- Run the Lotus Domino Administrator client (using the administrator's ID file),
select the correct domain and server, then open the Configuration tab.
- Choose Tools/Registration/Internet Certifier,
select I want to register a new internet certifier that uses the
CA process and then click OK.
- When the Register New Internet Certifier dialog box appears,
click Create Certifier Name and enter a Common Name
(such as Acme CA). All other fields are optional,
but useful to complete, such as an Organization Name (for example: Acme),
a State or Province, and a two-character Country Code. Click OK
once the required field and any optional fields are filled in.
- Choose which server to put the CA on.
- You can use the default ICL database name or modify it, for example:
- Choose one of the following settings for Encrypt
Certifier ID with:
- Encrypt ID with Server ID: lowest security,
no password required, so the certifier can be used by anyone who
controls the server and its ID file.
- Encrypt ID with Server ID and Require password
to activate certifier.
- Encrypt ID with Locking ID, and choose the
person whose ID will be used to secure the new CA.
- You can select an additional person to be a CA and/or RA, but
that is optional. Defaults may be used for the rest of the settings.
- Click OK; you should receive a "Success..." message.
- From the server console, type lo ca (load ca) if the
CA task is not already running.
- If the CA task is already running, type
te ca refresh (tell ca refresh) instead.
- To ensure that the new CA is ready for use,
type te adminp p a (tell adminp process all).
Note If your new CA does not show up in the list when
you use the te ca stat command, try using te
adminp p a, then enter the te ca refresh command
again. After that, enter te ca stat to verify
that the new CA has been properly initialized.
Troubleshooting Tip If you decided to use a password
and your CA is not active, use the following command to activate it:
te ca activate <#> password
You can obtain the actual value for <#> by using te
ca stat (each CA will be listed with a number before it; that
number is how you identify a specific CA when using a tell
command). Do not use the brackets (<>) in your actual command, just
the number of the CA you want to activate and the password under which
you protected it.
- Click File > Database > New, then select
- Fill in a Title and File Name, for example: Certificate
Requests and certreq.nsf.
Note Each Internet Certifier requires a unique Certificate
Requests database. If you expect to create additional Internet CAs
in the future, you might want to give the Certificate Requests database
an appropriate title for its associated CA, for example Cert
Req Acme, and a file name such as CR_acme.nsf
(it is advisable to keep the file name somewhat short so that typing it
as part of a URL won't be annoying).
- Specify the template server as your server, not "local".
Be sure to select Show Advanced Templates or you won't
see the one you need in the list. The template name is Certificate
Requests (6) and the file name is certreq.ntf.
- After the database has been created, press Esc
to close the "About..." document, then the Database Configuration
form should automatically appear.
- Select your server (usually the Administration Server, but it
should be the one running the CA Process for the Supported CA), the CA
you created in the previous steps ("Certifier"), and then choose
the intended purpose(s) of this CA: Server Certificates Only
or Both Client and Server Certificates.
Note "Client Certificates Only" should not
be chosen if you want to create a Server Key Ring for SSL.
- Customize the Server (and Client) settings if you wish, then
select a Processing Method (Automatic means less user intervention). You
may choose an Automatic Transfer Server (optional),
then choose whether or not you wish to have the confirmations mailed to
the applicant and click Save & Close.
Note If the Automatic method is chosen, the person designated as the RA
(often the same person who creates the Certificate Requests database,
certreq.nsf) must be listed under Run unrestricted methods and operations
in the Administration server's Server document. To verify this or to make
the necessary change, open the Domino Directory, open the Server/Servers
view, open the appropriate Server document and go to the Security section
(upper right side of the section). If this is not done, the agents in your
certreq.nsf will not run. Because this right allows its holders to run
unrestricted agent code on the server, grant it to the RA account only,
not to a broad group.
- Choose Domino Key Ring Management then Create
- Perform the following steps:
- Enter a file name for the Key Ring file,
leaving the .kyr extension.
- Enter a password (twice).
- Select a Key Size.
- Enter your server's Common Name (use the
fully qualified host name, for example: server.company.com), Organization
name, then State (or Province) and Country. The latter two fields
- Click Create Key Ring.
- When the Key Ring Created dialog box appears, verify the information,
then click OK to automatically add your CA as a trusted
root and to generate a certificate request (for your server).
Note You can postpone this step and choose Certify
Key Ring later.
- After clicking OK, a Merge Trusted Root Certificate
Confirmation dialog box should appear. Verify the information and
- You should see a Certificate received into key ring and designated
as trusted root confirmation screen; click OK. Another
message should appear: "Certificate Request Successfully Submitted
for Key Ring". Click OK to dismiss the message.
- The Certificate Requests database should still be open. Go
to the Pending/Submitted Requests view and press F9
to refresh the view if your request does not appear to be there.
- If the request already indicates that it
has been "Submitted to Administration Process", proceed to the
- If it is still in the Pending
Submission state, select the request and click Submit
Selected Requests. You should see a "Successfully
submitted 1 request(s) to the Administration Process" message. Click
OK, then leave the Certificate Requests database open
because you will be returning to it soon.
- Open the Administration Requests database (Admin4.nsf), open
the Certification Authority Requests/Certificate Requests view and find
your new request.
- Double-click the request to open it, click Edit Request
and verify the information in it.
- You may leave the default settings for all
fields, if you wish.
- Once you have verified the information and/or
finished making any optional changes, click Approve Request.
- Press F9 until the request
goes from the New state to the Issued
state (you may also notice an interim Approved state
before it reaches Issued).
- Close the Administration Requests database and return to the
Certificate Requests database and then proceed as follows:
- Open the Pending/Submitted Requests view
and locate your request.
- You may need to press F9
to refresh the view. If you press F9 and the certificate
request disappears from the view, you will probably find it in the Issued/Rejected
Certificates view; this indicates that it has already been issued. If
the request does not appear in the Issued/Rejected view, click Pull
- You may be prompted to Cross Certify. If this happens,
please leave the default settings and click Cross Certify.
- Next, you may choose to do one of the following:
- Open the administrator's mail file to locate
and then open a memo entitled Your certificate request has been
approved and copy the pickup ID to your Clipboard.
- From the Certificate Requests database,
open the Issued/Rejected Certificates view, open the issued server request
and then copy the Request ID to your Clipboard. Press
Esc to close the Certificate Pickup document.
- While still in the Certificate Requests database, choose Domino
Key Ring Management then select Pickup Key Ring Certificate.
- Enter the key ring file name you used when you created the key ring,
enter the key ring password, paste the pickup ID into the form (from the
clipboard) and click Pickup Certificate.
- When a Merge Signed Certificate Confirmation
dialog box appears, verify the information and click OK.
A Certificate received into key ring confirmation
box should appear. Click OK.
- Copy the new Key Ring file and its associated .sth
file to your server's data directory. The .sth stash file lets the server
open the key ring without prompting for its password, so restrict file-system
access to both files to the server's own account.
- Open the Domino Directory and find your server's Server document
in the Server/Servers view and then proceed as follows:
- Open the Server document, click Edit
- Open the Ports/Internet Ports section and
then enter the name of your new Key Ring file.
Note Do NOT include the full path to the key ring file,
only the file name.
- Scroll down the page until you locate the
SSL Port Status field and change it from Disabled to
- Optional: While editing the Server document,
go to the Internet Protocols/Domino Web Engine section and enable Session
authentication. Your choices will be:
Server (recommended for most purposes)
(click the words Session authentication to see more
detailed information about all of the options). Enabling session authentication
ensures that HTTP sessions will time out in the number
of minutes specified in the Idle session timeout field. The Maximum
active sessions may also be specified.
- Click Save & Close.
- If HTTP is already running, enter te http restart
to enable SSL on the server.
- Enter sh ta from the server console to verify
that the HTTP server is now listening on ports 80
- To confirm that SSL is working on your server, open a browser
and fill in a URL similar to this:
- If using Netscape, a New Site
Certificate screen should appear.
- Click Next.
- When the next
screen appears, click More Info to verify the information
(optional), then click Next.
- Decide whether
or not to accept the new site certificate and for how long and then click
- Decide whether
or not you wish to see a warning every time you access your new site, then
click Next. When the last screen appears, click
Finish. A Security Information
dialog box may appear. If it does, decide whether or not you wish
to have Netscape Show This Alert Next Time (which it
will do every time you access the site, until you deselect the check box),
then click Continue.
Note If the Security indicator (a little padlock near
the top of the Netscape window) is closed (locked), you have successfully
established a secure session over SSL.
- If using Microsoft Internet Explorer, you
will probably see the "Security Alert" screen:
- Choose View
Certificate, then click Install Certificate.
- When the Certificate
Import Wizard screen appears, click Next.
- When the Certificate
Store screen appears, you may use the default selection: Automatically
select the certificate store based on the type of certificate,
then click Next.
- When the Completing the Certificate Import Wizard
screen appears, click Finish. A small message
box with this message should appear: "The import was successful".
- Exit from the dialog box still displaying the Install Certificate
button by clicking OK, and you should see the Security
Alert message box again. Click Yes to proceed.
- The Certificate Requests database should open and you should
see a little closed padlock near the lower right corner of the screen.
This should indicate that you have successfully established a secure
session over SSL.
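The browser walk-through above is a manual check. As an added example (not part of the original page and not a Domino tool), the following Python script performs the same verification from the command line: it connects to the server's SSL port, verifies the certificate chain against the CA root you exported from the Internet Certifier, and checks that the certificate's Common Name is the host name you entered when creating the key ring and that its issuer is the CA you registered. The host name server.company.com, the CA name Acme CA, and the path to the exported CA root PEM are assumptions taken from the examples on this page; replace them with your own.

```python
"""Scripted check that a Domino server answers on its SSL port with the
certificate we expect (added example; not part of the original page)."""
import socket
import ssl
import time

# Assumptions for this example: the names used elsewhere on the page.
SERVER_HOST = "server.company.com"   # Common Name entered when creating the key ring
CA_COMMON_NAME = "Acme CA"           # Common Name given to the Internet Certifier


def name_field(name, key):
    """Return one attribute (e.g. 'commonName') from a getpeercert() subject/issuer
    value, which is a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return None


def check_certificate(cert, expected_host, expected_issuer_cn, now):
    """Return a list of problems with a getpeercert()-style dict; an empty list
    means the certificate is the one we expect. `now` is a POSIX timestamp so
    the validity-window check is reproducible in tests."""
    problems = []
    subject_cn = name_field(cert.get("subject", ()), "commonName")
    issuer_cn = name_field(cert.get("issuer", ()), "commonName")
    if subject_cn != expected_host:
        problems.append(f"subject CN {subject_cn!r} does not match host {expected_host!r}")
    if issuer_cn != expected_issuer_cn:
        problems.append(f"issuer CN {issuer_cn!r} is not the expected CA {expected_issuer_cn!r}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    return problems


def probe_server(host, ca_pem_path, port=443):
    """Connect to host:port, verify the chain against the CA root exported to
    ca_pem_path, and return check_certificate()'s findings.

    The CA root must be supplied: if verification is disabled, getpeercert()
    returns an empty dict and there is nothing to check. Host-name matching is
    done in check_certificate() rather than by the ssl module so that a CN
    mismatch is reported as a finding instead of aborting the handshake."""
    context = ssl.create_default_context(cafile=ca_pem_path)
    context.check_hostname = False            # we compare the CN ourselves
    context.verify_mode = ssl.CERT_REQUIRED   # but still require a chain to our CA
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return check_certificate(cert, host, CA_COMMON_NAME, time.time())


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, so the
# checking logic can be exercised offline. Dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", SERVER_HOST),), (("organizationName", "Company"),)),
    "issuer": ((("commonName", CA_COMMON_NAME),), (("organizationName", "Acme"),)),
    "notBefore": "Jan 15 00:00:00 2005 GMT",
    "notAfter": "Jan 15 00:00:00 2006 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2005 GMT")  # inside the window


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_ssl.py /path/to/exported-ca-root.pem
        findings = probe_server(SERVER_HOST, sys.argv[1])
    else:
        findings = check_certificate(SAMPLE_CERT, SERVER_HOST, CA_COMMON_NAME, SAMPLE_NOW)
    print("OK" if not findings else "\n".join("PROBLEM: " + p for p in findings))
```

Run it with the exported CA root as its only argument; with no argument it exercises the checks against the constructed sample. An empty result is the scripted equivalent of the closed padlock. If the handshake itself fails before any certificate is returned, check the protocol versions the server offers against what your OpenSSL build accepts before suspecting the key ring: a server of this vintage may offer only versions a modern client rejects by default.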