SECURING


Certificate URL health check

CertMgr supports validation of a TLS certificate on target URL endpoints specified in the TLS Credentials document. This validation checks for certification expiration and notifies the administrator if the certificate has expired.

The standard certificate health check already provides warning functionality for expiring certificates. This functionality complements the certificate check in certstore.nsf.

Especially in the case of exported wildcard certificates (for example, for SafeLinx, Sametime, and Nomad Web), verifying the health of the certificate provides an easy way for administrators to manage the certificates in their Domino ecosystem.

The remote endpoint connections are established by TLS to check the expiration of the actual certificate configured on the endpoint, specified by the specified URL.

Supported URL syntax

The basic syntax is the URL syntax with or without the https:// syntax, for instance https://www.example.com

The https:// prefix can be omitted and TLS is assumed. Ports can be appended to the FQDN (icap.acme.com:11344).

Protocols supported

The functionality is not limited to HTTPS. Protocols such as LDAP, POP3, IMAP, ICAP are also supported.

No protocol-specific information is checked. The underlying LibCurl code checks only the TLS/SSL connection to the remote host.

Protocols upgrading network sessions to TLS, for example STARTTLS, are not supported.

Configuring the certificate URL health check

To configure, specify one or more entries in Health check URLsin a TLS Credentials document in certstore.nsf. Then selectEnabled from Health check options.

By default trusted roots to validate the remote peer are read from certstore.nsf (Trusted roots view). To use trusted roots from Domino directory instead, selectUse trusted roots from Domino Directory fromHealth check options.

URL health check interval

The certificate health check for URLs is performed once every 24 hours. If a manual check is required, run tell certmgr check on the CertMgr server to trigger a manual health check for certificates and certificate URLs.

CertMgr stores the last check in the notes.ini CERTMGR_CHECKURL_LASTCHECKTIME, which is loaded on restart.

URL health check statistics

The following CertMgr statistics are available to report certificate URL health.

Table 1. CertMgr certificate URL health statistics
StatisticDescription
CertMgr.HealthCheckURL.CheckTime.LastThe last time that a certificate URL health check was performed.
CertMgr.HealthCheckURL.CheckTime.NextThe next scheduled run of the certificate URL health check.
CertMgr.HealthCheckURL.IntervalHoursThe certificate URL health check interval in hours.
CertMgr.HealthCheckURL.Status.GreenNumber of certificate URL health checks reported as healthy with no issues.
CertMgr.HealthCheckURL.Status.YellowNumber of certificate URL health checks that reported warnings (usually certificate expiring soon).
CertMgr.HealthCheckURL.Status.Red Number of certificate URL health checks that reported fatal errors (usually certificate expired or fatal connection error).

Configuring email notification

In certstore.nsf global configuration, specify a single recipient address in theHealth Check notification email field to receive an email notification in case of warning or error.

No email will be sent if no warning or error occurs. The email notification is a summary of all TLS credentials with a health check URL and contains only information about certificates with warning or errors.

Parent topic: Managing TLS certificates with Certificate Manager