You have followed all of the steps from the Lotus Domino SSL wiki (link at the end of this wiki page), created a Domino keyring file and submitted a CSR to your chosen Certificate Authority. Now you have received your new certificate and attempt to install it into the keyfile, but an error pops up saying that the trusted roots necessary to install it do not exist in the keyfile.
You have a few options to resolve this.
1. Go back to the certificate issuer and ask what roots are included in the certificate and from where you may download them.
2. Go to the Certificate Authority's site and browse through all existing certificates trying to find the right one.
3. Follow the steps of this article to identify and extract the exact root certificates you need.
In brief, you can save the certificate as a .cer file, view all of the root certificates in its chain, export them and merge them into your keyfile. The new SSL server certificate will then install successfully into your Domino SSL keyfile.
A. Save the certificate as a .cer file.
You may have already received the SSL server certificate as a .cer file; if so, skip to the next step.
If you received the SSL server certificate as a text file, or you copied it from the Certificate Authority's web site, you will need to save it as a .cer file. Open a text editor and copy the content of the certificate into a new text document. Include everything from the first dash to the last, with no extra spaces or carriage returns.
Be sure to save it with the file type set to *.* so that the file keeps the .cer extension.
B. Open and extract the trusted roots from the certificate file.
Locate the file on your machine and open it. In Windows double click the file and it will open.
When opened, select the Certification Path tab. Most certificates will display a chain of trust from the root certificate down to the server. In this example there is only one root certificate to export, although more often there will be two or more certificates forming the chain of trust. Domino certificates may display only the server and not the entire chain of trust.
Work through the certificates from the top down, selecting the root first and then the intermediate roots. Select the root certificate and click “View Certificate”. A new dialog box will appear. Click the Details tab and then click “Copy to File” to copy the contents of the root, in this example the VeriSign Trial Secure Server CA - G2 certificate.
The export wizard will pop up and guide you through the steps.
Click Next, and choose whether you need the certificate in binary (DER) or Base64 format. The Base64 format is more flexible, as you can later add the certificate either as a .cer file or by pasting its Base64 contents.
The dialog will allow you to save it anywhere; it is suggested that you save it to the data directory of your Notes client so that you can reference it easily later if needed. Complete the wizard prompts.
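As an added example that is not part of the original wiki, the following PowerShell script performs step B without the GUI: it builds the chain for a saved server .cer file using the Windows certificate store, writes each root and intermediate CA as a Base64 .cer file into the Notes data directory, and prints the name to enter as the Certificate Label. The two file paths are assumptions; change them for your machine.

```powershell
# Added example: walk the chain of a saved server .cer file and export each
# CA certificate (root first, then intermediates) as a Base64 .cer file,
# printing the subject name to use as the Certificate Label in Domino.
# Both paths below are assumptions; change them for your machine.
param(
    [string]$ServerCert = "C:\Temp\server.cer",
    [string]$OutDir     = "C:\Program Files\IBM\Notes\Data"
)

$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCert)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Only issuer discovery is needed here, so skip revocation lookups and
# keep building even when the root is not yet in the Windows store.
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
[void]$chain.Build($leaf)

# ChainElements[0] is the server certificate and the last element is the root;
# reverse so the root is exported (and later merged) before the intermediates.
$certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
[array]::Reverse($certs)

foreach ($cert in $certs) {
    if ($cert.Thumbprint -eq $leaf.Thumbprint) { continue }   # the server cert is not a trusted root

    $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $path = Join-Path $OutDir (($cn -replace '[^A-Za-z0-9 ._-]', '') + ".cer")

    # Base64 body wrapped at 64 characters, the same layout the export wizard
    # writes for "Base-64 encoded X.509"; no whitespace outside the dashes.
    $b64   = [Convert]::ToBase64String($cert.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    $pem   = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----"
    [System.IO.File]::WriteAllText($path, $pem, [System.Text.Encoding]::ASCII)

    $kind = if ($cert.Subject -eq $cert.Issuer) { "root" } else { "intermediate" }
    Write-Host ("{0,-12} Certificate Label: {1}" -f $kind, $cn)
    Write-Host ("             saved to: {0}" -f $path)
}
```

If the script prints nothing, Windows could not discover any issuer for the server certificate; in that case the intermediates must be obtained from the Certificate Authority (option 1 above) and saved alongside before re-running.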
Next, open the Server Certificate Admin database and select step 3 to add the trusted root to your keyring file.
Make sure that the dialog refers to the correct keyfile. In the Certificate Label field, enter the name of the root certificate exactly as it appears in the .cer file that contains the SSL certificate and the root you opened earlier to begin the process.
In this example you will open the root certificate .cer file with a text editor and copy the entire contents, from the first dash to the last, making sure that there are no extraneous spaces or carriage returns leading or trailing the dashes.
Copy this into the “Certificate from Clipboard” field and click Merge Trusted Root Certificate into Keyring.
You should be presented with a confirmation dialog showing the root information. In this example we show an intermediate certificate, and there was one more root which was merged earlier. This is why on the right you will see Trial Secure Server Root as the issuer. Otherwise this dialog would display the same information for both the Certificate Subject and the Certificate Issuer.
If it all works you will see the confirmation that the root has been merged. The character display, if not clearly discernible as below, is an anomaly, but does not affect the success of the process.
To confirm that the root has been merged you can close then reopen the Server Certificate Admin database and view the key ring. There you will see the root you merged listed with the others already in the key ring.
Now you are ready to go back to the SSL wiki and complete the installation of the SSL server certificate into your key ring file.
http://www-10.lotus.com/ldd/dominowiki.nsf/page.xsp?documentId=AD4BB68FE8A3AF8A8525772100620642&action=openDocument&mode=original