Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

Dominno 12.0.1 Check TLS Certs are loaded into TLS Credential cache for a specific hostname

Daniel Nashed – 16 December 2021 23:53:37
There is a new function to show TLS Credentials, which is quite useful.
It's a small hidden gem that makes your life a bit easier if you have many TLS certs.

You can filer the output by the host name. The nice part of this functionality is that it takes into account wild card certificates.
The example below for "jupiter.csi-domino.com" matches 3 TLS credentials documents.

The host name option is documented in the server task help.
I just forgot about it and discovered it in a customer 12.0.1 feature update demo.


Note: I am using the key file tag to identify my TLS Credentials for export/import.
In most cases for SNI it is the best way to add the DNS name into the keyfile filed in the internet site.

A properly filled keyfile field is only required for the primary internet site.

- Either the site listing the IP address
- Or the default internet site for a server

All other internet sites map their TLS Credentials by DNS name in the hostname field and don't need a keyfile name specified.
In any case you should only use the keyfile name for mapping! Remove all kyr files from the server file-system once successfully imported into certstore.nsf to avoid expiered certs show up in future by surprise.

-- Daniel

-showCerts [host]              Show TLS Credentials configured for this server [Optionally specify a host name filter]
-showOCSP  [host]              Show OCSP status for certificates configured for this server [Optionally specify a host name filter]

lo certmgr -showcerts

Subject key identifier    Key info     Expiration   KeyFile/Tag            Host names (SANs)
------------------------------------------------------------------------------------------------------------------------------------------------------
30D8 7A17 9BA0 CA6E ...   RSA 4096      60,4 days   keyfile.kyr            *.nashcom.de nashcom.de
07BB 3F58 13D7 4322 ...   NIST P-256    60,4 days                          *.nashcom.de nashcom.de
4054 7282 65BC 23D5 ...   RSA 4096      36,5 days                          mail2.bücher.nashcom.de mail1.bücher.nashcom.de mailc.bücher.nashcom.de [+1]
C71F CF82 4508 E456 ...   RSA 4096      55,9 days   rsa_domino_lab_net     *.domino-lab.net
32BA 66E5 CC03 1E00 ...   NIST P-256    58,2 days                          *.csi-domino.com
CD47 55CF 76C3 E3CF ...   RSA 4096      58,3 days   wild-csi-rsa           *.csi-domino.com
19BB B3AA 5D90 7A6C ...   NIST P-256    63,6 days                          jupiter.csi-domino.com
FEE0 5F49 34F7 BEC0 ...   NIST P-256    61,0 days                          harbor.nashcom.de
18BF 5A97 1CD4 8CF0 ...   NIST P-256   144,9 days                          buypass.nashcom.de
B2B6 06E7 02A1 072A ...   NIST P-256    69,6 days   nashcom-org            *.nashcom.org nashcom.org
5080 A50A AF90 83F3 ...   NIST P-256    14,9 years                         cf.nashcom.org w3.nashcom.org
6F8B 693A 3679 86A8 ...   NIST P-256    60,7 days   client-ecdsa           client.domino-lab.net
634C C05E DC15 D18E ...   RSA 4096      74,6 days   client-rsa             client.domino-lab.net
C3FF 14A0 82AE 29B8 ...   RSA 4096      62,8 days   rsa-client-cert        rsa-client.domino-lab.net
8FB2 DFC5 BA2B FB26 ...   NIST P-256   345,7 days                          *.xyz.com *.bücher.com
1839 70A6 DF57 1E7D ...   NIST P-256    82,0 days                          *.nashcom.dedyn.io nashcom.dedyn.io
184E 7C29 4600 7E3C ...   NIST P-256    82,5 days                          *.domino.dedyn.io domino.dedyn.io
------------------------------------------------------------------------------------------------------------------------------------------------------
17 TLS Credentials


lo certmgr -showcerts jupiter.csi-domino.com

Subject key identifier    Key info     Expiration   KeyFile/Tag            Host names (SANs)
------------------------------------------------------------------------------------------------------------------------------------------------------
32BA 66E5 CC03 1E00 ...   NIST P-256    58,2 days                          *.csi-domino.com
CD47 55CF 76C3 E3CF ...   RSA 4096      58,3 days   wild-csi-rsa           *.csi-domino.com
19BB B3AA 5D90 7A6C ...   NIST P-256    63,6 days                          jupiter.csi-domino.com
------------------------------------------------------------------------------------------------------------------------------------------------------
3 TLS Credentials

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]