Managing TLS certificates with Certificate Manager

HCL Domino® 12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.

You use CertMgr and certstore.nsf to completely automate requesting, configuring, and renewing free, widely trusted TLS certificates from the Let's Encrypt® certificate authority (CA). You can also process certificate signing requests for other third-party CAs. In this case, you manually submit the generated CSR to the CA, and paste the certificates received into certstore.nsf.
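For the manual third-party CA flow above, the check an administrator wants before pasting a returned certificate into certstore.nsf is that the certificate really was issued for the CSR that was submitted (same public key) and that it chains to the CA's trusted root. The following script is an added example, not HCL's code or part of Domino; it assumes only the openssl command-line tool, and all keys, the CSR and the "CA" it uses are constructed throwaway samples generated on the fly (the paths under $work are assumptions).

```shell
#!/bin/sh
# Added example: sanity checks on a CA-issued certificate before importing it.
# Not part of Domino or CertMgr; requires only the openssl CLI.
set -e

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed samples: a throwaway key/CSR standing in for the CSR exported from
# certstore.nsf, a throwaway CA that signs it, and an unrelated CSR for a mismatch case.
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/ca.key" -out "$work/ca.pem" \
    -subj "/CN=Example Test CA" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$work/server.key" -out "$work/server.csr" \
    -subj "/CN=domino.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$work/server.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -out "$work/server.pem" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$work/other.key" -out "$work/other.csr" \
    -subj "/CN=domino.example.test" >/dev/null 2>&1
}

# Print "match" when the certificate ($2) carries the same public key as the CSR ($1),
# otherwise "mismatch". Both keys are normalised to DER and hashed so that PEM
# formatting differences do not matter.
csr_matches_cert() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  if [ "$csr_pub" = "$cert_pub" ]; then echo match; else echo mismatch; fi
}

# Print "ok" when the certificate ($2) chains to the trusted root ($1), else "untrusted".
chain_verifies() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

make_samples
echo "CSR vs issued cert:     $(csr_matches_cert "$work/server.csr" "$work/server.pem")"
echo "unrelated CSR vs cert:  $(csr_matches_cert "$work/other.csr" "$work/server.pem")"
echo "chain to trusted root:  $(chain_verifies "$work/ca.pem" "$work/server.pem")"
```

A "mismatch" result means the CA returned a certificate for some other key (or the wrong CSR was submitted); importing it would leave the server with a certificate whose private key it does not hold, so TLS handshakes would fail. Run the key comparison against the CSR actually exported from certstore.nsf and the chain check against the root the CA publishes, not against any file that arrived alongside the certificate.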

Domino continues to support using OpenSSL and KYRTool to generate certificates in a keyring file, the method available prior to Domino 12. But using Certificate Manager is a much easier process and is recommended. Note that certificates generated through Certificate Manager are securely stored directly in TLS Credentials documents in certstore.nsf rather than in attached keyring files.

The key components of certificate management are:

Certificate Manager (CertMgr) server task. This task runs on one server in a Domino domain and handles the certificate processing. It leverages new back-end security APIs and requires an HCL Domino® version 12 or higher server running on Docker, Windows, or UNIX. Where possible, CertMgr uses the standard PEM format for keys, Certificate Signing Requests (CSRs), and certificates.

Certificate Store database (certstore.nsf). This database provides the interface to request, store, and distribute certificates in a secure way. The CertMgr task creates this database the first time it runs. The database contains predefined Let's Encrypt® ACME account documents that include the trusted roots needed for certificates issued from the Let's Encrypt certificate authority. certstore.nsf is protected by the database ACL. The database can be replicated to any Domino server that runs Domino version 10 or higher.

CertMgr DSAPI. For certificates generated by the Let's Encrypt CA using HTTP-01 challenges, the ncertmgrdsapi (Windows) or certmgrdsapi (UNIX) DSAPI filter is required. You specify this filter in the DSAPI filter file names field in a Server document or Web Site document of servers for which certificates are requested. You can also use the server command load certmgr -c to add the filter to these documents automatically.