Using Domino Console to create MicroCA certificates for existing servers
For existing servers, a Domino Console command generates microCA certificates to replace the former process of using self-signed certificates to establish the initial SSL/TLS connection for the Server Controller and Java-based Domino Console.
Before you begin
About this task
Follow these instructions to address security concerns related to the use of self-signed certificates on existing Java-based Domino consoles and server controllers.
Procedure
- If the cert manager process isn't running on the Domino domain's administration server, start the cert manager process by loading the process ncertmgr.
- Run the certmgmt console command as follows:
certmgmt create mca controller|console FQDN-of-the-server-hostname
- Import the certificates into the key store and trust store as follows:
- Start the server using the Server Controller:
nserver -jc
The Server Controller in turn starts the jconsole and nserver processes, while the microCA certificates are imported into the trust stores and key stores, respectively.
The following four files are created:
- 07/08/2022 03:25 PM 4,245 jconsole_c_ks.p12
- 07/08/2022 03:25 PM 1,618 jconsole_c_ts.p12
- 07/08/2022 03:25 PM 4,309 jconsole_s_ks.p12
- 07/08/2022 03:25 PM 1,642 jconsole_s_ts.p12
The original .p12 files that were imported get renamed to .old as follows:
- 06/13/2022 12:52 PM 4,224 myhost_mydomain_c.p12.old
- 06/13/2022 12:51 PM 4,312 myhost_mydomain_s.p12.old
The certificate file lines that you added to dcontroller.ini and/or dconsole.ini are changed to the following line:
Certificate_File=myhost_mydomain_s.p12,****,
Note: **** indicates that the certificate was processed or imported and won't be processed again.
- Once the microCA certificates are imported, the server controller or Domino Console will no longer use the old self-signed certificates.
- The jconsole supports importing multiple domain certificates into key and trust stores, which lets you connect to multiple domain servers. Edit the dconsole.ini file in the data directory of the server and add the following lines:
- Certificate_File=myhostA_mydomainA_c.p12,,
- Certificate_File=myhostB_mydomainB_c.p12,,
- Certificate_File=myhostC_mydomainC_c.p12,,
- If you want to use your own certificates instead of Domino microCA certificates, follow these steps.
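
To confirm that the microCA import described in the procedure above actually completed, the following shell check can be run against the server's data directory. It is an added example, not part of the product documentation. The file names come from this page; the function names, status labels and demo data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Domino data directory after the microCA import.
# File names (dcontroller.ini, dconsole.ini, jconsole_*.p12) come from the page;
# the function names and status labels are assumptions made for this sketch.

# Report each Certificate_File line in one ini file. Returns 1 if an entry
# lacks the **** marker or its source .p12 was not renamed to .old.
check_ini() {
    dir=$1; ini=$2; rc=0
    [ -f "$dir/$ini" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in Certificate_File=*) ;; *) continue ;; esac
        value=${line#Certificate_File=}
        file=${value%%,*}            # first field: the .p12 file name
        rest=${value#*,}
        marker=${rest%%,*}           # second field: **** once processed
        if [ "$marker" != '****' ]; then
            echo "PENDING   $ini: $file"; rc=1
        elif [ ! -f "$dir/$file.old" ]; then
            echo "NO-OLD    $ini: $file"; rc=1
        else
            echo "PROCESSED $ini: $file"
        fi
    done < "$dir/$ini"
    return $rc
}

# Check both ini files and the four store files the page lists as created.
check_microca_import() {
    dir=$1; bad=0
    for ini in dcontroller.ini dconsole.ini; do
        check_ini "$dir" "$ini" || bad=1
    done
    for store in jconsole_c_ks.p12 jconsole_c_ts.p12 \
                 jconsole_s_ks.p12 jconsole_s_ts.p12; do
        [ -f "$dir/$store" ] || { echo "MISSING   $store"; bad=1; }
    done
    return $bad
}

# Constructed demo data: one processed entry, one pending, two stores absent.
demo=$(mktemp -d)
printf '%s\n' 'Certificate_File=myhost_mydomain_s.p12,****,' > "$demo/dcontroller.ini"
printf '%s\n' 'Certificate_File=myhostA_mydomainA_c.p12,,' > "$demo/dconsole.ini"
touch "$demo/myhost_mydomain_s.p12.old" "$demo/jconsole_s_ks.p12" "$demo/jconsole_s_ts.p12"
check_microca_import "$demo" || echo "import incomplete"
rm -rf "$demo"
```

A PENDING entry means the .p12 named on that line has not yet been imported into the key and trust stores, so the listed certificate is not yet in use.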