Requesting a certificate from the Let's Encrypt CA

Request a certificate from the Let's Encrypt CA using the certstore.nsf interface.

Before you begin

Complete the following procedures:


Procedure

1. Start the HTTP server task on the server.

2. Open certstore.nsf, select the TLS CREDENTIALS -> By Host Name and click Add TLS Credentials.

3. In the Certificate provider field, select ACME.

4. In the Host names field, specify the host names of the internet-facing servers to request a certificate for.


5. In the Servers with access field, select the Domino servers for which to encrypt the private key of the TLS credentials, so that those servers can read the private key and use the certificates.

6. The values for other fields are derived from the Global Settings you specified in Configuring Global Settings. Adjust these fields, if necessary.

7. Click Submit Request.

Results

The following steps occur to process the request:

1. Generate a key pair for the TLS credentials and store it in the new TLS Credentials document, encrypted for the servers listed in the Servers with access field. This step is done only for the initial certificate request and not for subsequent requests.

2. Create a Certificate Signing Request (CSR) and submit it to the Let's Encrypt CA for certification.

3. If you use HTTP-01 challenges, the Let's Encrypt CA sends a challenge to CertMgr over the ACME protocol for each host name you register. The challenge is stored in the certstore.nsf database for the HTTP task to pick up when the Let's Encrypt service requests the challenge to verify the identity of the requesting Web server.


4. The CertMgr task uses the ACME protocol to request the issued certificate chain from the Let's Encrypt CA. If the certificate chain is not ready, the CertMgr task polls the CA until the certificate chain is available.

5. CertMgr writes the new certificate chain to the new TLS Credentials document. Any Domino server listed in the Servers with access field can use the certificate chain once the new document replicates to its replica of the certstore.nsf database.

6. By default, a keyfile.kyr is generated holding the private key, the certificate, and the certificate chain including the CA's root certificate. The kyr file is stored in the key file document. If CertMgr requests a certificate for the local machine (that is, the local server is listed in the Servers field of the key file document), the kyr file is automatically deployed to the server's data directory, ready for HTTP and the other internet protocols to use.
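The flow above depends on two things an administrator can check independently of certstore.nsf: each host name must be one that HTTP-01 can validate (reachable on port 80 under /.well-known/acme-challenge/, and not a wildcard), and once the kyr file is deployed, the served certificate must actually cover the host name and not be close to expiry. The following script is an added example, not code from HCL Domino or this documentation; it assumes only the Python standard library and that the checked servers are reachable from where it runs.

```python
import socket
import ssl
import sys
import time

ACME_PATH = "/.well-known/acme-challenge/"  # path Let's Encrypt fetches HTTP-01 tokens from

def http01_eligible(host):
    """Return (ok, reason): HTTP-01 only validates bare, non-wildcard host names."""
    h = host.strip().lower().rstrip(".")
    if not h:
        return False, "empty host name"
    if h.startswith("*."):
        return False, "wildcard names need DNS-01, not HTTP-01"
    if any(c in h for c in " /:@"):
        return False, "not a bare host name"
    return True, f"http://{h}{ACME_PATH}<token> must be reachable on port 80"

def san_covers(host, cert):
    """True if the subjectAltName of a getpeercert() dict covers host."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # a leftmost wildcard label matches exactly one label, never a sub-subdomain
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def days_left(cert, now=None):
    """Whole days until notAfter; Let's Encrypt certificates are short-lived, so renew early."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    now_s = time.time() if now is None else now
    return int((expiry - now_s) // 86400)

def fetch_cert(host, port=443, timeout=5):
    """Fetch the served certificate, validating the chain against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host in sys.argv[1:]:  # the host names entered in the Host names field
        ok, msg = http01_eligible(host)
        print(f"{host}: {'ok' if ok else 'not eligible'}: {msg}")
        if ok:
            cert = fetch_cert(host)
            print(f"  SAN covers host: {san_covers(host, cert)}, days left: {days_left(cert)}")
```

Run it with the same host names you entered in the Host names field; a failed handshake in fetch_cert means the deployed chain is incomplete or not yet trusted by the client.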

Parent topic: Managing certificates with the Let's Encrypt CA

Related tasks
Configuring a port for TLS
Setting up Domino security for Internet site documents