Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Certificate Lifetimes Are Shrinking — Is Your Domino Infrastructure Ready?

Daniel Nashed – 30 March 2026 21:24:07

Certificate maximum lifetimes dropped to 200 days in March 2026 and will reach 47 days by 2029.
At that frequency, manual renewal becomes operationally impossible. HCL Domino CertMgr automates issuance and renewal end-to-end.
This includes certificate rollover and also key rollover, which is just as important as rolling over certificates and is often overlooked in current discussions.


For everything outside Domino — NGINX, load balancers, and other services — there is a need for automated certificate management.

Rotating the private key on every renewal cycle is the part most deployments have not solved yet.
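As an added example (not code from the post or from the srvguard project), here is a small POSIX shell check that tells you whether a renewal actually rolled the private key, by comparing the SubjectPublicKeyInfo fingerprint of the old and new certificate. It assumes the openssl CLI is installed and constructs its own throwaway demo certificates; the hostname domino.example.com and file names are placeholders.

```shell
#!/bin/sh
# Added example: detect renewals that reused the old private key.
# Assumes the openssl CLI is available; the demo certificates below are
# constructed locally and are not real Domino or CertMgr artifacts.
set -eu

# SHA-256 fingerprint of a certificate's SubjectPublicKeyInfo (DER form).
# Two certificates share a private key exactly when this value matches.
spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) when the new certificate carries a different key
# than the old one, i.e. the renewal also performed a key rollover.
key_rolled() {
  [ "$(spki_fingerprint "$1")" != "$(spki_fingerprint "$2")" ]
}

# Constructed demo: one key reused for two certificates (renewal without
# key rollover) and a third certificate issued for a freshly generated key.
setup_demo() {
  d=$1
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key1.pem" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key2.pem" 2>/dev/null
  for pair in "key1:cert_old" "key1:cert_samekey" "key2:cert_newkey"; do
    k=${pair%%:*}; c=${pair#*:}
    openssl req -new -x509 -key "$d/$k.pem" -subj "/CN=domino.example.com" \
      -days 47 -out "$d/$c.pem" 2>/dev/null
  done
}

# Report on one renewal: pass the previous and the renewed certificate file.
report() {
  if key_rolled "$1" "$2"; then
    echo "OK: $2 uses a new key"
  else
    echo "WARNING: $2 reuses the private key of $1"
  fi
}

DEMO=$(mktemp -d)
setup_demo "$DEMO"
report "$DEMO/cert_old.pem" "$DEMO/cert_samekey.pem"   # prints WARNING
report "$DEMO/cert_old.pem" "$DEMO/cert_newkey.pem"    # prints OK
```

On a real server, run `report` against the certificate you had before the renewal and the one that came back; a WARNING means the automation only rolled the certificate, not the key.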


Here is a longer document I wrote up for one of the projects with additional details:


https://github.com/nashcom/srvguard/blob/main/docs/certificate-lifetime-reduction.md

This initiative started last week. The timing is not a coincidence: it lines up with my Engage presentation and with the latest changes to certificate lifetimes.

When HCL introduced CertMgr in Domino 12.0, most of the features we have today were already present.
Domino 12.0.1 added export / import, which can be helpful for automation.

CertMgr and certstore.nsf are built on open standards, so importing certificates and keys and handling CSRs for an automated flow are straightforward to implement on the Domino CertMgr side.
The challenge is usually on the CA side. My previous post shows a straightforward HashiCorp configuration using ACME as the protocol.
But there are also other easy-to-use ways to integrate with modern CAs.


There is more to come, but I also want to keep some news for my conference session.
If you are curious what is coming, take a look at the referenced projects.


-- Daniel