You have followed all of the steps from the Lotus Domino SSL wiki, link at the end of this wiki page, and have created a Domino keyring file, submitted a CSR to your chosen Certificate Authority. Now you just received your new certificate and attempt to install it into the keyfile, but then an error pops up to say that the trusted roots necessary to install do not exist in the keyfile.
You have a few options to resolve this.
1. Go back to the certificate issuer and ask what roots are included in the certificate and from where you may download them.
2. Go to the Certificate Authority's site and browse through all existing certificates trying to find the right one.
3. Follow the steps of this article to identify and extract the exact root certificates you need.
In brief, you can save the certficate as a .cer file and view all of the root certificates, export them and merge them into your keyfile. Then the new SSL server certificate will install successfully into your Domino SSL keyfile.
A. Save the certificate as a . cer file.
You may have already received the SSL server certificate as a .cer file if so skip to the next step.
If you received the SSL server certificate as a text file, or you copied from the Certificate Authority's web site, you will save that file as a .cer . Open a text editor and copy the content of the certificate into a new text document. Include everything from the first dash to the last, no extra spaces or carriage returns.
Be sure to save it as file type *.* so that the .cer will be the extension.
B. Open and extract the trusted roots from the certificate file.
Locate the file on your machine and open it. In Windows double click the file and it will open.
When opened, select the Certification Path tab. Most certificates will display a chain of trust from the root certificate to the server. In this example there is only one root certificate to export, although more often there will be two or more which enhance the security of the certificate. Domino certificates may display only the server and not the entire chain of trust.
Work through the certificates, selecting the root first, then intermediate roots, from the top down. Select the root certificate and click “View Certificate”. A new dialog box will appear. Click the Details tab and click Copy to File to copy the contents of the root, in this example the VerSign Trial Secure Server CA - G2 certificate.
The export wizard will popup and guide you through the steps.
Click Next, and choose whether you need the certificate as a digital or base64 format. The base64 format is more flexible as you can add the certificate as a .cer file or the base64 contents later.
The dialog will allow you to save it any where; it is suggested that you save it to the data directory of your Notes client so that you may reference it easily later if needed. Complete the wizard prompts.
Next, open the Server Certificate Admin database and select step 3 to add the trusted root to your keyring file.
Make sure that the dialog refers to the correct keyfile. In Certificate Label field add the name of the trusted root. You can get this name from the .cer file which contains the SSL certificate and the root you used earlier to bring the process.
Enter the into the Certificate Label field the name of the root certificate as it appears in the .cer file.
In this example you will open the root certificate .cer file with a text editor and copy the entire contents, from the first dash to the last, making sure that there are no extraneous spaces or carriage returns leading or trailing the dashes.
Copy this into the “Certificate from Clipboard” field and click Merge Trusted Root Certificate into Keyring.
You should be presented with a confirmation dialog showing the root information. In this example we show an intermediate certificate and had one more root which was merged earlier. This is why on the right you will see Trial Secure Server Root as the issuer. Otherwise this dialogue would display the same information for both the Certificate Subject and Certificate Issuer.
If it all works you will see the confirmation that the root has be merged.The character display, if not clearly discernible, as below, is an anomaly, but does not affect the success of the process.
To confirm that the root has been merged you can close then reopen the Server Certificate Admin database and view the key ring. There you will see the root you merged listed with the others already in the key ring.
Now you are ready to go back to the SSL wiki and complete the installation of the SSL server certificate in to your key ring file.