Importing and cross-certifying the IdP Internet certificate

When SSL is used between an IdP and Domino, import the IdP SSL certificate into the Domino directory and cross-certify it.


  1. Connect to the IdP using the Firefox browser.
  2. Click the certificates lock icon in the address bar and view the certificates.
  3. Click the Details tab and select the Certificates KeyUsage field.
  4. Verify that the Certificates KeyUsage field contains values for Certificate Signer and CRL Signer. In the following example, the values are missing:
    Certificate fields without Certificate Signer and CRL Signer
    1. If the Certificates KeyUsage field does not include these values, select the certificate one level up in the certificate hierarchy and confirm that you see the values.
  5. Export the selected certificate and save it as a Base 64 encoded X.509 Certificate (.cer) file. In ADFS, use the following steps:
    1. Select the Certificate Authority (issuer). It should show the Certificate Signer and CRL Signer values.
    2. Start the Certificate Export Wizard:
      1. Click Server Manager > Tools > Certification Authority.
      2. Select the certificate, right-click, and select Properties.
      3. On the General tab click View Certificate.
      4. On Details tab click Copy To File.
    3. Export the file as type Base-64 encoded X.509 (.CER).

      Base-64 encloded X.509 (.CER) shown as export file format.

      Example of page that shows when you complete the Certificate Export Wizard.
  6. Import the certificate into the Domino directory used by the ID vault and web servers and then cross-certify it:
    1. Open the directory in Domino Administrator.
    2. Select People & Groups > Certificates > .
    3. Select Actions > Import Internet certificate.
    4. Open the certificate in the Certificates view.
    5. Select Actions > Create cross certificate .
      Note: In the Issue Cross Certificate dialog box, click Certifier and switch to the root Domino domain certifier, for example /Renovations.
    6. Cross-certify the certificate with the root Domino domain certificate.
    7. The cross-certificate is added to the Certificates view under the category Not Categorized.