IBM Support

How to renew an SSL certificate stamped by a third-party Certificate Authority

Technote (FAQ)


Question

The SSL certificate in your Lotus Domino server's key ring is close to expiration. You used a third-party Certificate Authority (CA) to stamp the SSL certificate. Can you use the existing key ring to renew the SSL certificate?

Answer

When you use a third-party Certificate Authority (CA) for an SSL certificate, the key ring containing the SSL certificate can be used to generate a new certificate request. Follow the steps below:
1. Back up the SSL KeyPair (*.KYR and *.STH) in the server's data directory.

2. Copy the KeyPair to the Notes data directory of a local workstation.

3. Using Notes client, open the Server Certificate Administration database. If none is available, create a new one using the Server Certificate Administration template (CSRV50.NTF).

Note: The error 'Invalid or nonexistent document' occurs if you use the Administrator client instead of the Notes client to work with the Server Certificate Administration database.

4. Select the link "View and Edit Key Rings" on the Navigation Pane.

5. Select the button "Select Key Ring to Display" and enter the local path to .KYR file.

6. Enter the password for the key ring (stored in the .STH file, also copied to the Notes data directory). The KeyPair document listed below has the SSL Certificate information:

7. Next, select "Create Key Rings & Certificates" link on navigation pane.

8. Select Step 2: "Create Certificate Request".

9. Confirm that the Key Ring File Name Field is pointing to the local .KYR file.

10. Click the "Create Certificate Request" button.

11. Copy the certificate request, including the BEGIN and END lines, and send it to the Certificate Authority.

12. Wait for the CA to return the stamped certificate, then merge it into the key ring.

13. Select Step 4: "Install Certificate into Key Ring".

14. Paste in the stamped certificate.

15. Click on "Merge Certificate into Key Ring" button.

16. A warning will display stating that the certificate already exists. Click OK to proceed with the installation of the new stamped certificate.

17. Copy the local KeyPair (.KYR and .STH files) and paste them into the server's data directory.

18. Restart the HTTP service.

      > restart task http

19. Next, access a Web site with the new SSL certificate using a Web browser.

20. Using Microsoft Internet Explorer, double-click the padlock on the lower-right corner to display the SSL certificate information and confirm the new expiration date.
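The following is an added example, not part of the IBM technote, showing how an administrator can check the same things from a shell with the openssl command-line tool: that a pasted PEM block (the request from step 11 or the stamped certificate from step 14) is complete with its BEGIN and END lines, that a certificate file is still valid for a given number of days, and which certificate a running server actually presents (steps 19 and 20 without a browser). It assumes openssl is installed; the host and port passed to served_cert_expiry are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the technote): post-renewal checks with the openssl CLI.
# Assumes the openssl binary is on PATH.

# Verify that a PEM block is complete: the BEGIN line is first, the END line is
# last, and openssl can parse the body. TYPE is "CERTIFICATE" for the stamped
# certificate or "CERTIFICATE REQUEST" for the request copied in step 11.
check_pem_block() {
    file=$1
    type=$2
    first=$(head -n 1 "$file")
    last=$(tail -n 1 "$file")
    case "$first" in
        "-----BEGIN $type-----") ;;
        *) echo "missing BEGIN line in $file" >&2; return 1 ;;
    esac
    case "$last" in
        "-----END $type-----") ;;
        *) echo "missing END line in $file" >&2; return 1 ;;
    esac
    if [ "$type" = "CERTIFICATE" ]; then
        openssl x509 -noout -in "$file" 2>/dev/null
    else
        openssl req -noout -in "$file" 2>/dev/null
    fi
}

# Return 0 if the certificate in FILE is still valid DAYS days from now,
# 1 if it expires before then (openssl x509 -checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Print the subject and expiry of the certificate a live server presents.
# HOST and PORT are placeholders; this is the command-line equivalent of
# checking the padlock in the browser after the HTTP task restarts.
served_cert_expiry() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Stand-alone use: sh checkcert.sh stamped.pem
if [ $# -ge 1 ]; then
    check_pem_block "$1" CERTIFICATE && cert_valid_for_days "$1" 30 \
        && echo "$1: complete and valid for at least 30 more days"
fi
```

Run check_pem_block on the text you pasted into step 14 before merging it; a block that lost its END line while being copied out of an e-mail is the most common reason the merge fails. After the HTTP task restarts, served_cert_expiry shows the date the server is actually presenting, which is the date that matters regardless of what the local key ring reports.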

Additional information:
SHA-2 support is currently not available on Domino; SPR# ABAI7SASE6 records an enhancement request to add SHA-2 support for SSL on Domino in a future release.
Domino 9.0x introduced support for the IBM HTTP Server for Windows, which supports TLS, as a solution for customers who require SHA-2 for HTTPS connections.

Related information

Error: 'Invalid or nonexistent document' when using Ser
A simplified Chinese translation is available

Document information

More support for: IBM Domino
Security

Software version: 8.0, 8.5

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1210804

Modified date: 26 May 2010