four different steps. Select the first option, Create Key Ring (Figure 2).
This key ring is necessary to create the Certificate Signing Request (CSR) that a third-party company like Verisign requires. Clicking on Create Key Ring brings you to the next step (Figure 3).
- The next step is to complete the key ring information. Bear in mind that all the items in Figure 3 are mocked up for instructional use only; your environment will be different. The Key Ring file name usually defaults to keyfile.kyr. Keeping the .kyr extension is highly recommended.
Verisign prefers a 1024-bit key. But in my opinion, why would you use anything less if a 1024-bit key is available for your location?
In the Distinguished Name box, the more details you supply, the better. The Organizational Unit is likely the only section most of you won't complete, but be sure to fill in as necessary. Once completed, click Create Key Ring and the .kyr and .sth files will be created to the same path -- which will display when complete.
Note: The .kyr file is the actual Key Ring file. The .sth file is a stash file that holds password information. Make certain that both of these files are kept well protected. The stash file is protected, but not encrypted, and would only stop a casual observer from using the information.
- Now that your .kyr and .sth files exist, you need to make a request of the authority you'd like to use. To do so, click on Create Certificate Request on the main screen in the Server Certificate Admin database (Figure 4).
- The path in the first field is the same path where the .kyr file was created earlier. If using Verisign, you must use the Paste into form on CA's site option. If you choose the email option, you'll be provided with fields to enter the necessary information. Otherwise, click the Create Certificate Request button to generate the appropriate request information (Figure 5).
- Now enter the password for the .kyr file you referenced in the first field of the CSR. This will bring you to a screen similar to the one in Figure 6. Only the upper fields will be populated with the site information that you entered above.
Place your cursor in the lower field, highlight the information and copy it to your clipboard. Be sure to also include the Begin and End Certificate lines. Next, go to the CA site and follow the instructions there for submitting a request for a new certificate.
- Merging CA-provided certificates into your Key Ring
Your request to your CA should have yielded a Server Certificate from the CA. The next step is to merge the CA's trusted root certificate into the Key Ring file that we created previously. In order to do so, check your CA's website for the certificate you need -- it's usually available as a file attachment or as text for you to copy to the clipboard.
Note: If using Verisign, their Intermediate Certificate Authority root is required as part of the SSL certificate installation.
Once you have the necessary root certificate from your CA, go back to the Server Certificate Admin application and select Install Trusted Root Certificate into Key Ring (Figure 7).
- Clicking on Install Trusted Root Certificate into Key Ring will yield the following screen.
The first field is the path to the Key Ring file you created earlier. The Certificate Label is a label that's used for easier identification in this application. If you leave it blank, it should place the distinguished name of your certificate in by default.
The Certificate Source depends on how your CA provides the Trusted Root Certificate that you're trying to merge. Once you have these items completed, click on Merge Trusted Root Certificate into Key Ring to complete the process. You'll be prompted for your Key Ring file's password.
- This is the final step for readying an SSL certificate for use in Domino. In this step, we merge the actual server certificate provided by your CA into the Key Ring file created earlier. Make certain you can access the Key Ring file and follow the instructions provided by your CA to retrieve the new Server Certificate.
Some CAs send the certificate as an attachment in an email; others send a link so that you can download an attachment or just copy it to the clipboard. When you have the certificate, go back to the Server Certificate Admin application and click the fourth option, Install Certificate Into Key Ring (Figure 9).
The form you'll see is similar to the one you previously used to add the Trusted Root Certificate (Figure 10).
The first field should map to the Key Ring file that we created in the beginning of the process. The Certificate Source depends on your CA. Whatever the case, pick the correct source and either paste in the certificate from the clipboard or attach the provided file. Finally, click the Merge Certificate into Key Ring button.
When this is complete, the Key Ring file and .sth file are ready to move to the server and be used for SSL security on that Domino server.
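Before pasting the CSR into the CA's form and again before merging what the CA sends back, it is worth running a few checks outside Domino: that the copied CSR block is complete and its signature verifies, what key size the Key Ring actually generated (public CAs have required at least 2048-bit RSA keys for years, so a 1024-bit request will be refused today), that the server certificate validates up to the root only when the intermediate is present (the reason for the Verisign note above), and that the returned certificate carries the public key from your CSR. The script below is an added example, not part of the original article or of Domino; it assumes the openssl command-line tool is installed. The root, intermediate, server key and CSR it builds in make_fixture are constructed stand-ins so the checks run offline; in real use the CSR is the text you copied from the Key Ring and the certificates are the ones your CA provided.

```shell
#!/bin/sh
# Added example (not from the article): pre-merge checks on a Domino CSR and CA certificates.
# Assumes the openssl CLI. All files are written under $WORK (a temp directory by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed fixture: a root CA, an intermediate CA signed by it, and a server key/CSR/certificate.
# In production these come from your Key Ring (CSR) and your CA (root, intermediate, server cert).
make_fixture() {
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  # Self-signed root CA.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/O=Example CA/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate CA signed by the root; it must carry CA:true or chain validation rejects it.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/O=Example CA/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  # Server key and CSR: stands in for what the Domino Key Ring produces.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=US/ST=Maine/O=Example Corp/CN=domino.example.com" >/dev/null 2>&1
  printf 'basicConstraints=CA:false\nsubjectAltName=DNS:domino.example.com\n' >"$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# The copied CSR is complete (BEGIN/END lines included) and its self-signature verifies.
check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# RSA modulus size of the key behind a CSR, to confirm what the Key Ring generated.
key_bits() {
  openssl req -in "$1" -noout -pubkey | openssl rsa -pubin -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# The server certificate validates up to the trusted root through the intermediate ($2, may be
# empty). Without the intermediate the chain is incomplete and validation fails.
verify_chain() {
  server="$1"; inter="$2"; root="$3"
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$server" >/dev/null 2>&1
  fi
}

# The certificate the CA returned carries the public key from the CSR; if it does not, it was
# issued for a different key and merging it into this Key Ring is useless.
cert_matches_csr() {
  a="$(openssl req -in "$1" -noout -pubkey | openssl sha256)"
  b="$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)"
  [ "$a" = "$b" ]
}

make_fixture
check_csr "$WORK/server.csr" && echo "CSR ok, $(key_bits "$WORK/server.csr")-bit key"
verify_chain "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" && echo "chain ok with intermediate"
verify_chain "$WORK/server.pem" "" "$WORK/root.pem" || echo "chain FAILS without intermediate"
cert_matches_csr "$WORK/server.csr" "$WORK/server.pem" && echo "certificate matches CSR key"
```

To use it on real files, skip make_fixture and point check_csr at the text you copied from the Key Ring screen, verify_chain at the server, intermediate and root certificates from your CA, and cert_matches_csr at the CSR and the returned server certificate. A chain that only validates with the intermediate present tells you that the intermediate must be merged as a trusted root in the Key Ring before the server certificate, exactly as the Verisign note above says.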
ABOUT THE AUTHOR:
Michael "Mike" Kinder is a senior application developer and administrator with 13+ years of experience in the Lotus Notes/Domino environment, including work with BlackBerry, Barracuda, Sametime and integration with other systems. He is currently building a Managed Services/Business Development Center in Northern Maine. He is available for consulting opportunities in both development and administration. He can be reached at email@example.com.
This was first published in April 2010