Setting up SSL on a server-based CA server
Because server administrators and clients use browsers to access the CA server to request and pick up certificates, use SSL to protect the CA server. When you set up the CA server for SSL, you create the server key ring file and request a server certificate. Domino® automatically approves the server certificate and merges the CA certificate as a trusted root.
About this task
For information on approving server certificate requests for Domino® servers that are not CA servers, see the related topic Signing server certificates.
To set up SSL on a server-based CA server
Procedure
- Create an Internet certifier.
- Create the Certificate Requests application (CERTREQ.NSF).
- Do the following to create a server key ring file to store
the server certificate, and merge the CA certificate as a trusted
root into the server key ring file:
- In the Certificate Requests database, choose .
- In the Create Key Ring form, complete these fields:
- Verify the information in the Key Ring Created dialog box, then click OK to add your CA as a trusted root and generate a certificate request for the server.
- Verify the information in the Merge Trusted Root Certificate Confirmation dialog box and click OK.
- When the Certificate received into key ring and designated as trusted root confirmation dialog box appears, click OK.
- When the Certificate Request Successfully Submitted for Key Ring dialog box appears, click OK.
If you chose Automatic as the processing method used by the Certificate Requests database, continue with Step 5. If you chose Manual, then complete Steps 4 through 6.
- Do the following to transfer the certificate request to
the Administration Requests database:
- In the Certificate Requests database, open the Submitted/Waiting for Approval view. If the request does not appear, press F9 to refresh the view.
- If the request status is Submitted to Administration Process, continue with Step 5. If the request is still Pending, highlight the request and click Submit Selected Requests.
- When you see Successfully submitted 1 request(s) to the Administration Process, click OK.
- Have an authorized registration authority approve the request.
This RA should be authorized for the certifier for which you are setting
up SSL.
- Open the Administration Requests database (Admin4.nsf), and then open the Certification Authority Requests/Certificate Requests view and find the new request.
- Open the request and verify the information in it.
- Click Edit Request, then Approve Request. Press F9 until the request changes to Issued.
- Transfer the certificate request out of the Administration
Requests database:
- Close the Administration Requests database and return to the Certificate Requests database.
- Open the Pending/Submitted Certificates view and locate the request. If necessary, refresh the view.
- If the certificate has not yet been issued, click Pull Selected Request(s).
- After the CA signs the request for a server certificate
and notifies you to pick up the certificate, do the following:
- Do the following to merge the approved server certificate
into the key ring file:
- When the Merge Signed Certificate Confirmation dialog box appears, verify the information and click OK.
- When the Certificate received into key ring confirmation appears, click OK.
- Copy or use FTP (in binary mode) to transfer the new key ring file and its associated .sth file to the server's data directory.
- Configure the port for SSL:
- Do the following to confirm that SSL is working on the
server.
Results
If the Security indicator (a padlock icon) is closed (locked), you have successfully established a secure session over SSL.