It's been a long time since I've added anything about Domino here, but I wanted to put this where I'd find it next year and though some of you might find it useful as well.

There's lots of instructions out there around using "LetsEncrypt" or whatever to generate short lived SSL certificates for Domino, but if you want to use a full blown certificate authority -- or maybe your company does self signed certificates and you want to use those, here's a quick reference.

Prerequisite:

You should already have created the certstore.nsf on your servers. If you haven't, just go to your administration server and issue the command "load certmgr" and it will create the certstore.nsf on that server. Once you've done that, issue the same command on any servers you want to replicate it with and they'll pull it from the admin server. Add "certmgr" to your servertasks= line in the servers' INI file as well.

So here's quick reference:

1. Open certstore.nsf and click "Add TLS Credentials"

Fill out the stuff on the Main Tab. Primarily these fields are the minimum.

Host Names: - Whatever the FQDN name of the website will be. For wildcards, you can use *.
- example: *.thenorth.com

Provider: - Manual (you must set this)

CN: -The primary FQDN of the website. For wildcards, you can use *.
- example: *.thenorth.com


2. Click the action button "Create Exportable Key"

You'll be required to enter a strong password. Write it down.

3. Click the action button "Submit Request"

Wait a sec for it to process, then re-open the document

4. Make a folder somewhere to put all the text files and certificates in
I recommend something like "\certificates\domainname\[currentyear]\"

5. Copy the CSR from the "Manual Request" tab

You'll need this to make the request from the SSL provider
I recommend you save this to a folder and name it something ending in .csr

6. Copy the Private Key from the "Exportable Key" field on the "Manual" tab

Save the exportable private key in a text file. I suggest adding "-encrypted.key" to the end of the file name.

7. Submit the CSR to your provider and jump through their verification hoops

8. Download the certificate bundle from the provider
If it's in P7b format, convert it to PEM with this command:
openssl pkcs7 -print_certs -in bundlfilename.p7b -out bundlefilename.pem

9. Go back to the certstore.nsf file and edit that TLS document

On the "Manual" tab, paste contents of the PEM file info the "Certificates and Roots" field

10. Submit the request again
Wait a minute for it to process
It should be a valid TLS configuration at this point.

11. You still need a keyring file to put in fields (why? don't know) and you may want to use this credential elsewhere

12. Export from the TLS document using the "export TLS Credentials" button.
This is mostly for people like me who use a wildcard certificate so you can use these credentials
on appliances that can import them, but it's also need to make a proper kyr file.

Use the radio button for "Base64 Encoded x.509"
Set the friendlyname: No spaces. Probably you should just use the fqdn.
File name to export: (example) thenorth_wildcard_tls_exported.pem

13. Decrypt the exported private key
openssl rsa -in keyfilename-encrypted.key -out keyfilename-decrypted.key

14. Create a Domino kyr file
kyrtool create -k kyrfilename.kyr -p "xxxxxxxxx"

Notes:
If you don't already have the kyrtool get it from HCL or find it on a windows server install.

Copy the kyrtool.exe to your notes program directory.

Make sure the notes program directory is in your path

The most common cause of errors is a path problem. if in doubt, put quotes
around your paths and specify exact paths to all files on that command line.

The keyfile will be created in the notes data directory!!

15. Import the private key into the kyr file
kyrtool import keys -k keyfilename.kyr -i keyfilename-decrypted.key


16. Import the PEM bundle into the kyr file
kyrtool import certs -i exported-tls-file.pem -k keyfilename.kyr

17. Copy the kyr an sth files from the notes data directory to somewhere safe.
Probably a great idea to put all these files you've used together in one place
(remember that folder we created before) and maybe back it up.

18. Reference the "KYR" keyring file on the server document and the website document as usual
(yes, even though you're using certstore.nsf) and You should now have a valid TLS/SSL
configuration that lasts until the certificate expires.