SSL Certificate on 9.0.1 FP10 Server



Domino/Notes Version: 9.0.1
Add-on Product (if appropriate, e.g. Verse / Traveler / Nomad / Domino REST API): Traveler
Its Version:
Operating System: Windows Server 2008
Client (Notes, Nomad Web, Nomad Mobile, Android/iOS, browser version):


Problem/Query: We run an old server with Domino 9.0.1 FP10 and Traveler. The SSL certificate we had for Traveler has expired and on renewal from GoDaddy their certifiers now have a key length of 4096 instead of 2048. After installing the new certificate and associated Go Daddy root and intermediate certificates, the certificate does not function on the server. There are no errors on the server that I can see but it just doesn’t work. When trying to connect using a web browser we see a non-connection to server error and the Verse app simply won’t connect.

Sorry for my lack of the correct terminology, but does anyone have any suggestions to get this up and running? Perhaps I should use a different SSL certificate provider that still issues certificates with a 2048 key length, or is it the Server Certificate Admin I am using to generate the keyring file?

I have seen something about kyrtool but have no idea where to locate it or how to use it?

Any help would be appreciated as we are currently without Verse / internet email/calendar functionality.

You can refer to this article to set up SSL on your 9.0.1 FP10 server.

Thank you Niraj,

I have gone through the process of creating the keyring file and installed our signed site certificate, root and intermediate certificates and server.key into the keyring in the order noted.

I checked that all looked ok using the kyrtool show certs and show keys functions.

I have then installed it on the server, redirected the internet sites records to the new keyring and refreshed http and confirmed the http server is using the new certificates.

But it still doesn’t work!

We use Go Daddy for our SSL certificates and have done so for years without issue. They have changed from their G2 certificate chain to R1 certificate chain.

The new certificate has a 4096 key length, our previous was 2048. Our server hasn’t changed.

Am I missing something here?

I performed all the openssl and kyrtool operations on my HCL Notes laptop and copied the resultant keyring over to the server. Is this ok or does it have to be done on the server?

Does changing from 2048 to 4096 key length require any server change?

Any help you can provide would be appreciated.

Creating the keyring locally, importing the certs into it and moving the keyring as well as the stash file (KYR and STH) to the server is completely fine.

As per your explanation, you seem to have done everything perfectly.

This could be due to higher key strength.

When you say it doesn’t work, what exactly happens? Is there any error on the browser end? Any error at the Domino server end?

If you have extended support for V9.0.x, I would suggest reporting a support case with HCL to troubleshoot this further.

Thanks and Regards

Niraj V Jani

This certificate is used for access to notes mail and also for the Verse App to the traveler server.

Trying to connect from a browser (Edge) just says “Can’t reach this page”. Same with Chrome.

The Verse app just fails to connect.

If I point the internet site documents back to the now expired certificate, browsers will still connect but we get the usual security warnings about site not being secure etc. Verse App will not connect to the expired certificate (our main issue).

I can’t see any errors on the server at all. Restarting the HTTP server task does so without error and show security confirms it is looking at the new keyring file.

We don’t have extended support on 9.0.1 as they wanted to charge a ridiculous amount for it, like 5 times the usual support cost!

I’m at a bit of a loss with this. I am thinking it has something to do with the new version of certificates from Go Daddy. They have not been able to shed much light on it?

Maybe I should be using a different SSL certificate provider? Can you recommend an alternative as this is a little bit out of my understanding.

There is probably something wrong with the .kyr file. Something isn’t imported right. You need to create the kyr file, import the private key, import the certificate crt you got back and all root certs from the cert provider. And you need to put both files created when you create the kyr file on the server and add that name to the corresponding fields in the internet site document(s).

Feel free to reach out on xpagedeveloper.com if you need remote assistance

It looks like the higher key strength issue.

As per the Domino 9.0.x product documentation, the maximum allowable key strength is 2048. Maybe that’s why your old certificates worked earlier with the 9.0.x version.

Maximum allowable key strength

Specify the strongest key size allowed. Keys stronger than this will be rolled over:

  • Compatible with all releases (630 bits).

  • Compatible with Release 6 and later (1024 bits) (default).

  • Compatible with Release 7 and later (2048 bits)

I think it is worth going for another CA who can provide your certificates with 2048 key strength and check if that works well on Domino server. You would need to perform the same steps as per the article I shared in my initial post.

Hope that works.

Thanks and Regards

Niraj V Jani
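
An added example (not part of any post in this thread): a shell sketch, assuming OpenSSL is installed, that lists the key size of every certificate in a PEM bundle and confirms the private key matches the site certificate before the files are imported into a keyring. The function names, file names and the 2048-bit `LIMIT` default are assumptions for illustration, and the sample certificates are constructed throwaways.

```shell
#!/bin/sh
# Added example: pre-import checks on PEM files before they go into a keyring.
# LIMIT is an assumption taken from the 2048-bit figure discussed in this thread.
LIMIT=${LIMIT:-2048}

# Print "<bits><TAB><subject>" for every certificate in a PEM bundle.
chain_key_bits() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout |
        awk '/^ *Subject:/ { sub(/^ *Subject: */, ""); subj = $0 }
             /Public-Key: \(/ { gsub(/[^0-9]/, ""); print $0 "\t" subj }'
}

# Count certificates in the bundle whose key is larger than LIMIT bits.
count_over_limit() {
    chain_key_bits "$1" |
        awk -F '\t' -v max="$LIMIT" '$1 + 0 > max { n++ } END { print n + 0 }'
}

# Succeed only if the private key ($1) and certificate ($2) share one RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample data: two throwaway self-signed certificates standing in
# for a 2048-bit site certificate and a 4096-bit CA certificate.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=site.example" \
        -keyout "$d/site.key" -out "$d/site.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:4096 -nodes -days 1 -subj "/CN=Constructed CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    cat "$d/site.crt" "$d/ca.crt" > "$d/bundle.pem"
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
chain_key_bits "$SAMPLE/bundle.pem"
echo "certificates over $LIMIT bits: $(count_over_limit "$SAMPLE/bundle.pem")"
key_matches_cert "$SAMPLE/site.key" "$SAMPLE/site.crt" && echo "site key matches site certificate"
```

Run against the real site certificate, intermediates and root concatenated into one file, the first column shows which certificate in the chain carries the larger key.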