Configuring Domino server to request a certificate

After you've run Certificate Manager (CertMgr) to create the Certificate Store (certstore.nsf), prepare the HCL Domino® server to request a certificate.

About this task

A Domino 12 server must request the certificate. The server for which the certificate is requested can be an internet-facing Domino 10, 11, or 12 Web server running on 64-bit Windows or Linux.

Procedure

  1. Review the Certificate Store (certstore.nsf) ACL. Administrators and Domino servers in the domain require Manager access and the Administrator role. LocalDomainAdmins and LocalDomainServers have this access by default.
  2. Configure the outgoing HTTPS port (443) on the CertMgr server. If the server connects to Let's Encrypt® servers through a proxy server, configure a proxy account in certstore.nsf. For more information, see Configuring CertMgr to connect through a proxy.
  3. Use the notes.ini setting HttpPublicURLs to configure the Web server for which the certificate is being requested to respond to HTTP requests on port 80 on the .well-known/acme-challenge/ URL:
    The following example uses the notes.ini setting HttpPublicURLs to define the .well-known/acme-challenge/ URL and to use an iNotes or Verse redirect login database:
    HttpPublicURLs=/redir.nsf/*:/.well-known/acme-challenge/* 
    Note: For this Early Access drop, redirecting HTTP (Port 80) to HTTPS (Port 443) is not supported.
  4. Enable the required DSAPI filter on the Web server for which the certificate is being requested:
    1. If using a Web Site document, click the Configuration tab. If using a Server document, click the Internet Protocols > HTTP tab.
    2. In the DSAPI section of the document, enter one of the following values in the DSAPI filter file names field.

      On Windows, enter ncertmgrdsapi.

      On Linux, enter certmgrdsapi.

  5. If the Web server for which the certificate is requested is not the Domino server making the request, complete these steps:
    1. Make sure the Web server has access to the Certificate Store (certstore.nsf) database on the Domino 12 server.
    2. Add the following notes.ini setting to the Web server to identify the Domino server making the request:
      CertMgr_Server=<Domino12_servername>
      For example:
      CertMgr_Server=domino-v12/Srv/Renovations
  6. Restart the HTTP task on the Web server:
    restart task http
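
A pre-flight check for the notes.ini settings from steps 3 and 5, run against a copy of the Web server's notes.ini before restarting HTTP. This is an added example, not HCL code; the function names and sample files are constructed, and it assumes HttpPublicURLs patterns are colon-separated (as in the example line above) and that setting names match case-insensitively.

```python
ACME_PATTERN = "/.well-known/acme-challenge/*"

def parse_notes_ini(text):
    """Map each lowercased setting name to the list of values given for it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue  # section header such as [Notes], blank line, or stray text
        key, value = line.split("=", 1)
        # Assumption: setting names are matched case-insensitively.
        settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings

def check_web_server_ini(text, separate_certmgr_server):
    """Return findings for steps 3 and 5; an empty list means both look right."""
    ini = parse_notes_ini(text)
    findings = []
    for name in ("HttpPublicURLs", "CertMgr_Server"):
        if len(ini.get(name.lower(), [])) > 1:
            findings.append(f"{name} is set more than once")
    # Step 3. Assumption: patterns are colon-separated, as in the page's example.
    patterns = [p.strip() for v in ini.get("httppublicurls", []) for p in v.split(":")]
    if ACME_PATTERN not in patterns:
        findings.append(f"HttpPublicURLs does not list {ACME_PATTERN}")
    # Step 5 applies only when a different Domino server makes the request.
    if separate_certmgr_server:
        values = ini.get("certmgr_server", [])
        if not values or not values[0]:
            findings.append("CertMgr_Server is not set")
        elif "<" in values[0] or ">" in values[0]:
            findings.append("CertMgr_Server still holds the placeholder text")
    return findings

# Constructed sample files, not taken from a real server.
GOOD = """[Notes]
HttpPublicURLs=/redir.nsf/*:/.well-known/acme-challenge/*
CertMgr_Server=domino-v12/Srv/Renovations
"""
BAD = """[Notes]
HttpPublicURLs=/redir.nsf/*
CertMgr_Server=<Domino12_servername>
"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_web_server_ini(text, separate_certmgr_server=True))
```

Pass separate_certmgr_server=False when the Web server is itself the Domino 12 server making the request, since step 5 does not apply in that case.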