Importing and validating trusted roots using an ICAP connection

Domino requires a secure, trusted connection to the ICAP server for virus scanning. You must establish that you trust one or more of the ICAP server's root certificates before virus scanning can operate. Domino stores data about trusted roots in certstore.nsf. To simply the configuration process, the trusted root for the connection can be automatically imported from the ICAP server using an action in the cscancfg.nsf configuration document. This process involves both certstore.nsf and cscancfg.nsf.


  1. Ensure that certstore.nsf exists. If it does not, see the Using a credential store to store credentials section for instructions on creating a certstore.nsf appropriate to your environment.
  2. Select the Scan Config tab of your cscancfg.nsf configuration document and specify all the settings under Scan Configuration.
  3. Click the Import Trusted Root via CScan Connection action to invoke the import process on the server. A dialog similar to the one shown below will display. Click OK. The server on which you have opened cscancfg.nsf will initiate a TLS connection to the configured ICAP server and import its root certificates into certstore.nsf on that same server.
  4. Use the Open Certificate Store action to open cerstore.nsf on the same server on which you opened cscancfg.nsf, and open the Trusted Roots view.
    You see all available trusted roots.
  5. Restrict the list of trusted roots to those under the ICAP category, that is, roots that are trusted for ICAP use only.
  6. Now, validate the trusted root as follows:
    1. Expand the ICAP category. Any new trusted roots added by the preceding steps have been added under that category, in a pending state.
    2. Open the document for a root certificate that you want to examine. Verify that the Status is Pending Validation and the Certificate status is Valid.
    3. Verify the name and fingerprint of the new certificate.
    4. Use the action Mark trusted root validated to validate the trusted root.
    5. Save the trusted root document. The status of the certificate document will now be Issued to indicate it is a trusted root.
  7. Return to the cscancfg.nsf configuration document. The Trusted roots field should now be populated with all of the ICAP validated, trusted roots from certstore.nsf. If there is more than one trusted root listed, and you wish to restrict Domino to trusting only some of them, click on the twistie to bring up a "Select Keywords" dialog where you can select which trusted roots will be accepted for this configuration.