How to enable SSL in Lotus Domino

One of the good things about Lotus Notes/Domino is that it has a very good help system in NSF format. Lotus Notes/Domino ships with three basic help databases: one for regular Lotus Notes users, one for Lotus Notes programmers/designers, and one for Lotus Domino administrators. All of the help databases are easy to read and understand.

But even the easiest documentation can become confusing sometimes. One such topic is how to enable SSL on Lotus Domino servers.

I had to read it many times before I understood the concept, so to spare others my difficulties, I created this simple how-to.

SSL requires a certificate. While Lotus Domino supports certificates issued by third-party organizations, it can also create its own certificate, called a Self-Certified Certificate. The problem with a Self-Certified Certificate is that you need to accept (trust) the certificate before you can use it, whereas a third-party certificate is already trusted.

This how-to only discusses how to create a Self-Certified Certificate; it does not cover certificates issued by third-party organizations. The idea of a self-certified certificate is that you can quickly set up your own SSL certificate.

This how-to requires a Lotus Notes client, access to the Lotus Domino server as a Lotus Domino administrator, and the ability to copy files to the Lotus Domino server.

Server Certificate Administration Database

When you first install Lotus Domino, it automatically creates a database called Server Certificate Administration. You need this database to create your own Self-Certified Certificate. Find and open the Server Certificate Administration database (certsrv.nsf) on the server; if it is not available, you can create it from the template csrv50.ntf and give the database the name certsrv.nsf.

There are several options in the left menu; ignore them. We only want to create a Self-Certified Certificate, so click “Create Key Ring with Self-Certified Certificate”.

Create Key Ring

Now there are several fields that need to be filled in. The Quick Help should explain them well enough, but to make it easier, here are the examples:

Key Ring Information

Key Ring File Name

The file name of the key ring; it should have the .kyr extension. If you have several servers that need SSL connections, give it a more meaningful name. In this example I named my file selfcert-st01.kyr, where st01 is my server name.

Password and Password Verify

No need to explain about it. 🙂

Distinguished Name

Common Name

The Fully Qualified Domain Name (FQDN) of the server. In this example I put st01.indomino.net, because my server will be accessible as st01.indomino.net. Make sure that you can connect to your server using your FQDN.

Organization

Your organization or company. I use indomino as the organization.

Organizational Unit (optional)

Use this if you need to break your organization down in more detail, perhaps by department or location. I leave it blank; you can put your department or location.

City or Locality (optional)

Your city name. I put Jakarta.

State or Province

Your province. I put Jakarta.

Country

Because I live in Indonesia, I put ID.

Make sure everything is correct, then click the big button at the bottom of the page, “Create Key Ring with Self-Certified Certificate”.

This creates the key ring and notifies you that the key ring has been created.

The process creates two files in your Notes data folder, selfcert-st01.kyr and selfcert-st01.sth. The files are on your local drive; you need to copy both files to the Lotus Domino Data directory on the Lotus Domino server.

Enable the SSL

Now the fun part: how to enable the Self-Certified Certificate on your Lotus Domino server.

  1. Open your Lotus Domino Directory; you need full access to it.
  2. Find and edit your current server document (if you are using Internet Sites, you have to edit or add the Internet Site documents instead).
  3. Go to the Ports tab and find the SSL settings.
  4. In the SSL key file name field, type the name of the .kyr file you just created; I put selfcert-st01.kyr and leave the other settings at their defaults.
  5. Now you can enable SSL for any protocol; in this how-to I enable it for HTTP.
  6. Go to the Web tab, find the SSL port status, and change it to Enabled.
  7. Click Save and Close.

Now you can access your website over HTTPS; use your server's FQDN to access it.
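Once the server is up on HTTPS, it is worth checking what certificate it actually serves before touching any browser trust store. The script below is an added example, not part of the original post: it fetches the certificate from the Domino SSL port and compares it with the Distinguished Name values entered above (CN equal to the FQDN, subject equal to issuer for a self-certified certificate, not yet expired). It assumes the openssl command-line tool is installed; the host name st01.indomino.net is the example from this how-to.

```shell
#!/bin/sh
# Added example (not from the original post): after enabling SSL on Domino, fetch the
# certificate the server presents on port 443 and compare it with the Distinguished Name
# entered in the Server Certificate Administration form. Assumes openssl is installed.

# fetch_server_cert HOST [PORT]: print the certificate served on HOST:PORT as PEM.
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_field PEMFILE subject|issuer: the DN without its "subject=" / "issuer=" prefix.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# cert_cn PEMFILE: the Common Name, which must equal the FQDN users connect to.
cert_cn() {
    cert_field "$1" subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# is_self_signed PEMFILE: a self-certified certificate has identical subject and issuer.
is_self_signed() {
    [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]
}

# check_cert PEMFILE EXPECTED_FQDN: report the certificate; return 0 only if the CN
# matches the FQDN and the certificate has not expired (an expired one needs a new key ring).
check_cert() {
    pem=$1; fqdn=$2; status=0
    echo "subject: $(cert_field "$pem" subject)"
    echo "issuer:  $(cert_field "$pem" issuer)"
    openssl x509 -in "$pem" -noout -dates
    if is_self_signed "$pem"; then
        echo "self-signed: yes (browsers warn until the certificate is explicitly trusted)"
    fi
    cn=$(cert_cn "$pem")
    if [ "$cn" != "$fqdn" ]; then
        echo "MISMATCH: CN '$cn' differs from the FQDN '$fqdn'"; status=1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: certificate is past its notAfter date"; status=1
    fi
    return $status
}

# Example run against a live server: fetch_server_cert st01.indomino.net > srv.pem && check_cert srv.pem st01.indomino.net
```

A CN mismatch here means the browser warning will persist even after the certificate is trusted, so fix the key ring before distributing it.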

If you access your website with Internet Explorer or Firefox, there will be an error message telling you that the certificate is not trusted; just ignore it and click Continue.

To prevent this annoying pop-up, you need to add the certificate to your trusted certificate list.

This is how to accept the certificate in MS Internet Explorer.

In the address bar, there will be a message telling you that the site has a certificate error.

Follow these steps to add your certificate as a trusted certificate.

  1. Click it, then click View Certificate.
  2. Click Install Certificate. Don't let it pick the store automatically; click Browse instead.
  3. Select Trusted Root Certification Authorities, then click Finish.
  4. There will be a big warning; just ignore it and click Yes.
  5. Restart Internet Explorer; now you can access your website without the certificate warning.

Now you have an SSL-enabled Lotus Domino server. You can use SSL not only for HTTP, but also for email and LDAP.

With HTTPS enabled, your users can change their own password from webmail.


6 Comments


  1. Great article!
     Very useful for me.
     Thanks a lot.


  2. Hi Budi, how do I extend the certification? Is it valid for one year only?


  3. Well, I never thought about it before. 🙂
     From the Lotus Domino Administration Help database, you have to create a new one.

     Start quote
     After a certificate expires, you can no longer use it to communicate with servers and clients.
     If you obtained a server certificate from an IBM® Lotus® Domino™ certificate authority, request a new one.
     If you obtained a server certificate from a third-party certificate authority, you may be able to renew it by submitting a request to the third-party CA’s Web site, which often includes your user name, password, and a challenge phrase. If it is possible to renew your server certificate, this information is accepted and you will be prompted to renew. If you cannot renew your server certificate, you will have to submit a request for a new one.
     End quote


  4. After completing the settings above and starting the HTTP service, I get an error stating ‘Error binding http to port 443’. Changing the port did not resolve it. The port is free, there is no antivirus and no other application except Lotus Domino and Traveller.


  5. This is mostly because something else is using the port; you can use netstat to check whether something else is using the port.


  6. Where can I find the current server document configuration?

     Step 2 under “Enable the SSL”.

     Thank you