IBM Support

How to set up SSL using a third-party Certificate Authority (CA)

Technote (FAQ)


You have decided to use a third-party certificate authority such as Verisign, Entrust, or Thawte for SSL setup on a Domino server. What steps do you take to do so?


Previously, Domino servers used the Domino Server Certificate Admin database to manage keyrings and server certificates. However, this database does not allow for importing SHA-2 certificates. It is now recommended to only use SHA-2 certificates for SSL, due to security concerns
Because of this limitation with the Server Certificate Admin database, the documentation on using it in Domino Administrator Help and earlier revisions of this technote should not be used when an SSL certificate is required on a Domino server.

Please refer to the following documentation for creating keyrings and SSL certificates on a Domino server:

Generating a SHA-2 Keyring file
Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool
Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and kyrtool
Installing and Running the Domino keyring tool

Steps for configuring SSL
After updating a Domino keyring with an SSL server certificate, take the following steps to deploy and test the keyring.

1. Copy or FTP the local SSL key ring files (.kyr and .sth) from your Notes client data directory (or wherever your keyring files are located) into the Domino server's data directory.

2. Set the appropriate permissions on the SSL key ring files to ensure the Domino server can access the files. For Windows, the proper permissions are usually automatically set when copying/pasting the files to the server. For IBMi/OS400, the file owner should be set to QNOTES. For UNIX, set the file permissions to the same owning ID that owns all Domino server files.

3. Update the Server document to begin using the new SSL key ring file using the appropriate method for your web server configuration. (To tell if you are using Internet Site documents, open the server document to the Basics tab, and verify the value of the field "Load Internet configurations from Server\Internet Sites documents" If this is set to Enabled, you are using Internet Site documents, which are found in the Domino Directory under Configuration - Web - Internet Sites.)

a. If you are not using Internet Site documents, go to "Ports -> Internet Ports" in the Server document. Enter the SSL key ring file name in the "SSL key file name" field.

Screen capture of SSL settings in Server document:

b. If you are using Internet Site documents, go to the "Security" tab in the respective Internet Site document for which the SSL key ring file was created and update the "Key file name" field.

4. Ensure that your server's SSL port status is set to "Enabled" in the Server document under "Ports -> Internet Ports -> Web".

5. Restart the HTTP task by issuing the command "tell http restart" on the Domino server console. If other tasks need to use the keyring, restart those tasks.

6. To test, access the Web site with the new SSL certificate using a Web browser. If you are using Internet Explorer, you can double-click the padlock on the lower-right corner to display the SSL certificate information.

Related information

A simplified Chinese translation is available

Document information

More support for: IBM Domino
Web Server

Software version: 6.0, 6.5, 7.0, 8.0, 8.5, 9.0

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1268695

Modified date: 24 May 2016

Translate this page: