One of the good things about Lotus Notes/Domino is that it has a very good help system in NSF format. Lotus Notes/Domino has three basic help databases, for normal Lotus Notes users, for Lotus Notes programmers/designers and for Lotus Domino administrators. All the help databases are easy to read and understand.
But even the easiest documentation can become confusing sometimes. One of them is how to enable SSL in Lotus Domino servers.
I have to read it many times until I understand the concept, so to avoid others to have my difficulties; I created this simple how to.
SSL requires certificate, while Lotus Domino support the certificate that created by third party organizations, Lotus Domino also have the capabilities to create it own certificate called Self-Certified Certificate. The problem with Self-Certified Certificate that you need to accept the certificate (trust) before you can use it, while the third party certificate already trusted.
This how to will only to discuss about how to create Self-Certified Certificate, this how to will not discuss about the certificate that created by third party organizations. The idea of self-certified certificate is that you can quickly setup your own SSL certificate.
This how to required Lotus Notes client, access to Lotus Domino server as Lotus Domino administrator, and have access to copy files to Lotus Domino server.
Server Certificate Administration Database
When you install Lotus Domino in the first place, it will automatically created a database called Server Certificate Administration. You will need this database to create your own Self-Certified Certificate. Find and open the Server Certificate Administration or certsrv.nsf in the server, if not available you can create it with the template: csrv50.ntf, give the database name certsrv.nsf
There are several options in the left menu, just ignore it. We only want to create Self-Certified Certificate, click the “Click Key Ring with Self-Certified Certificate“.
Create Key Ring
Now, there are several fields that need to be filling in. There should be enough help in the Quick Help, but to make it easier, these are the examples:
Key Ring Information
Key Ring File Name
The file name of the key ring, the key ring should have kyr extension. If you have several servers that need SSL connection, better give it more understanding name. In this example I give my file name as selfcert-st01.kyr, where st01 is my server name.
Password and Password Verify
No need to explain about it. 🙂
The Full Qualified Domain Name (FQDN) of the server. In this example I put st01.indomino.net, because my server will be accessible with st01.indomino.net. Make sure that you can connect to your server with your FQDN.
Explain about your organization, or your company. I use indomino in the organization.
Organizational Unit (optional)
If you need to break your organization in more details, maybe based on departments or locations. I leave it blank; you can put your department or location.
City or Locality (optional)
Your city name, I put Jakarta
State or Province
Your Province, I put Jakarta
Because I live in Indonesia, I put ID
Make sure everything is correct than click the big button in the bottom of the page “Create Key Ring with Self-Certified Certificate“
It will create the key ring and it will notify you that the key ring has been created.
The process will create two file names in your notes data folder, selfcert-st01.kyr and selfcert-st01.sth. The files will be located in your local drive. You need to copy both file to the Lotus Domino server in the Lotus Domino Data directory.
Enable the SSL
Now the fun part, how to enable the Self-Certified Certificate with your Lotus Domino.
- Open your Lotus Domino directory, you have to have full access to it.
- Find and edit your current server document configuration (If you using internet sites you have to edit or add the internet sites documents)
- Go to Ports tab and find the SSL settings
- In the SSL key file name field, type your kyr file that you just created, I put selfcert-st01.kyr and just let other setting as default.
- Now you can enable SSL in any protocols, in this how to I will enable it in HTTP protocol.
- Go to Web tab, and find the SSL port status then change it into enable
- Click save and close
Now you can access your website with https, use your server FQDN to access your website.
if you access your website via internet explorer or firefox, there will be an error message telling you that the certificate is not trusted, just ignore it and click continue.
To prevent this annoying pop up, you need to accept the certificate in your certificate list.
This how to accept the certificate in MS Internet Explorer.
In the address bar, there will be a message telling that the site have certificate error.
Follow these steps to add your certificate as trusted certificate.
- Click it and click view certificate
- Click install certificate, don’t click automatically install, click browse instead.
- Select the trusted root certificate authority, and then click finish.
- There will be a big warning, just ignore it and click yes.
- Restart internet explorer, now you can access your website without certificate warning.
Now you have SSL enabled Lotus Domino server. You can use SSL not only in the HTTP, but also in Email and LDAP.
With HTTPS enabled, your users can change their own password from webmail.