Some certificates are 90 day LetsEncrypt, which we migrated from the old Nashed app, and our "sidekick" app.
However, others are traditional certificates with domain/certificate registrars. They have multiple names, and only some run on HCL Domino -- are Domino-based web sites.
They were created from an OpenSSL CSR and mydomain.key files, bought at the SSL registrar, and the mydomain.crt file(s) are converted/migrated to the traditional Domino keyring mydomain.kyr, via the IBM Keyman utility.
How do we import the traditional certificates and with their keys inside the kyr files?
If you just create a document and fill out the fields, you will not be able to add the private mydomain.kyr key file. You will always see an "invalid private key" message.
To fix, remove this manually created document, via the Delete button. We have to do an import.
The process to do the import properly is:
1a. Confirm the name of the kyr file to import. e.g. mydomain.kyr .
1b. Confirm the file is in the /local/notesdata folder, on the "primary" Domino Certification Manager server. The primary server is the one running the Certificate Manager (certmgr) service.
(We haven't tried this on a "secondary" Certificate Store replica which is not running the certmgr service.)
You do not have to shutdown the already running certmgr task.
2. On the primary server. issue the certmgr import command in the Domino console.
a. Domino Administrator client --> myserver.mindwatering.net/Mindwatering --> Server (tab) --> Status (sub-tab).
b. Click the green Live button (top right).
c. In the Domino Command field, enter the following command, and click Send.
> load certmgr -importkyr mydomain.kyr
Watch the output. It should look like this:
06/29/2021 08:11:04 PM Remote console command issued by Tripp Black/Mindwatering: load certmgr -importkyr mydomain.kyr
06/29/2021 08:11:04 PM CertMgr: Imported KeyRing file [mydomain.kyr]
06/29/2021 08:11:04 PM CertMgr: KeyRing file import result - Success: 1, Already exist: 0, Error: 0
06/29/2021 08:11:04 PM CertMgr: Shutdown
That's it. A new certificate document is created in the Certificate Store application.
3. If desired, edit the newly created mydomain.com document and add the CSR.