Requesting an SSL server certificate
When you request an SSL server certificate, you use Public-Key Cryptography Standards (PKCS) format, an industry-standard format that many CAs, including Domino®, understand. Before you request a certificate from a third-party CA, make sure the CA uses the PKCS format, not some other format, such as Privacy-Enhanced Mail (PEM). If you are unsure of the format required by a third-party CA, check with that CA.

About this task

A certificate request is essentially certificate data that has not been signed by a CA. The CA turns the request into a certificate by signing it.

If you are requesting a server certificate from a server-based certification authority, you can use the Notes® client to create the server key ring and the server certificate in the Certificate Requests database. You must be able to access the Domino server using the Notes client.

To request a server certificate using a Notes client

Procedure

1. From the Notes client, open the Certificate Requests database for the certifier from which you want to request a server certificate.

2. Do the following to create a server key ring file to store the server certificate and merge the CA certificate as a trusted root into the server key ring file:


3. In the Issued/Rejected Certificates view, open the issued server request and copy the Request ID to the Clipboard.

4. Choose Domino Key Ring Management -> Pickup Key Ring Certificate.

5. Enter the key ring file name and password, paste the pickup ID into the form and click Pickup Certificate.

6. Verify the information in the Merge Signed Certificate Confirmation dialog box and click OK.

7. When the Certificate received into key ring dialog box appears, click OK.

8. Copy or use FTP (in binary mode) to transfer the new key ring and its associated .STH file to the server's data directory.

From a Domino CA using a Web browser

About this task

This procedure for generating a server certificate request is the same regardless of whether you are requesting a server certificate from a Domino server-based certification authority or a Domino 5 certificate authority.

Procedure

1. Make sure you already created the server key ring file and mapped a drive to the directory that contains the server key ring file.

2. From the Notes client, open the Domino Directory of the server on which you want to set up SSL, and open the Server Certificate Admin application.

3. Click Create Certificate Request.

4. Complete these fields:


5. Click Create Certificate Request.

6. Enter the password for the server key ring file.

7. Copy the certificate request to the system Clipboard (include the Begin Certificate and End Certificate lines), and click OK.

8. On the server, use one of these methods to browse to the Domino certificate authority application (the Certificate Requests application for a server-based certification authority, and the Domino Certificate Authority for a Domino 5 Certificate Authority) on the Domino server's Web site:

9. Click Request Server Certificate.

10. Enter your name, email address, phone number, and any comments for the CA.

11. Paste the certificate request into the dialog box, and then click Submit Certificate Request.

12. Merge the CA certificate as a trusted root.

From a third-party CA

Procedure

1. Make sure you already created the server key ring file.

2. From the Notes client, open the Server Certificate Admin application on the server for which you want to set up SSL.

3. Click Create Certificate Request.

4. Complete these fields:


5. Click Create Certificate Request.

6. Enter the password for the server key ring file.

7. If you selected Paste into form on CA's site in Step 4, do the following:


8. Merge the CA certificate as a trusted root.
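
Both browser-based procedures above depend on copying the whole request, including its Begin and End lines, so the following added example (not part of the Domino documentation or product) checks a pasted request for a clipped or altered copy before it is submitted. The function names and the two accepted armor labels are assumptions, and the sample request is constructed filler rather than a real request.

```python
import base64
import binascii
import re

# Armor labels accepted here; which label a given tool emits is an assumption.
ARMOR = re.compile(
    r"-----BEGIN (NEW CERTIFICATE REQUEST|CERTIFICATE REQUEST)-----\s*"
    r"(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def check_pasted_request(text):
    """Return (ok, reason) for a certificate request copied from a form."""
    match = ARMOR.search(text)
    if match is None:
        return False, "missing or mismatched Begin/End lines"
    body = "".join(match.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64"
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded data does not start with a DER SEQUENCE"
    # Decode the DER length field of the outer SEQUENCE.
    first = der[1]
    if first < 0x80:
        header, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False, "unsupported or truncated DER length"
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        return False, "length mismatch: request was truncated or altered"
    return True, "structure is complete"


def constructed_request(label="NEW CERTIFICATE REQUEST"):
    """Build a constructed, non-functional sample with a valid outer SEQUENCE."""
    der = b"\x30\x82\x01\x00" + bytes(256)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)
```

The check covers only the armor lines and the outer DER length, which is enough to catch a clipped paste; it does not verify the request's signature or subject fields.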

Related tasks
Creating a server key ring file
Merging a CA certificate as a trusted root
Viewing requests for certificates
Setting up SSL on a Domino server