- Running the Lotus Notes
administrator (using the Admin's ID file), choose the correct domain and
server, then open the Configuration tab.
- Choose Tools/Registration/Internet
Certifier, select I want to register a new internet
certifier that uses the CA process and then click OK.
- When the Register New
Internet Certifier dialog box appears, click Create Certifier
Name and enter a Common Name (such as Acme CA).
All other fields are optional, but useful to complete, such as an
Organization Name (for example: Acme), a State or Province,
and a two-character Country Code. Click OK once
the required field and any optional fields are filled in.
- Choose which server
to put the CA on.
- You can use the default
ICL database name or modify it, for example: icl\icl_Acme.nsf.
- Choose one of the following options for the Encrypt Certifier ID with setting:
  - ID with Server ID: lowest security, no password required.
  - ID with Server ID and Require password to activate certifier.
  - ID with Locking ID, and choose the person whose ID will be used to secure the new CA.
- You can select an additional
person to be a CA and/or RA, but that is optional. Defaults may be
used for the rest of the settings.
- Click OK
and you should receive a "Success..." message.
- From the server console, type lo ca (if the task is not already running). If the CA task is already running, type te ca refresh. To ensure that the new CA is ready for use, type te adminp p a.
Note: If your new CA does not show up in the list when you use the te ca stat command, try te adminp p a, then enter the te ca refresh command again. After that, enter te ca stat to verify that the new CA has been properly initialized.
If you decided to use a password and your CA is not active, use the following
command to activate it:
te ca activate <#>
You can obtain the actual value
for <#> by using te ca stat (each CA will be listed
with a number before it; that number is how you identify a specific CA
when using a tell command). Do not use the brackets
(<>) in your actual command, just the number of the CA you want to
activate and the password under which you protected it.
- Click File
> Database > New, then select your server.
- Fill in a Title and
File Name, for example: Certificate Requests and certreq.nsf.
Note: Each Internet
Certifier requires a unique Certificate Requests database. If you
expect to create additional Internet CAs in the future, you might want
to give the Certificate Requests database an appropriate title for its
associated CA, for example Cert Req Acme, and a file
name such as CR_acme.nsf (it is advisable to keep
the file name somewhat short so that typing it as part of a URL won't be
- Specify the template
server as your server, not "local". Be sure to select Show
Advanced Templates or you won't see the one you need in the list.
The template name is Certificate Requests (6) and the
file name is certreq.ntf. Click OK.
- After the database has
been created, press Esc to close the "About..."
document, then the Database Configuration form should automatically appear.
- Select your server (usually the Administration Server, but it should be the one running the CA Process for the Supported CA), the CA you created in the previous steps ("Certifier"), and then choose the intended purpose(s) of this CA: Server Certificates Only or Both Client and Server Certificates. Do not choose a "Certificates Only" option that excludes server certificates if you want to create a Server Key Ring for SSL.
- Customize the Server (and Client) settings if you wish, then select a Processing Method (Automatic means less user intervention). You may choose an Automatic Transfer Server (optional), then choose whether or not you wish to have the confirmations mailed to the applicant and click Save & Close.
Note: If the Automatic
method is chosen, the person who has been designated as an RA (often the
same person who creates the Certificate Requests database - certreq.nsf)
must appear in the list of people who can Run unrestricted methods
and operations in the Administration server's Server document.
To verify this or to make the necessary change, open the Domino Directory,
open the Server/Servers view, and then open the appropriate
server document and go to the Security section (upper right side of the
section). Failure to do this will result in the inability of the
agents in your certreq.nsf to run.
- Choose Domino
Key Ring Management then Create Key Ring.
- Perform the following steps:
  - Enter a file name for the Key Ring file, leaving the .kyr extension as it is.
  - Enter a password (twice).
  - Select a Key Size.
  - Enter your server's Common Name (use the fully qualified host name, for example: server.company.com), Organization name, then State (or Province) and Country. The latter two fields are optional.
  - Click Create Key Ring.
- When the Key Ring Created
dialog box appears, verify the information, then click OK
to automatically add your CA as a trusted root and to generate a certificate
request (for your server).
Note: You can postpone this step and choose Certify Key Ring later.
- After clicking OK,
a Merge Trusted Root Certificate Confirmation dialog box should appear.
Verify the information and click OK.
- You should see a Certificate
received into key ring and designated as trusted root confirmation screen;
click OK. Another message should appear: "Certificate
Request Successfully Submitted for Key Ring". Click OK
to dismiss the message.
- The Certificate Requests database should still be open. Go to the Pending/Submitted Requests view and press F9 to refresh the view if your request does not appear to be there. If the request already indicates that it has been "Submitted to Administration Process", proceed to the next step. If it is still in the Pending Submission state, select the request and click Submit Selected Requests. You should see a "Successfully submitted 1 request(s) to the Administration Process" message. Click OK, then leave the Certificate Requests database open because you will be returning to it.
- Open the Administration
Requests database (Admin4.nsf), open the Certification Authority Requests/Certificate
Requests view and find your new request.
- Double-click the request to open it, click Edit Request and verify the information. You may leave the default settings for all fields, if you wish. Once you have verified the information and/or finished making any optional changes, click Approve Request. Press F9 until the request goes from the New state to the Issued state (you may also notice an interim Approved state before it reaches the Issued state).
- Close the Administration Requests database, return to the Certificate Requests database and then proceed as follows: open the Pending/Submitted Requests view and locate your request. You may need to press F9 to refresh the view. If you press F9 and the certificate request disappears from the view, you will probably find it in the Issued/Rejected Certificates view; this indicates that it has already been issued. If the request does not appear in the Issued/Rejected view, click Pull Selected.
- You may be prompted
to Cross Certify. If this happens, please leave the default settings
and click Cross Certify.
- Next, you may choose to do one of the following:
  - Open the administrator's mail file to locate and then open a memo entitled Your certificate request has been approved, and copy the pickup ID to your Clipboard.
  - In the Certificate Requests database, open the Issued/Rejected Certificates view, open the issued server request and then copy the Request ID to your Clipboard. Press Esc to close the Certificate Pickup document.
- While still in the Certificate
Requests database, choose Domino Key Ring Management
then select Pickup Key Ring Certificate.
Enter the key ring file name used in step 17, enter the key ring password, paste the pickup ID into the form (from the Clipboard) and click
- When a Merge
Signed Certificate Confirmation dialog box appears, verify the
information and click OK. A Certificate received
into key ring confirmation box should appear. Click OK.
- Copy the new Key Ring
file and its associated .sth file to your server's
- Open the Domino Directory, find your server's Server document in the Server/Servers view and then proceed as follows: in the Server document, click Edit Server. Go to the Ports/Internet Ports section and then enter the name of your new Key Ring file.
Note: Do NOT include the full path to the key ring file, only the file name.
Scroll down the page until you locate the SSL Port Status field and change it from Disabled to Enabled.
While editing the Server document, go to the Internet Protocols/Domino Web Engine section and enable Session authentication. Your choices will be:
  - Single Server (recommended for most purposes)
  - Multiple Server (SSO)
  - Disabled
Click the words Session authentication to see more detailed information about all of the options. Enabling session authentication ensures that HTTP sessions will time out after the number of minutes specified in the Idle session timeout field. The Maximum active sessions may also be specified. Click Save & Close.
- If HTTP is already running,
enter te http restart to enable SSL on the server.
- Enter sh ta
from the server console to verify that the HTTP server is now listening
on ports 80 and 443.
- To confirm that SSL
is working on your server, open a browser and fill in a URL similar to
If using Netscape, a New Site Certificate screen should appear.
- Click Next.
- When the next screen appears, click More
Info to verify the information (optional), then click Next.
- Decide whether or not to accept the new site
certificate and for how long and then click Next.
- Decide whether or not you wish to see a warning
every time you access your new site, then click Next.
When the last screen appears, click Finish. A
Security Information dialog box may appear. If
it does, decide whether or not you wish to have Netscape Show
This Alert Next Time (which it will do every time you access
the site, until you deselect the check box), then click Continue.
Note: If the Security indicator (a little padlock near the top of the Netscape window) is closed (locked), you have successfully established a secure session over SSL.
If using Microsoft Internet Explorer, you will probably see the "Security Alert" message box.
- Choose View Certificate,
then click Install Certificate.
- When the Certificate Import Wizard
screen appears, click Next.
- When the Certificate Store
screen appears, you may use the default selection: Automatically
select the certificate store based on the type of certificate,
then click Next.
- When the Completing
the Certificate Import Wizard screen appears, click Finish.
A small message box with this message should appear: "The
import was successful".
- Exit from the dialog box still displaying the Install Certificate button by clicking OK, and you should see the Security Alert message box again. Click Yes.
- The Certificate Requests
database should open and you should see a little closed padlock near the
lower right corner of the screen. This should indicate that you have
successfully established a secure session over SSL.
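As an added example (not part of the original page and not Domino's own tooling), the following Python script performs the same check as the browser steps above, but validates the server certificate against the exported CA root and the FQDN used as the key ring's Common Name, instead of accepting the certificate through a warning dialog. The host name, the CA root file name and the returned fields are assumptions.

```python
import socket
import ssl

# Constructed values (assumptions): the server's fully qualified host name,
# which must equal the Common Name entered when the key ring was created,
# and a PEM file holding the Acme CA root certificate exported from Domino.
SERVER_FQDN = "server.company.com"
CA_ROOT_PEM = "acme_ca_root.pem"


def cn_from(rdns):
    """Return the commonName from a subject/issuer tuple in the shape that
    SSLSocket.getpeercert() produces, e.g. ((('commonName', 'Acme CA'),),)."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_ssl(host, cafile, port=443, timeout=5.0):
    """TLS handshake with host:port, verifying the chain against cafile (the
    private CA root) and the hostname against the certificate. Returns a
    dict instead of relying on a browser's accept/reject prompt."""
    result = {"ok": False, "error": None, "subject_cn": None,
              "issuer_cn": None, "not_after": None}
    # create_default_context turns on chain and hostname verification;
    # cafile=None means the system trust store, so a private CA would fail.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["subject_cn"] = cn_from(cert.get("subject", ()))
                result["issuer_cn"] = cn_from(cert.get("issuer", ()))
                result["not_after"] = cert.get("notAfter")
                result["ok"] = True
    except ssl.SSLCertVerificationError as exc:
        # Wrong CA, expired certificate, or CN/SAN not matching the FQDN.
        result["error"] = "verification failed: " + str(exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # Port 443 closed (SSL Port Status still Disabled?) or handshake error.
        result["error"] = "connection or handshake failed: " + str(exc)
    return result


if __name__ == "__main__":
    print(check_ssl(SERVER_FQDN, CA_ROOT_PEM))
```

A result with ok set and issuer_cn equal to the CA's Common Name confirms the chain the Key Ring Management steps built; a "verification failed" result means the browser padlock would have been reached only by clicking through a warning.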