Requesting a certificate from the Let's Encrypt CA

Request a certificate from the Let's Encrypt® CA using the certstore.nsf interface.

Before you begin


  1. Start the HTTP server task on the server.
  2. Open certstore.nsf, select the TLS CREDENTIALS > By Host Name and click Add TLS Credentials.
  3. In the Certificate provider field, select ACME.
  4. In the Host names field, specify the host names of the internet-facing servers to request a certificate for.
    • You can specify multiple host names, for example,,, and
    • If host names map to a registered domain in a DNS Provider Account, DNS-01 challenges are used. For DNS-01, you can use wildcards in the Host names field to validate an entire domain, for example, * Wildcards are not supported for HTTP-01 challenges which can only be used to validate host by host.
    • If a single IP address is mapped to more than one Web host through Internet Sites, specify the Subject Alternative Name (SAN) name for each Web host. You can add up to 30 SANs for one certificate.
    • You can enter international (non-ASCII) characters in this field. The CertMgr task converts them to Punycode (, the standard encoding for Internationalized Domain Names (IDN). Once the certificate is received, the TLS Credentials form displays the Punycode representation of the SANs read from the certificate.
    Note: Also put the Web server DNS host name in the TLS key file name field in the Server document or the Key file name field of a Web Site document.
  5. In the Servers with access field, select the Domino servers with which to encrypt the private key of the TLS credentials so that they can read the private key and use the certificates.
  6. The values for other fields are derived from the Global Settings you specified in Configuring Global Settings. Adjust these fields, if necessary.
  7. Click Submit Request.


The following steps occur to process the request:
  1. Generate a key pair for the TLS credentials and store it in the new TLS Credentials document, encrypted for the servers listed in the Servers with access field. This step is done only for the initial certificate request and not for subsequent requests.
  2. Create a Certificate Signing Request (CSR) and submit it to the Let's Encrypt® CA for certification.
  3. If you use HTTP-01 challenges, the Let's Encrypt CA sends the challenge to CertMgr over the ACME protocol for each host name you register. The challenge is stored in the certstore.nsf database for HTTP task to pick up when the Let's Encrypt® service requests the challenge to verify the identity of the requesting Web server.

    If you use DNS-01 challenges (a DNS Provider Configuration and a DNS Provider Account is enabled for the specified host name) a DNS server uses the DNS API integration in the DNS Provider Configuration to write the challenge information into a DNS TXT record in your registered domain. The Let's Encrypt service uses the DNS TXT record to verify the challenge.

  4. The CertMgr task uses the ACME protocol to request the issued certificate chain from the Let's Encrypt CA. If the certificate chain is not ready, the CertMgr task polls the CA until the certificate chain is available. 
  5. CertMgr writes the new certificate chain to the new TLS Credentials document. Any Domino server listed in the Servers with access field can use the certificate chain once the new document replicates to its replica of the certstore.nsf database.
  6. By default a keyfile.kyr is generated holding the private key, certificate, and certificate chain including the CA's root certificate. The kyr file is stored in the key file document. If CertMgr requests a certificate for the local machine (the local server is listed in "Servers" field of the keyfile document) the kyr-file is automatically deployed to the server's data directory -- ready to use for HTTP and other internet protocols to use.