HCL Domino 12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf), to manage TLS certificates in your Domino environment.
You use CertMgr and certstore.nsf to completely automate requesting, configuring, and renewing free, widely trusted TLS certificates from the Let's Encrypt certificate authority (CA). You can also process certificate signing requests for other third-party CAs. In this case, you manually submit the generated CSR to the CA, and paste the certificates received into certstore.nsf.
Domino continues to support using OpenSSL and KYRTool to generate certificates in a keyring file, the method available prior to Domino 12. But using Certificate Manager is a much easier process and is recommended. Note that certificates generated through Certificate Manager are securely stored directly in TLS Credentials documents in certstore.nsf rather than in keyring files on disk.
The key components of certificate management are:
Certificate Manager (CertMgr) server task. This task runs on one server in a Domino domain and handles the certificate processing, leveraging new back-end security APIs. Where possible, CertMgr uses the standard PEM format for keys, Certificate Signing Requests (CSRs), and certificates.
Note: CertMgr comes with Domino 12 servers on Docker, Windows, and Linux. Starting with Domino 12.0.2, CertMgr comes with Domino on AIX, too.
Certificate Store database (certstore.nsf). This database provides the interface to request, store, and distribute certificates in a secure way. The CertMgr task creates this database the first time it runs. The database contains predefined Let's Encrypt ACME account documents needed for certificates issued from the Let's Encrypt certificate authority. certstore.nsf is protected by the database ACL, and private keys are protected by 256-bit AES encryption. The database can be replicated to any Domino server that runs Domino 12 or higher.
Note: While Domino servers on IBM i cannot run CertMgr to request certificates, they can read certificates from certstore.nsf.
Configure the Certificate Store database (certstore.nsf) on Web servers: Run certmgr on Web servers in the domain to create replicas of certstore.nsf on them.
Configuring Global Settings: Configure Global Settings to set default values to use for certificate management.
Managing certificates with the Let's Encrypt CA: CertMgr simplifies and secures Domino web server operations by providing the ability to automatically request, configure, and renew free, widely trusted TLS certificates from the Let's Encrypt certificate authority (CA) using the ACME protocol.
Requesting and importing a key and certificates from a third-party CA: Beginning with HCL Domino 12, the process for configuring internet certificates from third-party certificate authorities (CAs) on a Domino server is made simpler.
Upgrading TLS credentials: If you have TLS credentials on disk that are not yet added to TLS Credentials documents, you can use the certstore.nsf database to import them so that they can be used by CertMgr.
Exporting credentials to a file: You can export the credentials in a TLS Credentials document to a file.
Adding trusted root certificates: Trusted root certificates allow web servers to accept certificates from connecting clients that chain to those roots. Trusted root certificates are also useful for automatically completing partial certificate chains presented by CAs.
Creating certificates from a micro CA: You can create web server TLS certificates from a micro CA.
ECDSA cryptography support for ACME accounts and for host keys: CertMgr supports the Elliptic Curve Digital Signature Algorithm (ECDSA) using the NIST P-256 and NIST P-384 curves for ACME accounts and for TLS 1.2 host keys (keyring files) generated from either the Let's Encrypt CA or a third-party CA.
Requesting a key rollover: You can request a TLS host key rollover (more typical) or an ACME account key rollover.
CertMgr command line parameters: The load certmgr command can be run with the following parameters.
CertMgr tell commands: The following CertMgr tell commands are available.
CertMgr notes.ini settings: CertMgr includes the following notes.ini settings. Some have command-line parameter equivalents and are so noted.
Certificate health check: The CertMgr task checks the health of imported keys and certificates at the time of import and every 30 minutes thereafter.
Certificate URL health check: CertMgr supports validation of a TLS certificate on target URL endpoints specified in the TLS Credentials document. This validation checks for certificate expiration and notifies the administrator if the certificate has expired.
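The URL health check described above, reduced to its core logic as an added illustration (this is not CertMgr's own code): fetch the served certificate's notAfter from a URL endpoint, classify it as ok, expiring or expired against an assumed 30-day warning threshold, and produce the lines an administrator would be notified with. The constructed endpoint table lets the classification run offline without contacting any server.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed warning threshold; not a CertMgr setting


def fetch_not_after(host, port=443, timeout=5):
    """Connect to host:port with full chain and hostname verification and
    return the served certificate's notAfter as ssl.getpeercert() formats it,
    e.g. 'Jun 10 12:00:00 2025 GMT'. Used for live endpoints only."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def classify(not_after, now, warn_days=WARN_DAYS):
    """Return (status, days_remaining) for a notAfter string.
    status is 'expired', 'expiring' (within warn_days) or 'ok'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    remaining = (expires - now).days
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


def health_report(endpoint_certs, now, warn_days=WARN_DAYS):
    """endpoint_certs maps a URL to the notAfter string seen on it (constructed
    here; in practice filled by fetch_not_after). Returns the notification
    lines for every endpoint that is not 'ok', so an empty list means healthy."""
    lines = []
    for url, not_after in endpoint_certs.items():
        status, days = classify(not_after, now, warn_days)
        if status != "ok":
            lines.append(f"{url}: certificate {status} ({days} days remaining)")
    return lines


# Constructed sample: three endpoints checked on 2025-05-20 (no network needed).
SAMPLE_ENDPOINTS = {
    "https://mail.example.test": "Jun 10 12:00:00 2025 GMT",   # expiring soon
    "https://www.example.test": "Jan 10 12:00:00 2026 GMT",    # fine
    "https://old.example.test": "Apr 10 12:00:00 2025 GMT",    # already expired
}
CHECK_TIME = datetime(2025, 5, 20, tzinfo=timezone.utc)
```

Run `health_report(SAMPLE_ENDPOINTS, CHECK_TIME)` to see the two endpoints that need attention; swap the sample values for `fetch_not_after()` results to check real hosts.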
Internet CA root certificates updated: The Internet CA root certificates in the Domino directory and in Certificate Store have been updated to include additional fields.
CertMgr debug logging: The load certmgr -d command used to enable CertMgr debug logging also includes normal message logging to provide a single location for troubleshooting information. This logging pertains to certificates from the Let's Encrypt certificate authority and from third-party CAs.