Configuring Domino server to request a certificate
After you've run Certificate Manager (CertMgr) to create the Certificate Store (certstore.nsf), prepare the HCL Domino® server to request a certificate.
Procedure
- Review the Certificate Store (certstore.nsf) ACL. Administrators and Domino servers in the domain require Manager access and the Administrator role. LocalDomainAdmins and LocalDomainServers have this access by default.
- Configure the outgoing HTTPS port (443) on the CertMgr server. If the server connects to Let's Encrypt® servers through a proxy server, configure a proxy account in certstore.nsf. For more information, see Configuring CertMgr to connect through a proxy.
- Use the notes.ini setting HttpPublicURLs to configure the Web server for which the certificate is being requested to respond to HTTP requests on port 80 on the .well-known/acme-challenge/ URL.
  The following example uses the notes.ini setting HttpPublicURLs to define the .well-known/acme-challenge/ URL and to use an iNotes or Verse redirect login database:
  HttpPublicURLs=/redir.nsf/*:/.well-known/acme-challenge/*
  Note: For this Early Access drop, redirecting HTTP (Port 80) to HTTPS (Port 443) is not supported.
- Enable the required DSAPI filter on the Web server for which the certificate is being requested:
  - If using a Web Site document, click the Configuration tab. If using a Server document, click the Internet Protocols > HTTP tab.
  - In the DSAPI section of the document, enter one of the following values in the DSAPI filter file names field.
    On Windows, enter ncertmgrdsapi.
    On Linux, enter certmgrdsapi.
- If the Web server for which the certificate is requested is not the Domino server making the request, complete these steps:
  - Make sure the Web server has access to the Certificate Store (certstore.nsf) database on the Domino 12 server.
  - Add the following notes.ini setting to the Web server to identify the Domino server making the request:
    CertMgr_Server=<Domino12_servername>
    For example:
    CertMgr_Server=domino-v12/Srv/Renovations
- Restart the HTTP task on the Web server:
  restart task http
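
The notes.ini settings from this procedure can be checked before the HTTP task is restarted. The script below is an added example, not HCL code: the function names (ini_get, check_notes_ini, make_sample) are hypothetical, and it assumes that HttpPublicURLs entries are separated by colons as in the example above and that setting names can be matched case-insensitively.

```shell
#!/bin/sh
# Added example (not HCL code): audit a notes.ini for this procedure's settings.

# Print the value of a setting. Assumption: names are matched
# case-insensitively and the first occurrence is used.
ini_get() {
    awk -F= -v key="$1" 'tolower($1) == tolower(key) {
        sub(/^[^=]*=/, ""); sub(/\r$/, ""); print; exit }' "$2"
}

# check_notes_ini FILE [local|remote]; returns 0 when no finding is reported.
# "remote" = this Web server is not the Domino server making the request.
check_notes_ini() {
    ini=$1; mode=${2:-local}; rc=0
    urls=$(ini_get HttpPublicURLs "$ini")
    # Entries are ':'-separated URL patterns, as in the page's example.
    case ":$urls:" in
        *":/.well-known/acme-challenge/*:"*) ;;
        *) echo "FAIL: HttpPublicURLs lacks /.well-known/acme-challenge/*"; rc=1 ;;
    esac
    # A catch-all entry is wider than the challenge path needs; report it.
    old_ifs=$IFS; IFS=:; set -f
    for p in $urls; do
        case $p in
            "/*"|"*") echo "FAIL: catch-all HttpPublicURLs entry '$p'"; rc=1 ;;
        esac
    done
    set +f; IFS=$old_ifs
    if [ "$mode" = remote ] && [ -z "$(ini_get CertMgr_Server "$ini")" ]; then
        echo "FAIL: CertMgr_Server is not set on this Web server"; rc=1
    fi
    return $rc
}

# Constructed sample file; values are taken from the examples on this page.
make_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' '[Notes]' \
        'HttpPublicURLs=/redir.nsf/*:/.well-known/acme-challenge/*' \
        'CertMgr_Server=domino-v12/Srv/Renovations' > "$f"
    echo "$f"
}

if [ $# -gt 0 ]; then check_notes_ini "$@"; fi
```

Run it with the path to notes.ini as the first argument, and add remote as the second argument on a Web server that is not the Domino server making the request.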