Preparing to request certificates using DNS-01 challenges

Before you can request a certificate from the Let's Encrypt® CA using DNS-01 challenges, you first need to create a DNS Provider Configuration and a DNS Provider Account.

Before you begin

About this task

The DNS Provider Configuration document created in this procedure contains code that is specific to a DNS provider API to automate storing the challenge received from Let's Encrypt servers to a TXT record in your registered DNS domain.

This procedure provides steps to automatically configure DNS Provider Configurations documents for two specific DNS providers. This configuration is done by importing a DXL file available through the HCL Support article at the beginning of this procedure. The DXL file contains provider-specific API code.

However, if your DNS provider is not one of the reference providers available through the DXL file, there is support for developing your own DNS Provider Configuration document according to the requirements of your DNS provider API. More information about this approach is also found through the Support article.

The DNS Provider Account document created in this procedure is used to associate your domain with the DNS Provider in certstore.nsf. Later, when you create a TLS Credentials document to request a certificate for a host name within this domain, CertMgr knows to use DNS-01challenges.


  1. Create a DNS Configuration document with a reference implementation:
    1. Download the DXL file provided through the Support article.
    2. Open certstore.nsf.
    3. Click the DNS Configuration view.
    4. Select Actions > Import DXL to create a DNS Provider Configuration document for each of the two reference DNS providers.
    • The Basic tab of each DNS Provider Configuration document that is created includes documentation on the implementation for the associated reference DNS provider.
    • Certificate request logging is posted in the DNS Trace Logs view of certstore.nsf. By default, only errors are logged. You can enable full logging by selecting Enabled in the HTTP request tracing field in the Operations tab of the DNS Provider Configuration document. Or, disable logging by selecting Disabled.
  2. Create the DNS Provider Account. Typically you create one account per DNS provider.
    1. Click the DNS Providers view.
    2. Click Add Account.
    3. In the Registered domain field, enter the DNS domain to request certificates for. For example,
    4. In the Account name field, provide a name for the account.
    5. In the Status field, select Enabled.
    6. In the DNS provider configuration field, select the DNS Provider configuration you use. Click ? to open the DNS Provider Configuration document to reference it as you complete the remaining steps.
    7. Complete the fields in the Configuration Values section as required by your DNS provider.
    8. Save & Close.

What to do next

Complete the procedure, Configuring the ACME account profiles.