"Unrecognized Certificate Authority Signature" when installing certificate into key ring

Question

When you install a signed certificate into a key ring file, the following message appears:


    "Unrecognized Certificate Authority signature.
    The server certificate cannot be installed in your server key ring because the signature is from a CA that is not listed as a Trusted Root. This is due to one of the following:
      1. A certificate for the signing CA is not present in your server key ring.
      2. A certificate for the signing CA is present in your server key ring, but it is not marked as a Trusted Root.
    You can install the server certificate anyway, or you can exit for now to install the CA certificate in your server key ring and mark it as a Trusted Root.
    Click OK to install the server certificate anyway.
    Click Cancel to exit."

Cause

As noted in the message text, a Lotus® Domino® server returns this message if the Certificate Authority used to sign the certificate is not present in the key ring file. Domino includes a limited number of CAs by default, but some commercial CAs and any self-created CAs (Domino or third-party) will not be present.

Answer

To correct the problem, you need to install the trusted root certificate. To obtain the trusted root certificate, contact the vendor to determine which trusted root authority was used to sign the certificate.

Alternatively, you can obtain the trusted root from the certificate itself with these steps:

1. Create a new text file (example.txt), paste the certificate information into it, then save and close it.

2. Rename the text file to example.cer.

3. Open the example.cer file. Windows automatically associates it as an X.509 certificate and opens it with the Certificate Viewer.

4. Switch to the "Certification Path" tab. This tab shows the hierarchy of the certificate.


  • Note: The CA is not shown if it is not present in Internet Explorer. All commercial CAs should be present. A self-created CA needs the CA already present, else it will have to be obtained (making the instructions presented here unnecessary, as it is the same certificate needed for the key ring).

    In some cases one or more Intermediate CAs are used to sign the certificate. In that case, all levels need to be imported using the following steps, starting with the top level.


5. Choose the CA and click "View Certificate." You see a new Certificate dialog for the CA itself.

6. Switch to the "Details" tab, click "Copy to File." This opens the Certificate Export Wizard.

7. Click "Next." Choose "Base-64 encoded X.509 (.CER)." Click "Next." Choose a file name (c:\exampleca.cer). Click "Next." Click "Finish."
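
The following PowerShell sketch is an added example, not part of the original technote. It performs steps 3-7 in script form: it builds the certification path for example.cer and writes each CA certificate as a Base-64 .cer file, top level first. The function name Export-IssuerChain and the exampleca<N>.cer file naming are assumptions made for illustration.

```powershell
# Added example, not IBM's code. Export-IssuerChain and the
# exampleca<N>.cer naming are hypothetical.
function Export-IssuerChain {
    param(
        [string]$CertPath = 'example.cer',   # file created in steps 1-2
        [string]$OutDir   = '.'              # where the CA files are written
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" (Resolve-Path $CertPath).Path
    $chain = New-Object "$ns.X509Chain"
    # Only the path is of interest here, so skip CRL/OCSP lookups.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    # Element 0 is the certificate itself; the last element is the top of the path.
    $elements = @($chain.ChainElements)
    $top = $elements[-1].Certificate
    # Same limitation as the Certification Path tab: a CA that Windows
    # cannot locate does not appear, so the path stops short of a root.
    if ($top.Subject -ne $top.Issuer) {
        Write-Warning "Incomplete path: no certificate found for issuer '$($top.Issuer)'."
    }

    $order = 0
    # Walk from the top level down, skipping element 0 (the server certificate).
    for ($i = $elements.Count - 1; $i -ge 1; $i--) {
        $order++
        $ca  = $elements[$i].Certificate
        $der = $ca.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        # Base-64 body wrapped at 64 characters per line.
        $b64 = [Convert]::ToBase64String($der) -split '(.{64})' | Where-Object { $_ }
        $pem = @('-----BEGIN CERTIFICATE-----') + $b64 + @('-----END CERTIFICATE-----')
        $file = Join-Path $OutDir ("exampleca{0}.cer" -f $order)
        Set-Content -Path $file -Value $pem -Encoding ascii

        [pscustomobject]@{
            ImportOrder = $order
            Subject     = $ca.Subject
            Issuer      = $ca.Issuer
            Thumbprint  = $ca.Thumbprint
            File        = $file
        }
    }
}

Export-IssuerChain -CertPath 'example.cer' | Format-List
```

Import the files in ImportOrder sequence, and compare each Thumbprint with the value the CA publishes before marking the certificate as a Trusted Root.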

Use the following steps after receiving the root certificates from your Certificate Authority or after using Steps 1-7 above.

1. Open the Server Certificate Administration database. Choose step 3, "Install Trusted Root Certificate into Key Ring."

2. Fill out the fields as shown in the screen capture below, changing the kyr file to the correct name (which should be the correct name by default). The Certificate Label is purely informational; a best practice is to match it to the CA issuer's common name.




3. Click "Merge Trusted Root Certificate into Key Ring" and follow the prompts. This step imports the trusted root.
