Setting up TLS on a server-based CA server

Because server administrators and clients use browsers to access the CA server to request and pick up certificates, use TLS to protect the CA server. When you set up the CA server for TLS, you create the server key ring file and request a server certificate. Domino® automatically approves the server certificate and merges the CA certificate as a trusted root.

About this task

For information on approving server certificate requests for Domino® servers that are not CA servers, see the related topic Signing server certificates.

Note: There are cases when you might want to use the Domino® 5 certificate authority, for example, if you want to set up Domino® for TLS using a third party certificate. For more information, look in the related topics for the technote Setting up a Domino® 5 certificate authority.

To set up TLS on a server-based CA server


  1. Create an Internet certifier.
  2. Create the Certificate Requests application (CERTREQ.NSF).
  3. Do the following to create a server key ring file to store the server certificate, and merge the CA certificate as a trusted root into the server key ring file:
    1. In the Certificate Requests database, choose Domino Key Ring Management > Create Key Ring.
    2. In the Create Key Ring form, complete these fields:
    3. Verify the information in the Key Ring Created dialog box, then click OK to add your CA as a trusted root and generate a certificate request for the server.
    4. Verify the information in the Merge Trusted Root Certificate Confirmation dialog box and click OK.
    5. When the Certificate received into key ring and designated as trusted root confirmation dialog box appears, click OK.
    6. When the Certificate Request Successfully Submitted for Key Ring dialog box appears, click OK.

    If you chose Automatic as the processing method used by the Certificate Requests database, continue with Step 5. If you chose Manual, then complete Steps 4 through 6.

  4. Do the following to transfer the certificate request to the Administration Requests database:
    1. In the Certificate Requests database, open the Submitted/Waiting for Approval view. If the request does not appear, press F9 to refresh the view.
    2. If the request status is Submitted to Administration Process, continue with Step 5. If the request is still Pending, highlight the request and click Submit Selected Requests.
    3. When you see Successfully submitted 1 request(s) to the Administration Process, click OK.
  5. Have an authorized registration authority approve the request. This RA should be authorized for the certifier for which you are setting up TLS.
    1. Open the Administration Requests database (Admin4.nsf), and then open the Certification Authority Requests/Certificate Requests view and find the new request.
    2. Open the request and verify the information in it.
    3. Click Edit Request, then Approve Request. Press F9 until the request changes to Issued.
  6. Transfer the certificate request out of the Administration Requests database:
    1. Close the Administration Requests database and return to the Certificate Requests database.
    2. Open the Pending/Submitted Certificates view and locate the request. If necessary, refresh the view.
    3. If the certificate has not yet been issued, click Pull Selected Request(s).
  7. After the CA signs the request for a server certificate and notifies you to pick up the certificate, do the following:
    1. Do one:
      • Open the Administrator's mail file, locate and open a message with the subject Your certificate request has been approved, and copy the pickup ID to the Clipboard.
      • From the Certificate Requests database, open the Submitted/Accepted view, then open the issued server request and copy the Request ID to the clipboard.
    2. In the Certificate Requests database, choose Domino Key Ring Management, then Pickup Key Ring Certificate.
    3. Enter the key ring file name and password, paste the pickup ID into the form, and click Pickup Certificate.
  8. Do the following to merge the approved server certificate into the key ring file:
    1. When the Merge Signed Certificate Confirmation dialog box appears, verify the information and click OK.
    2. When the Certificate received into key ring confirmation appears, click OK.
    3. Copy or use FTP (in binary mode) to transfer the new key ring file and its associated .sth file to the server's data directory.
  9. Configure the port for TLS:
    1. In the Domino® Directory, open the Server document. In the Ports/Internet Ports section, click Edit Server and enter the name of the new key ring file. (Do not include the full path to the key ring file. Specify only the file name.) Enable the TLS Port Status field and then click Save and Close.
      Note: As an optional step, while editing the Server document, enable Session authentication in the Internet Protocols/Domino Web Engine section. This ensures that HTTP sessions will time out in the number of minutes that are specified in the Idle session timeout field. The Maximum active sessions may also be specified.
    2. If HTTP is already running, at the console type te http restart to enable TLS on the server.
    3. To show TLS status and to verify that the HTTP server is listening on both 80 and 443, type te http show security at the server console.
  10. Do the following to confirm that TLS is working on the server.
    1. Open a browser, and enter the URL of the server -- for example:
    2. If the New Site Certificate dialog box appears, click Next.
    3. Click More Info to verify the information, then click Next.
    4. Decide whether or not to accept the new site certificate, and for how long, then click Next.
    5. Decide whether or not you want to see a warning every time you access the new site, then click Next. When the dialog box appears, click Finish.


If the Security indicator (a padlock icon) is closed (locked), you have successfully established a secure session over TLS.