Parameter | Description |
-d | Enables Debug logging to IBM_TECHNICAL_SUPPORT/certmgr_debug_[..].log}) |
-e <file> | Specifies a separate, trusted CA cert file for Curl (default: data-dir: cacerts.pem) |
-g | Avoids checking the challenge before authorization if the server can't reach itself. If outside and inside connections are handled differently, allows the certificate request to complete when Let's Encrypt can reach the server but the server can't reach itself. |
-i <interval in seconds> | Configures the interval to wait between processing requests.
notes.ini equivalent:CertMgr_Interval |
-l | Logs curl requests to (IBM_TECHNICAL_SUPPORT/certmgr_curl__[..].log}) |
-1 | Runs CertMgr once and then terminates. Can be useful for testing. |
-o | Starts HTTP when using -c and HTTP is not running.
Note: To start HTTP automatically, you must still configure the ServerTasks notes.ini setting or a Program document.
notes.ini equivalent:CertMgr_AutoConfigHttp |
-r | Requests a certificate for the current server.
notes.ini equivalent: CertMgr_AutoRequestCert |
-u | Allows untrusted TLS certificates. Can be useful for testing. |
-U | Don't verify TLS hosts. Can be useful for testing. |
-v | Enables Verbose logging. |
-z | Gets directory URLs only and terminates. Can be useful for testing. |
-ACCEPT_TOU | Accepts the Let's Encrypt terms and services. Used with -r.
notes.ini equivalent:CertMgr_ACCEPT_TOU |
-importkyr key.kyr | all | Migrates a specific keyring file or all keyring files currently configured for a Domino server in a Server document or Web site document into a TLS Credentials document. The existing keyring files remain on disk. The files must have the .kyr extension.
The command can be run from any Domino 12 or later server with a certstore.nsf replica. |
-importpem file.pem | Imports a .pem file with a certificate chain and a private key into a new TLS Credentials document. Certificates in the chain do not need to be specified in a specific order. The .pem file is deleted upon a successful import. |
-MIGRATETOSERVER servername | Migrates the CertMgr process to a specified new server by using the new server to re-encyrpt all private keys in certstore.nsf. The new server must be a valid Domino server in the Domino domain with a replica of certstore.nsf.
Run the command on the current CertMgr server. Before running the command, ensure all CertMgr processes are complete and then issue tell certmgr shutdown to shut down CertMgr. |
-showcerts | Shows information about the currently loaded TLS credentials in certstore.nsf. To show this information on a server that runs CertMgr, you can also use use tell certmgr show certs. |
-showocsp | Uses Online Certificate Status Protocol (OCSP) to show the revocation state of TLS credentials in certstore.nsf To show this information on a server that runs CertMgr, you can also usetell certmgr show ocsp.
Requires OCSP to be enabled. If not enabled, the following error is shown: CertMgr: OCSP is disabled on this server. Set a OCSP responder URL via notes.ini 'OCSP_RESPONDER'). |