IBM Lotus Domino can use an SSL key to provide encrypted network access. To get SSL working you have to use the database cetsrv.nsf, create a certificate request (CSR), paste that into your PKI-providers form who will return a signed certificate. Once you merge that signed certificate into your servers keyring you are ready to go.
The problem I see is that the CSR created by Version 8.5.1 is based on the MD5 algorithm and most PKIs started to refuse MD5 in CSRs in favor of SHA-1 or newer algorithms. I see the problem that everyone who runs a SSL site on Domino will not be able to renew the certificate!

The Lotus Knowledgebase lists a problem that the signed certificate could not be merged into the keyring if signed using SHA-1 by the PKI but this problem was solved with 7.0.3 and does not apply to the current problem as the problem is that the CSR is always signed using MD5.

Read this article: Why is MD5 hash considered insecure?