Could not renew Lotus Domino Server SSL key
12/27/2009 12:07 PM
IBM Lotus Domino can use an SSL key to provide encrypted network access. To get SSL working you have to use the database certsrv.nsf to create a certificate signing request (CSR) and paste it into your PKI provider's form; the provider then returns a signed certificate. Once you merge that signed certificate into your server's keyring you are ready to go.
The problem I see is that the CSR created by Version 8.5.1 is based on the MD5 algorithm, and most PKIs have started to refuse MD5 in CSRs in favor of SHA-1 or newer algorithms. I see the problem that everyone who runs an SSL site on Domino will not be able to renew the certificate!

The Lotus Knowledgebase lists a problem where a signed certificate could not be merged into the keyring if the PKI had signed it using SHA-1. That problem was solved with 7.0.3 and does not apply here: the current problem is that the CSR itself is always signed using MD5.

Read this article: Why is MD5 hash considered insecure?

Comments:

1. Michael Urspringer 12/28/2009 07:42:41
Homepage: http://www.urspringer.de


Chris,

I was able to use a StartSSL certificate (which does not allow MD5 requests) by creating a certificate with their own certificate request mechanism and then converting the certificate to a Domino keyring file by using these instructions: { Link }




2. Christian Brandlehner 12/28/2009 21:04:30
Homepage: http://chris.brandlehner.at


@1: Michael, you saved my day! I was able to renew my server's certificate by following your instructions!



