Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Daniel Nashed

Adding trusted roots to Domino containers

Daniel Nashed – 5 April 2025 10:04:29
Linux and Domino come with a good set of public trusted certificates.
But in a corporate environment you often have to add your own trusted root for a corporate CA.


This starts with Linux, which needs certificates to validate repository servers and other resources.


Domino trusted roots


But within Domino there are also trust stores which might need central management.

The trusted roots in the Domino Directory and in certstore.nsf can easily be updated centrally.


But the following two trust stores are more difficult to manage:


  • /local/notesdata/cacert.pem, used for HTTP requests in LotusScript and other backend code using curl
  • Domino JVM trust store used by Java

The cacert.pem file could be written by an agent.
But the JVM trusted roots are located in the binary directory, which is write-protected.
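The sketch below is an added example, not code from this post or from the domino-container project. It shows what a job maintaining cacert.pem has to get right: append a corporate root only if it is missing, compare certificates by the SHA-256 of their DER bytes rather than by text, and replace the file in one step. The function names and the sample blocks are assumptions made for illustration.

```python
import base64, hashlib, re, ssl, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Map SHA-256 of each certificate's DER bytes to its PEM block."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest(): b
            for b in PEM_BLOCK.findall(pem_text)}

def add_trusted_roots(bundle_path, roots_pem):
    """Append roots not yet in the bundle; return the fingerprints added."""
    bundle = Path(bundle_path)
    current = bundle.read_text() if bundle.exists() else ""
    known = fingerprints(current)
    new = {fp: b for fp, b in fingerprints(roots_pem).items() if fp not in known}
    if not new:
        return []  # nothing to do, file is left untouched
    if current and not current.endswith("\n"):
        current += "\n"
    # Write a sibling temp file and rename it, so a reader such as curl
    # never sees a half-written bundle.
    tmp = bundle.with_name(bundle.name + ".tmp")
    tmp.write_text(current + "".join(b + "\n" for b in new.values()))
    tmp.replace(bundle)
    return sorted(new)

def sample_pem(label, width=64):
    """Constructed placeholder block; NOT a real X.509 certificate."""
    b64 = base64.b64encode(label.encode() * 8).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        bundle = Path(d) / "cacert.pem"  # stand-in for /local/notesdata/cacert.pem
        bundle.write_text(sample_pem("public-root") + "\n")
        print(add_trusted_roots(bundle, sample_pem("corporate-root")))
        # Same certificate wrapped at a different width: recognised, not re-added
        print(add_trusted_roots(bundle, sample_pem("corporate-root", width=76)))
```

The function only de-duplicates; it does not check that a block is a valid X.509 root, so the corporate CA file should be vetted before it is passed in.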


The following document describes how this functionality works:


https://opensource.hcltechsw.com/domino-container/reference_custom_roots/

For feedback, please open a GitHub issue in the project instead of commenting on this blog post.


-- Daniel
