Requesting and importing a key and certificate from third-party CA

In HCL Domino® 12, the process for configuring internet certificates from third-party certificate authorities (CAs) on a Domino server has been made simpler.

Before you begin

Complete the procedure Running CertMgr.

About this task

Options in the Certificate Store database (certstore.nsf) make it easy to generate the keyring file and certificate signing request and then to import the certificates received from your CA. In prior releases, you were required to use the kyrtool command-line tool and often the openssl command-line tool to complete these steps.

The outgoing and incoming certificate format is PEM (Base64 encoded DER).


  1. Open the Certificate Store database (certstore.nsf).
  2. From the TLS Credentials view, click Add TLS Credential.
  3. In the Hostnames field, enter the host name of the internet-facing server for which you are requesting a certificate. If a single IP address is mapped to more than one Web host through Internet Sites, specify the Subject Alternative Name (SAN) name for each Web host. You can add up to 30 SANs for one certificate.
  4. In the Certificate Provider field, select Manual.
  5. In the Key Type field, accept the default value, ECDSA.
  6. In the Curve Name field, accept the default value, NIST P-384.
  7. In the Certificate Attributes section of the document, provide the Organization to be used for the certificate. Provide the additional attributes (Country, Locality, State or Province Name, Organizational Unit Name) as needed.
  8. Click Submit Request to generate the CSR and keyring file.
  9. When the value of the Status field changes to Waiting, copy the content of the Certificate Signing Request (CSR) field and submit to the CA.
  10. When you receive the certificates from the CA, paste them into the Certificates & Roots (PEM) field. Order the returned certificates as follows in the field:
    • At the top: Leaf (host TLS) certificate
    • In the middle: Intermediate certificates matching the chain, in order.
    • At the bottom: Root certificate
  11. Click Submit Request again to finalize and create or update the PEM data and kyr file.
  12. Look at the Status field in the KeyFile document to see if the request is successful and if not, why.