CertMgr command line parameters

The load certmgr command can be run with the following parameters.

Some command-line parameters have corresponding notes.ini settings to allow automation. If both are configured, the command-line parameter overrides the notes.ini setting.
Table 1. CertMgr command line parameters

-d
    Enables debug logging to IBM_TECHNICAL_SUPPORT/certmgr_debug_[..].log

-e <file>
    Specifies a separate, trusted CA certificate file for curl (default: cacerts.pem in the data directory).

-g
    Skips checking the challenge before authorization if the server can't reach itself. If outside and inside connections are handled differently, this allows the certificate request to complete when Let's Encrypt® can reach the server but the server can't reach itself.

-i <interval in seconds>
    Configures the interval to wait between processing requests.
    notes.ini equivalent: CertMgr_Interval

-l
    Logs curl requests to IBM_TECHNICAL_SUPPORT/certmgr_curl__[..].log

-1
    Runs CertMgr once and then terminates. Can be useful for testing.

-o
    Starts HTTP when using -c and HTTP is not running.
    Note: To start HTTP automatically, you must still configure the ServerTasks notes.ini setting or a Program document.
    notes.ini equivalent: CertMgr_AutoConfigHttp

-r
    Requests a certificate for the current server.
    notes.ini equivalent: CertMgr_AutoRequestCert

-u
    Allows untrusted TLS certificates. Can be useful for testing.

-U
    Does not verify TLS hosts. Can be useful for testing.

-v
    Enables verbose logging.

-z
    Gets directory URLs only and terminates. Can be useful for testing.

-ACCEPT_TOU
    Accepts the Let's Encrypt® terms of service. Used with -r.
    notes.ini equivalent: CertMgr_ACCEPT_TOU

-importkyr key.kyr | all
    Migrates a specific keyring file, or all keyring files currently configured for a Domino server in a Server document or Web Site document, into a TLS Credentials document. The existing keyring files remain on disk. The files must have the .kyr extension.
    The command can be run from any Domino 12 or later server with a certstore.nsf replica.

-importpem file.pem
    Imports a .pem file containing a certificate chain and a private key into a new TLS Credentials document. Certificates in the chain do not need to be in a specific order. The .pem file is deleted upon a successful import.

-MIGRATETOSERVER servername
    Migrates the CertMgr process to a specified new server, using the new server to re-encrypt all private keys in certstore.nsf. The new server must be a valid Domino server in the Domino domain with a replica of certstore.nsf.
    Run the command on the current CertMgr server. Before running the command, ensure all CertMgr processes are complete, and then issue tell certmgr shutdown to shut down CertMgr.

-showcerts
    Shows information about the currently loaded TLS credentials in certstore.nsf. On a server that runs CertMgr, you can also use tell certmgr show certs.

-showocsp
    Uses Online Certificate Status Protocol (OCSP) to show the revocation state of TLS credentials in certstore.nsf. On a server that runs CertMgr, you can also use tell certmgr show ocsp.
    Requires OCSP to be enabled. If it is not enabled, the following error is shown: CertMgr: OCSP is disabled on this server. Set a OCSP responder URL via notes.ini 'OCSP_RESPONDER').
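The following is an added example, not HCL's code, showing how the precedence rule stated at the top of this page (command line overrides notes.ini) resolves to an effective CertMgr configuration, and how the switches Table 1 marks as useful for testing (-u, -U, -1) can be flagged before a load command reaches a production server. It assumes the notes.ini value format (1 = enabled) and uses constructed sample settings.

```python
"""Resolve the effective CertMgr configuration from notes.ini plus the
'load certmgr' command line and flag test-only switches.
Added example, not HCL's code; the notes.ini value format (1 = enabled)
and the sample notes.ini contents at the bottom are assumptions."""
import shlex

# Command-line switch -> notes.ini equivalent, as listed in Table 1.
INI_EQUIVALENT = {"-i": "CertMgr_Interval", "-o": "CertMgr_AutoConfigHttp",
                  "-r": "CertMgr_AutoRequestCert",
                  "-ACCEPT_TOU": "CertMgr_ACCEPT_TOU"}
# Switches from Table 1 that consume the following token as their value.
TAKES_VALUE = {"-i", "-e", "-importkyr", "-importpem", "-MIGRATETOSERVER"}
# Switches Table 1 describes as useful for testing.
TEST_ONLY = {"-u": "accepts untrusted TLS certificates",
             "-U": "skips TLS host verification",
             "-1": "runs once and terminates"}


def parse_notes_ini(text):
    """Return {KEY: value} for Key=value lines; keys are upper-cased."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            settings[key.strip().upper()] = value.strip()
    return settings


def effective_config(notes_ini_text, command_line):
    """Merge both sources; returns (settings, overridden_keys, warnings)."""
    ini = parse_notes_ini(notes_ini_text)
    settings = {k: ini[k.upper()] for k in INI_EQUIVALENT.values()
                if k.upper() in ini}
    overridden, warnings = [], []
    argv = shlex.split(command_line)      # "load certmgr" tokens are ignored
    i = 0
    while i < len(argv):
        arg = argv[i]
        value = argv[i + 1] if arg in TAKES_VALUE and i + 1 < len(argv) else "1"
        if arg in INI_EQUIVALENT:
            key = INI_EQUIVALENT[arg]
            if key in settings and settings[key] != value:
                overridden.append(key)    # command line wins over notes.ini
            settings[key] = value
        if arg in TEST_ONLY:
            warnings.append(f"{arg}: {TEST_ONLY[arg]}; review before production use")
        i += 2 if arg in TAKES_VALUE else 1
    return settings, overridden, warnings


if __name__ == "__main__":
    SAMPLE_INI = "CertMgr_Interval=900\nCertMgr_AutoRequestCert=0\n"  # constructed
    print(effective_config(SAMPLE_INI, "load certmgr -r -ACCEPT_TOU -i 300 -U"))
```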

Table 2. CertMgr trusted root import parameters

ImportRootFromUrl URL
    Imports a trusted root from the specified URL into CertStore (for example, https://mycompany.com).

ImportRootFromDominoDir
    Imports trusted roots from the Domino Directory.

ImportRootFromFile file
    Imports a file containing a single PEM-encoded trusted root certificate into CertStore.