Thursday, June 02, 2011

How to renew SSL certificate in Lotus Domino Server with Verisign certificates

SSL certificates on Domino servers usually need to be renewed yearly, so check the expiry date of the current certificate well before it runs out.

Before starting the renewal procedure, back up the key ring (.kyr) and stash (.sth) files by making a copy of both. The stash file holds the key ring password, so protect the copies as carefully as the originals.

Renewing the certificate involves the following steps:
  • Copy the server's key ring and stash file into the Lotus Notes data folder of your local workstation
  • Create the certificate request
  • Install the received certificate into the key ring
1. Copy the server's key ring and stash file

Copy the server's key ring (.kyr) and stash (.sth) files from the server's data directory to the data directory of the administrator's local Notes client.
    -If Domino runs on a Unix host, WinSCP is a convenient GUI tool for fetching the files from the Unix server to the local PC. Use binary transfer mode; an ASCII transfer corrupts the key ring.

2. Create Certificate Request

a.   From the Notes client, open the Server Certificate Admin application 'certsrv.nsf' on the server whose SSL certificate you want to renew.
b.   Click "Create Certificate Request", as shown in the screenshot below.

 c.   Fill in the required details, such as the CA's e-mail address ...

When 'Create Certificate Request' is clicked after the required details have been filled in, the pop-up window shown in the screenshot below appears.

Click OK.

The request sent to the CA is recorded in the View Certificate Request Log view.

Note that the request is generated from the key ring you copied, so the renewed certificate is issued for the key pair already in that key ring. If you want a new key pair rather than a new certificate for the old one, create a new key ring and request a certificate for that instead.
3. Install Certificate into Key ring
When the requested certificate is received from the CA, it must be merged into the key ring (.kyr) file.
a.   From the Notes client, open the Server Certificate Admin application certsrv.nsf on the server whose SSL certificate you want to renew.
b.   Click "Install Certificate into Keyring", as shown in the screenshot below.

Click the 'Merge Certificate into Key ring' button to install the certificate, and verify the information shown in the windows that follow.

A WARNING pop-up appears; review it and click OK.

Note: if you get the error 'Unrecognized Certificate Authority signature' (see the screenshot below), the key ring does not yet trust the CA that signed your certificate. You first need to install the Trusted Root certificates (the root and the intermediate CA certificate) into the key ring, and only then repeat "Install Certificate into Keyring".

You need to get the trusted root and intermediate certificates from the Verisign website:
http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html (refer to the Verisign website for the latest information/advice)

Once the certificate has been merged, copy the updated .kyr (and .sth, if it changed) back to the server's data directory, replacing the originals, and restart the HTTP task so that Domino picks up the new certificate.
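The following script is an added example for this post; it is not part of the original procedure and not IBM or VeriSign tooling. It builds a throwaway root -> intermediate -> server chain with the openssl CLI (constructed test data, with no real VeriSign certificates) and shows the three checks worth running on the PEM files the CA sends back before you merge anything into the key ring: that the certificate belongs to the request you sent, that it chains to the root only when the intermediate is present (the situation Domino reports as 'Unrecognized Certificate Authority signature'), and how long it has left before the next renewal. openssl cannot read the proprietary .kyr/.sth files, so the checks run on the PEM and CSR files only; the script assumes a POSIX sh and openssl 1.1 or later, and the host name domino.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or from IBM/VeriSign.
# Constructed test chain: root (self-signed) -> intermediate -> server.
# Assumes POSIX sh and openssl >= 1.1; domino.example.com is a placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Build the constructed test chain. The server CSR plays the role of the
# request Domino generates from the key ring.
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:domino.example.com\n' \
    > "$WORK/srv.ext"

  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=Example Test Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=domino.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/srv.ext" \
    -out "$WORK/server.pem" 2>/dev/null
}

# Check 1: the issued certificate carries the same public key as the CSR,
# i.e. it really is the answer to the request you logged in certsrv.nsf.
cert_matches_csr() {   # cert.pem request.csr
  cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  csr_key=$(openssl req -in "$2" -noout -pubkey -config "$WORK/req.cnf" 2>/dev/null)
  [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# Check 2: does the certificate chain to the trusted root? Without the third
# argument the intermediate is missing, which is the state of a key ring that
# has the root merged but not the intermediate.
verify_chain() {       # cert.pem root.pem [intermediate.pem]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Check 3: true when the certificate expires within N days (renewal is due).
expires_within() {     # cert.pem days
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

make_test_chain
if verify_chain "$WORK/server.pem" "$WORK/root.pem"; then
  echo "unexpected: verified without the intermediate"
else
  echo "root only: verification fails (Domino: 'Unrecognized Certificate Authority signature')"
fi
if verify_chain "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem"; then
  echo "root + intermediate: OK, safe to merge the server certificate"
fi
if cert_matches_csr "$WORK/server.pem" "$WORK/server.csr"; then
  echo "certificate public key matches the request"
fi
if expires_within "$WORK/server.pem" 30; then
  echo "renew now"
else
  echo "more than 30 days left"
fi
```

Run it as-is to see the chain fail and then pass; to check a real delivery, call verify_chain with the server certificate, the VeriSign root and the intermediate you downloaded, and cert_matches_csr with the CSR text saved from the certificate request log. If the root-only call fails but the call with the intermediate passes, merging the intermediate first is exactly what Domino is asking for.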

Further Info
How to renew an SSL certificate stamped by a third-party Certificate Authority
http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21210804