Ask a Question

Advanced Search

Alert ID : INFO1992

Last Modified : 04/26/2019

Certificate Signing Request (CSR) Generation Instructions for Lotus Domino 6.x and 7.x


This document was created to assist with the generation of a Certificate Signing Request (CSR) for Lotus Domino 6.x and 7.x. If this document can not be used within the environment, RapidSSL recommends contacting an organization that supports Lotus Domino 6.x and 7.x.

NOTE: As of 1/1/2016 all public SSL certificates must be issued as SHA-256 with at least a 2048-bit key size.  Please ensure that the server can support these standards before requesting a certificate.

Before requesting a certificate, a key ring must be created. A key ring file is a binary file that is password-protected and stored on the server's hard drive. When creating a server key ring file (.KYR), Domino generates an unsigned server certificate and automatically includes several trusted root certificates.  Domino also creates a stash file (.STH) using the same name as the key ring file, but with the file extension .STH. Domino uses the stash file to store the key ring file password for unattended access to the server key ring file. 

 Step 1: Creating a server key ring file

  1. From the Notes client open the Server Certificate Admin application on the server.
  2. Click Create Key Ring
  3. Complete the following fields:

    Key Ring File Name: Enter a name for the key ring file.
    Key Ring Password: Enter a password for the key ring.
    Key Size: The key size must be at lease 2048 bits
    Country Name (C): Use the two-letter ISO code without punctuation for country, for example: US
    State or Province (S): Enter the state or province where the organization is headquartered.  Do not abbreviate, for example: California
    Locality or City (L): The Locality field is the city or town name, for example: Mountain View
    Organization (O): Enter the organization name as it is registered.  Avoid special characters.  For example:  Symantec Corporation
    Organizational Unit (OU): This field is the name of the department or organization unit making the request.  For example, Technical Support
    Common Name (CN): The Common Name is the host + domain. For example, or * for a wildcard.
  4. Click Continue
  5. Click Create Key Ring
  6. Review the information about the key ring file and distinguished name, click OK
  7. Lotus Notes creates the key ring file and stash (.STH) file and places them in the Lotus Notes data directory on the client machine used to create the key ring.
  8. Copy the key ring file and stash (.STH) file to the Domino data directory on the server.
  9. Verify your CSR

Step 2: Requesting a SSL certificate

  1. From the Notes client, open the Domino Directory of the server on which you want to create SSL
  2. Open the Server Certificate Admin application.
  3. Click Create Certificate Request
  4. Complete these fields:

    Key Ring File Name: The name of the server key ring file including the path to the file
    Log Certificate Request: Choose one: Yes (default) to log information in the Server Certificate Admin application or No to not log information.
    Method: Select the method that allows the CSR text to be pasted into a Certificate Authority enrollment form.
  5. Click Create Certificate Request
  6. Enter the password for the server key ring file
  7. Copy the certificate request to the system Clipboard including the header and footer lines.
  8. Proceed with Enrolment on RapidSSL website and submit the CSR request when required in the enrolment form.

Once the certificate has been issued, refer to this link for installation instructions.

For additional information, reference to IBM Lotus Domino server documentation (Click Security - SSL security - Setting up SSL).