Managing TLS certificates with Certificate Manager

HCL Domino® 12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.

You use CertMgr and certstore.nsf to completely automate requesting, configuring, and renewing free, widely trusted TLS certificates from the Let's Encrypt® certificate authority (CA). You can also process certificate signing requests for other third-party CAs. In this case, you manually submit the generated CSR to the CA, and paste the certificates received into certstore.nsf.

Domino continues to support using OpenSSL and KYRTool to generate certificates in a keyring file, the method available prior to Domino 12. But using Certificate Manager is a much easier process and is recommended. Note that certificates generated through Certificate Manager are securely stored directly in TLS Credentials documents in certstore.nsf rather than in keyring files on disk.

The key components of certificate management are:

Certificate Manager (CertMgr) server task. This task runs on one server in a Domino domain and handles the certificate processing, leveraging new back-end security APIs. Where possible, CertMgr uses the standard PEM format for keys, Certificate Signing Requests (CSRs), and certificates.
  • The CertMgr server task to manage certificates is available for Domino 12 servers on Docker (containers), Linux, and Windows.
  • The TLS cache to consume TLS credentials is available on all platforms. In Domino 12.0, ACME HTTP-01 challenges are only available on Domino for Docker (containers), Linux, and Windows. Starting with Domino 12.0.1, the functionality is part of the HTTP task and is available for all platforms.

Certificate Store database (certstore.nsf) This database provides the interface to request, store, and distribute certificates in a secure way. The CertMgr task creates this database the first time it runs. The database contains predefined Let's Encrypt® ACME account documents needed for certificates issued from the Let's Encrypt certificate authority. certstore.nsf is protected by the database ACL and private keys are protected by 256 bit AES encryption. The database can be replicated to any Domino server that runs Domino 12 or higher.

  • The import/export functionality requires Notes 12.0.1 or higher on Windows or Mac.
  • While Domino servers on IBMi cannot run CertMgr to request certificates, they can read certificates from certstore.nsf. IBMi only supports RSA keys. ECDSA keys are not supported.