CertMgr command line parameters

The load certmgr command can be run with the following parameters.

Some command-line parameters have corresponding notes.ini settings to allow automation. If both are configured, the command-line parameter overrides the notes.ini setting.
Table 1. CertMgr command line parameters
Parameter Description
-r Requests a certificate for the current server.

notes.ini equivalent: CertMgr_AutoRequestCert

-c Enables the DSAPI filter and restarts the HTTP task if it is already running.

notes.ini equivalent: CertMgr_AutoConfig

-o Starts HTTP when using -c and HTTP is not running.
Note: To start HTTP automatically, you must still configure the ServerTasks notes.ini setting or a Program document.

notes.ini equivalent: CertMgr_AutoConfigHttp

-i <interval in seconds> Configures the interval to wait between processing requests.

notes.ini equivalent: CertMgr_Interval

-1 Runs CertMgr once and then terminates. Can be useful for testing.
-u Allows untrusted TLS certificates. Can be useful for testing.
-U Does not verify TLS hosts. Can be useful for testing.
-e <file> Specifies a separate, trusted CA cert file for Curl (default: data-dir: cacerts.pem)
-z Gets directory URLs only and terminates. Can be useful for testing.
-g Avoids checking the challenge before authorization if the server can't reach itself. If outside and inside connections are handled differently, allows the certificate request to complete when Let's Encrypt® can reach the server but the server can't reach itself.
-d Enables Debug logging to IBM_TECHNICAL_SUPPORT/certmgr_debug_[..].log.
-l Logs curl requests to IBM_TECHNICAL_SUPPORT/certmgr_curl__[..].log.
-v Enables Verbose logging.
-ACCEPT_TOU Accepts the Let's Encrypt® terms and services. Used with -r.

notes.ini equivalent: CertMgr_ACCEPT_TOU

-importkyr key.kyr | all Migrates a specific keyring file or all keyring files currently configured for a Domino server in a Server document or Web site document into a TLS Credentials document. The existing keyring files remain on disk. The files must have the .kyr extension.

The command can be run from any Domino 12 or later server with a certstore.nsf replica.

-importpem file.pem Imports a .pem file with a certificate chain and a private key into a new TLS Credentials document. Certificates in the chain do not need to be specified in a specific order. The .pem file is deleted upon a successful import.
-MIGRATETOSERVER servername Migrates the CertMgr process to a specified new server by using the new server to re-encrypt all private keys in certstore.nsf. The new server must be a valid Domino server in the Domino domain with a replica of certstore.nsf.

Run the command on the current CertMgr server. Before running the command, ensure all CertMgr processes are complete and then issue tell certmgr shutdown to shut down CertMgr.
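
The table gives no notes.ini equivalent for -u and -U, so a review for these testing-only switches has to look at the command lines themselves. The following is an added example, not part of the product or its documentation: a small parser for load certmgr lines that uses only the parameters in Table 1. The names parse_certmgr, PARAMS, TLS_RELAXING and SAMPLE are hypothetical, the sample lines are constructed, and exact-case parameter matching is an assumption based on -u and -U being separate rows.

```python
import shlex

# Parameters from the table above; True means the parameter takes an argument.
PARAMS = {"-r": False, "-c": False, "-o": False, "-i": True, "-1": False,
          "-u": False, "-U": False, "-e": True, "-z": False, "-g": False,
          "-d": False, "-l": False, "-v": False, "-ACCEPT_TOU": False,
          "-importkyr": True, "-importpem": True, "-MIGRATETOSERVER": True}

# Rows described as "useful for testing" that relax outbound TLS checks.
TLS_RELAXING = {"-u": "allows untrusted TLS certificates",
                "-U": "does not verify TLS hosts"}


def parse_certmgr(line):
    """Return (params, findings) for a 'load certmgr ...' line, else None."""
    tokens = shlex.split(line)
    # Assumption: the console treats 'load certmgr' case-insensitively.
    if [t.lower() for t in tokens[:2]] != ["load", "certmgr"]:
        return None
    params, findings, i = {}, [], 2
    while i < len(tokens):
        tok = tokens[i]  # exact-case match: -u and -U are different rows
        if tok not in PARAMS:
            findings.append(f"unknown parameter {tok}")
        elif PARAMS[tok]:
            if i + 1 >= len(tokens) or tokens[i + 1] in PARAMS:
                findings.append(f"{tok} is missing its argument")
            else:
                i += 1
                params[tok] = tokens[i]
        else:
            params[tok] = True
        i += 1
    for flag, meaning in TLS_RELAXING.items():
        if flag in params:
            findings.append(f"{flag} {meaning}; documented for testing")
    return params, findings


# Constructed sample lines (paths and values are made up for illustration).
SAMPLE = ["load certmgr -r -ACCEPT_TOU -i 30",
          "load certmgr -1 -u -U -e /local/notesdata/testca.pem",
          "load certmgr -importpem",
          "load http"]

if __name__ == "__main__":
    for line in SAMPLE:
        result = parse_certmgr(line)
        if result and result[1]:
            print(line, "->", "; ".join(result[1]))
```

Feed it the command lines collected from Program documents or startup scripts; any finding that mentions -u or -U marks an invocation that should not be left in place after testing.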