
CertMgr command line parameters

The load certmgr command can be run with the following parameters.

Some command-line parameters have corresponding notes.ini settings to allow automation. If both are configured, the command-line parameter takes precedence over the notes.ini setting.

Table 1. CertMgr command line parameters

Parameter
    Description

-d
    Enables Debug logging to IBM_TECHNICAL_SUPPORT/certmgr_debug_[..].log

-e <file>
    Specifies a separate, trusted CA cert file for curl (default: cacerts.pem in the data directory)

-g
    Skips checking the challenge before authorization if the server can't reach itself. If outside and inside connections are handled differently, this allows the certificate request to complete when Let's Encrypt can reach the server but the server can't reach itself.

-i <interval in seconds>
    Configures the interval to wait between processing requests.
    notes.ini equivalent: CertMgr_Interval

-l
    Logs curl requests to IBM_TECHNICAL_SUPPORT/certmgr_curl__[..].log

-1
    Runs CertMgr once and then terminates. Can be useful for testing.

-o
    Starts HTTP when using -c and HTTP is not running.
    Note: To start HTTP automatically, you must still configure the ServerTasks notes.ini setting or a Program document.
    notes.ini equivalent: CertMgr_AutoConfigHttp

-r
    Requests a certificate for the current server.
    notes.ini equivalent: CertMgr_AutoRequestCert

-u
    Allows untrusted TLS certificates. Can be useful for testing.

-U
    Doesn't verify TLS hosts. Can be useful for testing.

-v
    Enables Verbose logging.

-z
    Gets directory URLs only and terminates. Can be useful for testing.

-ACCEPT_TOU
    Accepts the Let's Encrypt terms of service. Used with -r.
    notes.ini equivalent: CertMgr_ACCEPT_TOU

-importkyr key.kyr | all
    Migrates a specific keyring file, or all keyring files currently configured for a Domino server in a Server document or Web site document, into a TLS Credentials document. The existing keyring files remain on disk. The files must have the .kyr extension.
    The command can be run from any Domino 12 or later server with a certstore.nsf replica.

-importpem file.pem
    Imports a .pem file containing a certificate chain and a private key into a new TLS Credentials document. Certificates in the chain do not need to be in a specific order. The .pem file is deleted after a successful import.

-MIGRATETOSERVER servername
    Migrates the CertMgr process to the specified new server by using the new server to re-encrypt all private keys in certstore.nsf. The new server must be a valid Domino server in the Domino domain with a replica of certstore.nsf.
    Run the command on the current CertMgr server. Before running the command, ensure all CertMgr processes are complete and then issue tell certmgr shutdown to shut down CertMgr.

-showcerts
    Shows information about the currently loaded TLS credentials in certstore.nsf. On a server that runs CertMgr, you can also use tell certmgr show certs.

-showocsp
    Uses Online Certificate Status Protocol (OCSP) to show the revocation state of TLS credentials in certstore.nsf. On a server that runs CertMgr, you can also use tell certmgr show ocsp.
    Requires OCSP to be enabled. If it is not enabled, the following error is shown: CertMgr: OCSP is disabled on this server. Set a OCSP responder URL via notes.ini 'OCSP_RESPONDER'.


Table 2. CertMgr trusted root import parameters

Parameter
    Description

ImportRootFromUrl URL
    Imports a trusted root from the specified URL into CertStore (for example, https://mycompany.com).

ImportRootFromDominoDir
    Imports trusted roots from the Domino Directory.

ImportRootFromFile file
    Imports a file containing a single PEM-encoded trusted root certificate into CertStore.