Lotus Domino SSL using an external certificate authority

In this expert tip, you'll get the step-by-step process on how to configure SSL in your Lotus Notes/Domino environment with a separate certificate authority.

This tip will help you configure SSL in your Lotus Notes/Domino environment with a separate certificate authority (CA) like Verisign or Thawte -- helping to enhance security. While the help files from Lotus provide some information, I found that they actually make the process more complex than it needs to be. This step-by-step guide is the end product of my own personal research of Lotus help files, Verisign's website and other related...

website.

Whether or not you intend to be a self-signing authority -- or use an external authority -- the process I'll be outlining requires you to use the Lotus Domino Server Certificate Admin database.

  1. To begin, check whether your Lotus Domino server has a database created from the StdNotes50SSLAdmin template. The template title is Server Certificate Admin, and the file is generally named certsrv.nsf.

    If this database exists -- not the template, but a .nsf database created from the template -- then step one of the process is complete. If not, create a new database on the server using the above-mentioned template. When creating the new database, make certain to select the correct template; to see it among the options, check the box labeled Show advanced templates (Figure 1).

    Figure 1. To view your template, check off Show advanced templates.

  2. When the database opens, you'll see a screen with four different steps. Select the first option, Create Key Ring (Figure 2).

    Figure 2. The first step is to create a key ring.

    This key ring is necessary to create the Certificate Signing Request (CSR) that a third-party CA like Verisign requires. Clicking Create Key Ring brings you to the next step (Figure 3).

    Figure 3. Fill in all of your Key Ring Information.

  3. The next step is to complete the key ring information. Bear in mind that all the items in Figure 3 are mocked up for instructional use only; your environment will be different. The Key Ring file name usually defaults to keyfile.kyr. Keeping the .kyr extension is highly recommended.

    Verisign prefers a 1024-bit key. But in my opinion, why would you use anything less if a 1024-bit key is available for your location?

    In the Distinguished Name box, the more details you supply, the better. The Organizational Unit is likely the only section most of you won't complete, but be sure to fill it in as necessary. Once completed, click Create Key Ring, and the .kyr and .sth files will be created in the same path -- which will be displayed when the process completes.

    Note: The .kyr file is the actual Key Ring file. The .sth file is a stash file that holds password information. Make certain that both of these files are kept well protected. The stash file is protected, but not encrypted, and would only stop a casual observer from using the information.

  4. Now that your .kyr and .sth files exist, you need to make a request of the authority you'd like to use. To do so, click Create Certificate Request on the main screen of the Server Certificate Admin database (Figure 4).

    Figure 4. The next step is to create a certificate request.

    The path in the first field is the same path where the .kyr file was created earlier. If you are using Verisign, you must use the Paste into form on CA's site option. If you choose the email option, you'll be given fields to enter the necessary information. Otherwise, click the Create Certificate Request button to generate the request information (Figure 5).

    Figure 5. Choose the appropriate options for your Notes/Domino environment.

  5. Now enter the password for the .kyr file you referenced in the first field of the CSR form. This will bring you to a screen similar to the one in Figure 6. Only the upper fields will be populated, with the site information you entered above.

    Figure 6. Your certificate request has been created.

    Place your cursor in the lower field, highlight the text and copy it to your clipboard. Be sure to also include the Begin and End Certificate lines. Next, go to the CA's site and follow the instructions there for submitting a request for a new certificate.

  6. Merging CA-provided certificates into your key ring

    Your request to your CA should have yielded a Server Certificate from the CA. The next step is to merge the CA's trusted root certificate into the Key Ring file that we created previously. To do so, check your CA's website for the certificate you need; it's usually available as a file attachment or as text to copy to the clipboard.

    Note: If you are using Verisign, their Intermediate Certificate Authority root is required as part of the SSL certificate installation.

    Once you have the necessary root certificate from your CA, go back to the Server Certificate Admin application and select Install Trusted Root Certificate into Key Ring (Figure 7).

    Figure 7. You will now install a trusted root certificate into your key ring.

    Clicking Install Trusted Root Certificate into Key Ring yields the following screen (Figure 8):

    Figure 8. Merge your trusted root certificate into your key ring.

    The first field is the path to the Key Ring file you created earlier. The Certificate Label is used for easier identification within this application; if you leave it blank, the distinguished name of the certificate should be filled in by default.

    The Certificate Source depends on how your CA provides the Trusted Root Certificate you're merging. Once these items are completed, click Merge Trusted Root Certificate into Key Ring to complete the process. You'll be prompted for your Key Ring file's password.

  7. This is the final step in readying an SSL certificate for use in Domino. In this step, we merge the actual server certificate provided by your CA into the Key Ring file created earlier. Make certain you can access the Key Ring file, and follow the instructions provided by your CA to retrieve the new Server Certificate.

    Some CAs send the certificate as an attachment in an email; others send a link so that you can download an attachment or copy the certificate to the clipboard. When you have the certificate, go back to the Server Certificate Admin application and click the fourth option, Install Certificate Into Key Ring (Figure 9).

    Figure 9. You can now install the certificate into your key ring.

    The form you'll see is similar to the one you previously used to add the Trusted Root Certificate (Figure 10).

    Figure 10. To finish, we will merge the certificate into your key ring.

    The first field should point to the Key Ring file that we created at the beginning of the process. The Certificate Source depends on your CA. Whatever the case, pick the correct source and either paste in the certificate from the clipboard or attach the provided file. Finally, click the Merge Certificate into Key Ring button.

    When this is complete, the Key Ring file and .sth file are ready to move to the server and be used for SSL security on that Domino server.
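The procedure above puts four things into the key ring: the server's key pair, the CSR that was pasted at the CA, the CA's trusted root (plus, for Verisign, its intermediate) and the issued server certificate. As an added example that is not part of the original tip and not Domino's own tooling, the following POSIX shell script reproduces those same objects with the OpenSSL command line so each one can be inspected outside the Server Certificate Admin forms. It assumes only that the openssl CLI is installed; the lab CA, the host name domino.example.com, the DN values and the file names are all constructed for illustration. It also goes one step beyond the text: it validates the issued certificate against the root alone and then with the intermediate supplied, which shows why the intermediate has to be merged into the key ring alongside the root.

```shell
#!/bin/sh
# Added example, not from the original tip. It reproduces with the OpenSSL CLI the
# objects the Server Certificate Admin forms produce (server key, CSR, trusted root,
# intermediate, issued server certificate) so each piece can be inspected.
# Assumes `openssl` is on PATH. The CA, host name and DN values are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="domino.example.com"   # constructed server name

# Extension profile for either a CA certificate or the server certificate.
write_ext() {  # $1 = output file, $2 = role (ca|server)
  if [ "$2" = "ca" ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
  else
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > "$1"
  fi
}

# Stand-in for the external CA: a self-signed root plus an intermediate, the latter
# mirroring the "Intermediate Certificate Authority root" the tip says Verisign requires.
make_lab_ca() {
  write_ext "$WORK/ca.ext" ca
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Lab CA/CN=Lab Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Lab CA/CN=Lab Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
}

# The "Create Key Ring" and "Create Certificate Request" steps: a key pair and a CSR
# carrying the Distinguished Name fields the form asks for. 2048 bits is used here;
# the 1024-bit size mentioned in the tip is no longer accepted by public CAs.
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=Maine/L=Anytown/O=Example Corp/OU=IT/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# What the CA does with the pasted CSR: issue a server certificate from the intermediate.
issue_server_cert() {
  write_ext "$WORK/server.ext" server
  openssl x509 -req -days 30 -sha256 -in "$WORK/server.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

build_lab() { make_lab_ca; make_server_csr; issue_server_cert; }

# CN from the CSR, to confirm the request carries the DN entered on the form.
csr_cn() {
  openssl req -in "$WORK/server.csr" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The text pasted at the CA must run from the BEGIN line to the END line inclusive.
csr_has_pem_markers() {
  [ "$(head -n 1 "$WORK/server.csr")" = "-----BEGIN CERTIFICATE REQUEST-----" ] &&
  [ "$(tail -n 1 "$WORK/server.csr")" = "-----END CERTIFICATE REQUEST-----" ]
}

# The certificate the CA returns must belong to the private key in the key ring.
cert_matches_key() {
  [ "$(openssl x509 -in "$WORK/server.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

# Chain check as a client sees it: $1 = trusted roots, $2 = intermediates the server
# sends (empty string for none), $3 = server certificate. Returns 0 when valid.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# Returns 0 when the chain validates only once the intermediate is supplied, which is
# why the intermediate must be merged into the key ring next to the root.
intermediate_is_required() {
  ! verify_chain "$WORK/root.pem" "" "$WORK/server.pem" &&
    verify_chain "$WORK/root.pem" "$WORK/inter.pem" "$WORK/server.pem"
}

if [ "${1:-}" = "demo" ]; then
  build_lab
  echo "CSR subject CN: $(csr_cn)"
  intermediate_is_required && echo "chain validates only with the intermediate present"
fi
```

Run it as `sh keyring_lab.sh demo` (file name assumed). The same three checks carry over to the real material a CA hands back: the CSR pasted into the CA's form must include its BEGIN and END lines, the returned certificate must match the key that was generated in the Create Key Ring step, and a client that trusts only the CA's root cannot validate the server certificate unless the intermediate is presented as well. The server key here plays the role of the .kyr and .sth pair, so give it the same protection the tip asks for: restrictive file permissions and no copies left on workstations.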

ABOUT THE AUTHOR:   
 
Michael Kinder
Michael "Mike" Kinder is a senior application developer and administrator with over 13+ years experience in the Lotus Notes/Domino environment, including work with BlackBerry, Barracuda, Sametime and integration with other systems. He is currently building a Managed Services/Business Development Center in Northern Maine. He is available for consulting opportunities in both development and administration. He can be reached at michael.kinder@vmsus.com.
 


This was first published in April 2010
