Managing TLS certificates with Certificate Manager

HCL Domino 12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.

You use CertMgr and certstore.nsf to completely automate requesting, configuring, and renewing free, widely trusted TLS certificates from the Let's Encrypt certificate authority (CA). You can also process certificate signing requests for other third-party CAs. In this case, you manually submit the generated CSR to the CA, and paste the certificates received into certstore.nsf.

Domino continues to support using OpenSSL and KYRTool to generate certificates in a keyring file, the method available prior to Domino 12. But using Certificate Manager is a much easier process and is recommended. Note that certificates generated through Certificate Manager are securely stored directly in TLS Credentials documents in certstore.nsf rather than in keyring files on disk.

The key components of certificate management are:

Certificate Manager (CertMgr) server task. This task runs on one server in a Domino domain and handles the certificate processing, leveraging new back-end security APIs. Where possible, CertMgr uses the standard PEM format for keys, Certificate Signing Requests (CSRs), and certificates.

Note: CertMgr comes with Domino 12 servers on Docker, Windows, and Linux. Starting with Domino 12.0.2, CertMgr comes with Domino on AIX, too.

Certificate Store database (certstore.nsf). This database provides the interface to request, store, and distribute certificates in a secure way. The CertMgr task creates this database the first time it runs. The database contains predefined Let's Encrypt ACME account documents needed for certificates issued from the Let's Encrypt certificate authority. certstore.nsf is protected by the database ACL, and private keys are protected by 256-bit AES encryption. The database can be replicated to any Domino server that runs Domino 12 or higher.

Note: While Domino servers on IBM i cannot run CertMgr to request certificates, they can read certificates from certstore.nsf.
