Your certificates will need to be installed to the key ring in the exact order described below.
AddTrustExternalCARoot.crt
XYZHigh-AssuranceSecureServerCA.crt (if included in your zip file)
your_domain.crt
- In the Domino Server Certificate Administration, choose the option to "Install Trusted Root Certificate into Key Ring."

- Enter the file name that you selected when creating your CSR, then go ahead and import your Trusted Root Certificate (AddTrustExternalCARoot.crt). You may see a message that your root certificate is already installed. If this happens, just continue to step 3.

- Once again, choose the option to "Install Trusted Root Certificate into Key Ring". You should now install your Intermediate Certificate file(s). If you received a XYZRSAAddTrustCA.crt, make sure to import that first, and then repeat this step to import the XYZRSADomainValidation.crt.
If you did not receive a XYZRSAAddTrustCA.crt file, go ahead and import your XYZRSACA.crt now.

- For the next step select the option to "Install Certificate into Key Ring". Enter name of the key ring, and then import your Primary Certificate (your_domain_name.crt) file.

Your certificate is now installed and ready to use on your IBM Domino Server.
Note: Some chain files maybe different than others please use this article as a reference on how to install. Also, LOTUS Domino 8 may not support SHA-2 certificates and you may need to contact their support for information regarding SHA-2 certificate requirements.