
How to import a signed wildcard Certificate into Lotus Domino?

Lately I wanted to install a wildcard certificate that I had ordered from
Thawte, and which works perfectly fine with e.g. Apache, Postfix and Cyrus IMAP,
into Lotus Domino 8.5. Turns out this is not a piece of cake.
Although there is an import function within the
“Server Certificate Admin” database, it gave me hell to get it running,
so I decided to write this little Howto.

Even IBM Support suggested creating a new Certificate Request -
but Thawte would have charged us for that one and I did not like
the idea of paying twice for the same service…

Ok, let’s get going…

First you need to create your keyring file by opening the
“Server Certificate Admin” database (certsrv.nsf) in
the Lotus Notes Client (not the Administrator Client).
It creates (by default) a file called keyfile.kyr and, very important,
keyfile.sth: the stash file holding the scrambled passphrase of the keyring,
which the SSL-enabled server tasks read when they start. Keep the two files
together and protect both; whoever holds the pair holds your private key.

You need to enter some basic information about your site, like the
location of the keyring file (on your client's file system), key size,
common name, organisation etc. When you are finished, hit the
“Create Key Ring” button.

[Screenshot: createkeyring1]

Now you need to install the root certificate of your CA (in my case Thawte)
as a “Trusted Root Certificate” into the keyring (unless it is already there),
because otherwise it will not let you import the actual certificate.
As you can see, I used the Base64 encoded cert and pasted it via the clipboard.

[Screenshot: install_root_ca]

Note: the root certificates for Thawte can be found here:
http://www.thawte.com/roots/

If you now look at “View & Edit Key Rings” you can see your freshly imported
root cert:

[Screenshot: trustedrootca]

The keyring file is prepared now and ready to get the actual cert imported.

Now find a machine with OpenSSL installed (most Linux distributions ship
with it); you need it to convert your private key and certificate into a
single PKCS#12 (.p12) file like this:

    openssl pkcs12 -export -out <new_key_pair_filename>.p12 -inkey <private_key_filename>.key -in <certificate_filename>.crt

You will be asked for an export password; don't forget it, you will need
it later in IKEYMAN. If your CA signed the certificate through an
intermediate CA, add that intermediate with -certfile <intermediate>.crt so
the bundle carries the full chain. The resulting new_key_file.p12 contains
your private key, so treat it like the key itself and delete the spare copies
once the keyring has been updated.
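The openssl step above, as an added shell example that is not part of the original post: it packages the key and certificate (plus an optional intermediate chain) into the .p12 that IKEYMAN expects, and checks two things you would otherwise only discover when the Domino SSL task refuses to start: that the certificate really belongs to the private key, and that the bundle contains what you think it does. It assumes openssl on PATH; the file names, the export password and the throwaway test CA are constructed for the demo, in real use you feed in the key you generated for the CSR and the certificate Thawte returned.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl on PATH;
# file names, the export password and the throwaway test CA are constructed
# for the demo, in real use you feed in the CSR key and the CA-issued cert.
set -e

# Package private key + certificate (+ optional intermediate chain) into a
# PKCS#12 bundle for IKEYMAN. $1 key, $2 cert, $3 output .p12, $4 export
# password, $5 optional PEM file with the intermediate CA certificate(s).
make_p12() {
    key=$1; cert=$2; out=$3; pass=$4; chain=$5
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$pass"
    fi
    chmod 600 "$out"   # the bundle carries the private key: owner-only access
}

# Succeed only if the certificate's public key belongs to the private key,
# i.e. you are not about to bundle a cert with the wrong key.
keypair_matches() {
    keyhash=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    certhash=$(openssl x509 -in "$2" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$keyhash" = "$certhash" ]
}

# Print the subject CN of a certificate (for a wildcard cert: *.example.com).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Print how many certificates the bundle carries: 1 means leaf only,
# more means the chain went in as well.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Constructed test material so the script runs offline: a toy CA and a
# wildcard certificate it signs. Real runs skip this function entirely.
make_sample_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -keyout "$d/wild.key" -out "$d/wild.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/wild.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/wild.crt" 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_sample_material "$work"
    keypair_matches "$work/wild.key" "$work/wild.crt" || { echo "key/cert mismatch"; exit 1; }
    make_p12 "$work/wild.key" "$work/wild.crt" "$work/new_key_file.p12" 'export-secret' "$work/ca.crt"
    echo "subject CN:      $(cert_cn "$work/wild.crt")"
    echo "certs in bundle: $(p12_cert_count "$work/new_key_file.p12" 'export-secret')"
    rm -rf "$work"
}
main "$@"
```

One caveat: OpenSSL 3 writes the bundle with AES-256-CBC and PBKDF2/SHA-256 by default, which a tool as old as the IKEYMAN used here may not read; if the import in IKEYMAN fails on such a file, add -legacy to the export command so the bundle uses the old RC2/3DES algorithms instead.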

Next, you want to install IBM's IKEYMAN tool on some machine.
It has certain OS requirements; I got it running within a WinXP VM.
Copy your keyfile.kyr and new_key_file.p12 onto that machine (over a
secure channel, the .p12 contains your private key).

Start IKEYMAN and open keyfile.kyr. With “Personal Certificates”
selected, click “Import”, choose your freshly created
new_key_file.p12, enter the export password and save:

[Screenshot: import_p12]

Copy your freshly updated keyfile.kyr together with the keyfile.sth (from the
very beginning) into the data directory of your Lotus Domino server.
Open the Server Document in the Lotus Administrator and go to
“Ports” -> “Internet Ports” -> “SSL key file name”.
Enter the file name of your freshly updated keyfile.kyr, restart the
HTTP task (or the server) so it picks up the new keyring, and you're all set.

[Screenshot: ssl_lotus_config]

Good Luck.
