Requesting and importing a key and certificates from a third-party CA

Beginning with HCL Domino® 12, the process for configuring internet certificates from third-party certificate authorities (CAs) on a Domino server is made simpler.

Before you begin

Complete the procedure Running CertMgr.

About this task

Options in the Certificate Store database (certstore.nsf) make it easy to generate the key and certificate signing request and then to import the certificates received from your CA. In releases prior to Domino 12, you are required to use the kyrtool command-line tool and often the openssl command-line tool to complete these steps.

The outgoing and incoming certificate format is PEM (Base64 encoded DER).


  1. Open the Certificate Store database (certstore.nsf).
  2. From the TLS Credentials view, click Add TLS Credentials.
  3. In the Host names field, enter the host name of the internet-facing server for which you are requesting a certificate. If a single IP address is mapped to more than one Web host through Internet Sites, specify the Subject Alternative Name (SAN) name for each Web host. You can add up to 30 SANs for one certificate.
  4. In the Servers with access field, select the Domino servers with which to encrypt the private key of the TLS credentials so that they can read the private key and use the certificates.
  5. In the Certificate Provider field, select Manual.
  6. If you want to add one or more trusted root certificates, select the Security/Keys tab of the TLS Credentials document. In the Trusted Roots field, select the trusted root certificate you added previously to certstore.nsf. For more information, see Adding trusted root certificates.
  7. The Global Settings document provides default values for the remaining fields, which you can optionally modify. For more information, see Configuring Global Settings
  8. Click Submit Request to generate the TLS key pair and CSR.
  9. When the value of the Status field changes to Waiting, copy the content of the Certificate signing request (CSR) field and submit to the CA.
  10. When you receive the certificates from the CA, click the Manual tab in the TLS Credentials document and paste the certificates into the Certificates & Roots (PEM) field. Certificates in a chain can be specified in any order.
  11. Click Submit Request again to complete the process.
  12. Look at the Status field in the TLS Credentials document to see if the request is successful and if not, why.