How to Generate a Certificate Signing Request in Lotus Domino Go?


If you are hosting a website using Lotus® Domino Go, you will need an SSL/TLS certificate installed to secure traffic. The first step in the process will be to create the Certificate Signing Request from your IBM Lotus Domino Go web server.

A CSR is a block of encoded text that contains your domain name, organization information and the associated public key.

Whenever you request your SSL Certificate from a Certificate Authority (CA), e.g. DigiCert, Sectigo, GlobalSign, etc., the CA will use the CSR to issue your SSL Certificate.

Here, we will explain step-by-step how to create a CSR in the Lotus Domino Go web server using the MKKF utility.

Prerequisites

Lotus Domino Go Server Installed

  • Before we proceed, please make sure that you have a fully installed and running Lotus Domino Go Web Server. The CSR generation process uses internal tools that come packaged with the server.
  • In CSR generation, we will be predominantly using the MKKF tool that came with Domino Go. Without it, you will not have access to the key management functions that allow you to create a CSR.
  • Lastly, please make sure your server is installed with the latest supported version; this helps avoid compatibility issues. You should have a working server environment before generating, managing and securely installing SSL certificates.

Administrative Rights

  • To create a CSR, you must have full administrative rights to the Domino Go server.
  • The CSR is created through the MKKF utility, which is executed at the command line. Under ordinary user permissions you would not be able to run it, and so could not create a CSR.
  • Administrative access would also enable you to create and manage the key ring file (.kyr) where your private key and certificates will be stored.

If you do not have administrative rights, the process may result in errors while creating the key ring file or writing to system directories. To avoid any issues, make sure you log in with credentials that give you the appropriate rights to access server directories, use the utilities, and modify system files for the SSL configuration.

Organization Information In Place

A CSR contains distinguished name (DN) information which represents your organization. It is a good idea to get your organization details in order prior to proceeding. The following information will be required:

  • Common Name (CN): The fully qualified domain name (e.g., www.example.com)
  • Organization (O): Your company’s legal registered name
  • Organizational Unit (OU): Department or division (optional)
  • Locality (L): City or town
  • State (ST): State or province
  • Country (C): Two-letter ISO code

With this information available, the CSR process will be much easier. Your Certificate Authority will check this information when they issue your certificate, and if you have made errors or your information is not consistent, this could lead to delays and/or rejection of your request for an SSL certificate.

Backup Directory Set

  • When the CSR is produced, Domino Go creates a key ring file (.kyr) for keeping your private key.
  • If you lose this file, your CSR becomes useless and you will have to go through the CSR generation process again. Be sure to prepare a secured backup directory ahead of time.
  • When you create your key ring file, copy the .kyr file to that location and keep it safe. If you can use encrypted storage, do so; otherwise use a secure folder on the server with limited access.
  • The crucial point about backups is that if you lose the private key associated with the CSR, the Certificate Authority cannot give you a new one. The private key is unique to the server you are using.

Chosen Trusted Certificate Authority

  • Before you generate your CSR, you will want to find a Certificate Authority (CA) that you will be purchasing your SSL certificate from. You may want to look at some common and trusted CAs: DigiCert, Sectigo, GlobalSign and Certera.
  • Each CA has slightly different requirements for the information they need to issue your SSL certificate, but they all will accept the PKCS #10 format provided by Domino Go.
  • By choosing a CA ahead of time, you will immediately know where to send your CSR upon completion. This saves a lot of time, because you can complete the order form as well as gather all required validation documents first.
  • Having an industry-trusted CA is also very important to help build credibility and offer assurance to your customers when you secure their communications with an SSL certificate.

Step-by-Step: Generate a CSR in Lotus Domino Go

Launch the MKKF Utility

To generate a CSR in Lotus Domino Go, we must first start the MKKF utility (the built-in key management utility) that manages the creation of key rings, keys, and requests for certificates.

  • To run the MKKF utility, launch a command prompt on your server and navigate to the directory where the Domino Go package was installed.
  • You will need to type mkkf and press Enter. The MKKF utility will load and display a menu with several selections.
  • This menu allows you to manage your SSL related tasks; let’s start by creating a new key ring for our certificate.

Create a New Key Ring File

  • Now that you have invoked the MKKF utility, you must create a new key ring file. This will be used to store your private key and certificate.
  • From the menu, select option N (Make a new key ring). The utility will ask you for a filename for the key ring file. It will be keyfile.kyr by default; you may specify another name as appropriate.
  • The file is important as it contains the cryptographic keys you need for SSL. Make a record of where you stored the file, as you will use the path to the file when you install your issued certificate.

Select Request Format

  • Once your key ring has been created, the next thing to do is to select a format for your certificate signing request. Lotus Domino Go has multiple formats to work with; however, the best and standard format followed by most Certificate Authorities is PKCS #10.
  • From the MKKF menu, select P to indicate you would like your CSR generated in PKCS #10 format. It is very important to keep this in mind when you submit your request to providers like DigiCert, Sectigo or your SSL Provider.
  • Also, generating your request in PKCS #10 format makes sure your encoded request carries all your organization’s attributes and your public key in a format accepted without problems by various CAs. Therefore, there are no extra steps when you process the certificate signed by the CA.

Enter Distinguished Name Information

  • Now we will be entering the distinguished name (DN) information. This makes up the identity of your certificate request. To add certificate request details select M from the MKKF menu.
  • The fields you will need to fill in for the certificate request (in Certreq) are: the Common Name (domain name), Organization Name, Organizational Unit, City, State and Country.
  • Be certain that you use the exact same domain name as the website you want to secure.
  • It is extremely important that the information above is correct, and in the correct form for your organization, as the CA will check these details during validation.
  • If you make a mistake at this part, it will slow down the process for issuing your certificate, so make sure you double check your entries.

Generate CSR

  • Now that your organization details have been entered, we can create your CSR. From the MKKF menu, simply select R (Request) to create your CSR file.
  • The utility is now going to create the private key (which will be stored safely in your key ring file) and the CSR file, which contains your encoded organization details, as well as your public key.
  • The CSR is the only file you will provide to a Certificate Authority to have validated. Keep in mind that the private key exists only on your server and shouldn’t be shared with anyone.
  • The CSR file that you have now created can be used to apply for an SSL certificate.

Exit and Save

  • After you have generated the CSR, you need to exit from the MKKF utility correctly to save the changes made. From the system’s default menu select X to exit.
  • The program will then prompt you to save the changes made to your key ring file – MAKE SURE you select Yes!
  • Now you have your .kyr file that securely contains your private key related to your CSR.
  • This is an excellent time to create a backup of your key ring file and store it somewhere protected in case your key ring file ever becomes corrupted or is accidentally deleted.

Submit CSR to CA

The last step is to submit your CSR to the Certificate Authority (CA) or SSL Provider that you have purchased from. Open your CSR file in a text editor, like Notepad, then select and copy the entire block of text you just created, including the lines that say:

-----BEGIN CERTIFICATE REQUEST-----
(encoded data)
-----END CERTIFICATE REQUEST-----

Afterwards, you will include this block into your CA order form while requesting an SSL Certificate.

  • The CA will verify your organization and ownership of the domain name and issue you a certificate. 
  • You will then be able to go back to the MKKF utility and import the issued certificate to your Lotus Domino Go server.
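
A pre-submission check for the copied block, as an added example that is not part of the original guide or of Domino Go: it confirms the BEGIN/END lines survived the copy with plain ASCII hyphens, decodes the PKCS #10 body, and reads the subject DN so the Common Name and Country can be compared with what you intended to enter. The function names are hypothetical, the sample request is constructed (CSR-shaped, with empty key and signature fields), and the check reads the subject only; it does not verify the request's signature.

```python
import base64
import re

# DER-encoded OIDs (2.5.4.x) of the DN fields this guide lists
DN_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
           b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}
BEGIN, END = "-----BEGIN CERTIFICATE REQUEST-----", "-----END CERTIFICATE REQUEST-----"

def children(buf):  # split a DER value into its (tag, value) child elements
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated request: copy the whole block")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def csr_subject(pem_text):  # subject DN of a PKCS #10 request, as a dict
    m = re.search(re.escape(BEGIN) + "(.+?)" + re.escape(END), pem_text, re.S)
    if not m:
        raise ValueError("BEGIN/END lines missing or mangled")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    info = children(children(der)[0][1])[0][1]  # CertificationRequestInfo
    subject = {}
    for _, rdn in children(children(info)[1][1]):  # [1] = subject Name
        for _, atv in children(rdn):  # each RDN is a SET of (OID, value)
            (_, oid), (_, val) = children(atv)
            subject[DN_OIDS.get(oid, oid.hex())] = val.decode("utf-8", "replace")
    return subject

def problems(pem_text, expected_cn):  # empty list = nothing found
    try:
        dn = csr_subject(pem_text)
    except (ValueError, IndexError) as exc:
        return [str(exc)]
    checks = [(dn.get("CN", "").lower() == expected_cn.lower(), "CN does not match the site"),
              (re.fullmatch(r"[A-Z]{2}", dn.get("C", "")), "C must be a two-letter ISO code")]
    return [msg for ok, msg in checks if not ok]

def sample_request(cn="www.example.com", country="US"):  # constructed, not usable
    tlv = lambda tag, v: bytes([tag, len(v)]) + v  # short-form DER element
    atv = lambda oid, s: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, s.encode())))
    name = tlv(0x30, atv(b"\x55\x04\x03", cn) + atv(b"\x55\x04\x06", country))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + tlv(0x30, b"") + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"
```

Pass the text of your own CSR file and the site's domain name to `problems()`; anything it returns is worth fixing in MKKF before you paste the block into the CA order form.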


Secure Your Server with CheapSSLweb

CheapSSLweb is a fast and cheap way to protect your site with an SSL certificate. They have some of the top brands including DigiCert, Sectigo, and Comodo, at the lowest prices without compromising trust and security.

Janki Mehta


Janki Mehta is a Cyber-Security Enthusiast having 7+ years of experience and knowledge about Encryption, Digital Certificates and Online Security. She helps online users to stay safe and protect their online presence. Explore SSL Errors, Installation Guide and Security Tutorials for Safe Browsing and Web Security Experience.