Using Domino Console to create MicroCA certificates for existing servers

For existing servers, a Domino Console command generates microCA certificates to replace the former process of using self-signed certificates to establish the initial SSL/TLS connection for the Server Controller and Java-based Domino Console.

Before you begin

The certstore.nsf application must exist and the CertMgr task must be running.

About this task

Follow these instructions to address security concerns related to the use of self-signed certificates on existing Java-based Domino consoles and server controllers.

Note: For new servers, these concerns are handled by the CertMgr process: during server setup, a certificate is automatically created for the server controller and Domino Console. The certificates are created as PKCS12 files with the .p12 extension. These files are created in the data directory of the server, where the console command is issued.

Procedure

  1. If the cert manager process isn't running on the Domino domain's administration server, start it by loading the process ncertmgr.
  2. Run the certmgmt console command as follows:
    certmgmt create mca controller|console FQDN-of-the-server-hostname
    1. Run the following command to create a certificate for server controller of the server running on the host myhost in the Domino domain mydomain:
      certmgmt create mca controller myhost.example.com

      A file named myhost_mydomain_s.p12 will be created.

    2. Create a certificate for the Domino Console of the server running on the host myhost in the Domino domain mydomain:
      certmgmt create mca console myhost.mydomain.com

      A file named myhost_mydomain_c.p12 will be created.

  3. Import the certificates into the key store and trust store as follows:
    1. Edit the dcontroller.ini file in the data directory of the server and add the following line:

      Certificate_File=myhost_mydomain_s.p12,,

    2. Edit the dconsole.ini file in the data directory of the server and add the following line

      Certificate_File=myhost_mydomain_c.p12,,

  4. Start the server using the Server Controller:
    nserver -jc

    The Server Controller in turn starts the jconsole and nserver processes and imports the microCA certificates into the respective key stores and trust stores.

    The following four files are created:
    • 07/08/2022 03:25 PM 4,245 jconsole_c_ks.p12
    • 07/08/2022 03:25 PM 1,618 jconsole_c_ts.p12
    • 07/08/2022 03:25 PM 4,309 jconsole_s_ks.p12
    • 07/08/2022 03:25 PM 1,642 jconsole_s_ts.p12
    The original .p12 files that were imported get renamed to .old as follows:
    • 06/13/2022 12:52 PM 4,224 myhost_mydomain_c.p12.old
    • 06/13/2022 12:51 PM 4,312 myhost_mydomain_s.p12.old

    The certificate file lines that you added to dcontroller.ini and/or dconsole.ini are changed to the following line:

    Certificate_File=myhost_mydomain_s.p12,****,

    Note: **** indicates that the certificate was processed or imported and won't be processed again.
  5. Once the microCA certificates are imported, the server controller or Domino Console will no longer use the old self-signed certificates.
  6. The jconsole supports importing multiple domain certificates into its key and trust stores, so that you can connect to servers in multiple domains. Edit the dconsole.ini file in the data directory of the server and add the following lines:
    • Certificate_File=myhostA_mydomainA_c.p12,,
    • Certificate_File=myhostB_mydomainB_c.p12,,
    • Certificate_File=myhostC_mydomainC_c.p12,,
  7. If you want to use your own certificates instead of Domino microCA certificates, follow these steps.
    1. Export your certificate in PKCS12 format (with the .p12 extension).
    2. Copy the file to the data directory of your server and/or client area, depending on the server or console's certificate.
    3. Edit dcontroller.ini or dconsole.ini to add a Certificate_File= line or lines, as shown:

      Certificate_File=your-certificate-filename.p12,password-for-your-certificate-file,
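As an added example, not part of the HCL documentation or the Domino product, the following Python script audits the Certificate_File= lines of a dcontroller.ini or dconsole.ini against the contents of the data directory, using the conventions described above: an empty password field means the file is still waiting to be imported, **** means it was already processed and the original should have been renamed to .p12.old, and a non-empty password on an unprocessed line for your own certificate is stored in cleartext in the .ini file (something to check file permissions for). The sample .ini text and file set are constructed; the assumed line format is filename,password,.

```python
import re
from pathlib import Path

# Constructed sample of a dconsole.ini holding one imported and one pending entry.
SAMPLE_INI = """\
Certificate_File=myhostA_mydomainA_c.p12,****,
Certificate_File=myhostB_mydomainB_c.p12,,
"""

# Assumed format: Certificate_File=<p12 filename>,<password or **** or empty>,
LINE_RE = re.compile(r"^\s*Certificate_File=([^,]+),([^,]*),\s*$")


def parse_certificate_lines(ini_text):
    """Return a list of (filename, password_field) for every Certificate_File= line."""
    entries = []
    for line in ini_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip()))
    return entries


def audit_entries(entries, present_files):
    """Classify each entry given the set of file names in the data directory.

    'imported'             : marked **** and the original was renamed to .p12.old
    'imported (no .old)'   : marked **** but no renamed original was found
    'pending'              : not yet processed and the .p12 file is present
    'pending (missing)'    : not yet processed and the .p12 file is absent
    'pending (cleartext)'  : own certificate with its password still in the .ini
    """
    report = {}
    for name, pw in entries:
        if pw == "****":
            backup = name + ".old"
            report[name] = "imported" if backup in present_files else "imported (no .old)"
        elif pw == "":
            report[name] = "pending" if name in present_files else "pending (missing)"
        else:
            report[name] = "pending (cleartext)"
    return report


def audit_ini_file(ini_path):
    """Audit a real .ini file; the data directory is assumed to be the .ini's directory."""
    ini_path = Path(ini_path)
    present = {p.name for p in ini_path.parent.iterdir()}
    return audit_entries(parse_certificate_lines(ini_path.read_text()), present)
```

Run audit_ini_file("dconsole.ini") from the server's data directory to list which certificates the console has imported and which are still pending.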