How to import a wildcard SSL certificate (PFX/P12) into IBM Domino

Importing a wildcard SSL certificate into an IBM Domino keyring file can be surprisingly complicated. This happened to me with certificates from StartCom.

Since the Domino Server Certificate Administration database cannot generate CSRs with the newer hash algorithms that some CAs now require, I was forced to create the key pair through the StartSSL.com website. But there is no way in Domino to import the signed certificate together with its private key (the PFX/P12 file) directly into the Domino keyring file. Keep in mind that a key pair generated on a CA's website has, by construction, existed on systems other than your own; generating the key locally and submitting only the CSR avoids that, which is exactly what the Domino tooling could not do here.

Thanks to several sources on the internet (mainly Gabriella Davis at http://blog.turtleweb.com), I modified the procedure to make it easier. Here is what I did:

Convert the PFX/P12 file

  • Import the PFX/P12 file (certificate with private key) delivered by the CA into Internet Explorer.
  • Use Internet Options to export the certificate again as a PFX, choosing to export the private key, to include all certificates in the certification path (the parent CAs), and the low-security option (strong protection not enabled). The re-exported file is a PKCS#12 file in a form that the IBM Key Management tool accepts.
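The Internet Explorer round trip above is a GUI step. The following shell script, added here as an example and not part of the original post, does the equivalent with the OpenSSL command line and runs the checks worth doing before the import: it splits the PFX delivered by the CA into leaf certificate, private key and chain, confirms that the key belongs to the certificate, shows the signature hash and the SAN entries, and re-packs everything as a PKCS#12 file that uses the older SHA-1/3DES encryption. The assumption is that this is what the IE export achieves, because the GSKit 5 iKeyman predates the AES/PBES2 PKCS#12 encryption that current OpenSSL produces by default. The self-signed *.example.com certificate is constructed test data standing in for the CA-issued one; file names and passwords are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: OpenSSL equivalent of the
# Internet Explorer import/export round trip, plus pre-import checks.
# Assumes the openssl CLI (1.1.1 or later) is installed.
set -eu

WORK=$(mktemp -d)   # scratch directory; delete it once the .kyr is built

# Constructed demo input standing in for the PFX downloaded from the CA:
# a self-signed wildcard certificate with its private key (assumption, not
# real CA data). Current OpenSSL packs it with AES/PBES2 by default.
make_demo_pfx() {   # make_demo_pfx <out.pfx> <password>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=*.example.com" \
    -addext "subjectAltName=DNS:*.example.com,DNS:example.com" \
    -keyout "$WORK/demo-key.pem" -out "$WORK/demo-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/demo-cert.pem" -inkey "$WORK/demo-key.pem" \
    -passout "pass:$2" -out "$1"
}

# Split a PFX into leaf certificate, private key and CA chain (PEM files).
split_pfx() {       # split_pfx <in.pfx> <password> <outdir>
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/cert.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/chain.pem" 2>/dev/null
}

# Signature hash of the leaf certificate; the post notes that some CAs no
# longer accept SHA-1, and this shows what you actually received.
cert_sig_alg() {    # cert_sig_alg <cert.pem> -> e.g. sha256WithRSAEncryption
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Does the certificate cover the wildcard name? Looks at the SAN extension
# (clients ignore the CN, so the wildcard has to be in the SAN list).
cert_has_san() {    # cert_has_san <cert.pem> <dns-name>
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' | grep -qF -- "DNS:$2"
}

# Confirm the private key belongs to the certificate: a mismatched pair is a
# classic reason a keyring import fails, and nothing should be copied into
# the Domino data directory before this holds.
key_matches_cert() {    # key_matches_cert <cert.pem> <key.pem>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Re-pack as PKCS#12 using the PBES1 algorithms (SHA-1 with 3DES, SHA-1 MAC)
# that old importers such as gsk5 ikeyman understand. Assumption: the IE
# re-export in the post works because it produces this kind of file.
repack_pfx_legacy() {   # repack_pfx_legacy <dir with cert/key/chain.pem> <out.pfx> <password>
  if [ -s "$1/chain.pem" ]; then chain="-certfile $1/chain.pem"; else chain=""; fi
  # shellcheck disable=SC2086  # $chain is intentionally word-split
  openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" $chain \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$3" -out "$2"
}

# List the distinct encryption schemes a PFX uses; anything other than the
# SHA-1/3DES or SHA-1/RC2 PBE schemes is unlikely to open in a tool from 2000.
pfx_algorithms() {  # pfx_algorithms <in.pfx> <password>
  openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 \
    | awk -F': ' '/Encrypted data|Shrouded Keybag/ { split($2, a, ","); print a[1] }' | sort -u
}

# Demo run on the constructed input.
make_demo_pfx "$WORK/from-ca.pfx" demo-pass
mkdir "$WORK/split"
split_pfx "$WORK/from-ca.pfx" demo-pass "$WORK/split"
echo "signature algorithm: $(cert_sig_alg "$WORK/split/cert.pem")"
if cert_has_san "$WORK/split/cert.pem" '*.example.com'; then echo "SAN covers *.example.com"; else echo "WARNING: no wildcard SAN"; fi
if key_matches_cert "$WORK/split/cert.pem" "$WORK/split/key.pem"; then echo "key matches certificate"; else echo "ERROR: key/certificate mismatch"; exit 1; fi
echo "schemes before: $(pfx_algorithms "$WORK/from-ca.pfx" demo-pass | tr '\n' ' ')"
repack_pfx_legacy "$WORK/split" "$WORK/for-ikeyman.pfx" demo-pass
echo "schemes after:  $(pfx_algorithms "$WORK/for-ikeyman.pfx" demo-pass | tr '\n' ' ')"
echo "import $WORK/for-ikeyman.pfx into the new .kyr with the IBM Key Management tool"
```

The re-packed file is the one to import in the next section; the split PEM files and the scratch directory hold the private key in clear and should be deleted as soon as the keyring has been built.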

Create a new keyring file

  • Download and unzip the IBM Key Management tool (iKeyman).
    => ftp://ftp.software.ibm.com/software/lotus/tools/Domino/gsk5-ikeyman.zip
  • Start gsk5ikm.exe (located in gsk5-ikeyman\gsk5\bin).
  • Create a new key database file of type .kyr and set its password with no expiration.
  • Select "Personal Certificates" and import the PKCS#12 file exported from Internet Explorer in the previous section.
  • Exit the IBM Key Management tool.

Set the Domino keyring password (stash file)

  • Open any Domino Server Certificate Administration database, or create a new one from the template certsrv.ntf.
  • Open the view "View and Edit Key Rings".
  • Use the action "Change Key Ring Password". The old and the new password can be the same; the point of this step is that Domino writes the stash file (.sth) belonging to the keyring, which the server needs to open the keyring without a password prompt.

Activate the Domino keyring file

  • Copy the keyring files (.kyr and .sth) into the Domino data directory. Treat both like the private key itself: the stash file only obfuscates the keyring password, so anyone who can read the two files can recover the private key. Restrict the file permissions accordingly.
  • Configure the Domino server to use the key file: in the Server document (Ports > Internet Ports, "SSL key file name") or, if Internet Sites are used, in the Internet Site documents (Security tab). Then restart the HTTP task (tell http restart at the console) so that it picks up the new keyring.

I hope this helps someone.