Domino 12.0.1 Check TLS Certs are loaded into TLS Credential cache for a specific hostname
Daniel Nashed – 16 December 2021 23:53:37
There is a new function to show TLS Credentials, which is quite useful. It's a small hidden gem that makes your life a bit easier if you have many TLS certs.
You can filter the output by host name. The nice part of this functionality is that it takes wildcard certificates into account.
The example below for "jupiter.csi-domino.com" matches 3 TLS credentials documents.
The host name option is documented in the server task help.
I just forgot about it and discovered it in a customer 12.0.1 feature update demo.
Note: I am using the key file tag to identify my TLS Credentials for export/import.
In most cases for SNI it is the best way to add the DNS name into the keyfile field of the internet site.
A properly filled keyfile field is only required for the primary internet site.
- Either the site listing the IP address
- Or the default internet site for a server
All other internet sites map their TLS Credentials by DNS name in the hostname field and don't need a keyfile name specified.
In any case you should only use the keyfile name for mapping! Remove all kyr files from the server file system once they have been successfully imported into certstore.nsf, so that expired certs don't show up by surprise in the future.
-- Daniel
-showCerts [host] Show TLS Credentials configured for this server [Optionally specify a host name filter]
-showOCSP [host] Show OCSP status for certificates configured for this server [Optionally specify a host name filter]
lo certmgr -showcerts
Subject key identifier    Key info     Expiration   KeyFile/Tag          Host names (SANs)
------------------------------------------------------------------------------------------------------------------------------------------------------
30D8 7A17 9BA0 CA6E ...   RSA 4096     60,4 days    keyfile.kyr          *.nashcom.de nashcom.de
07BB 3F58 13D7 4322 ...   NIST P-256   60,4 days                         *.nashcom.de nashcom.de
4054 7282 65BC 23D5 ...   RSA 4096     36,5 days                         mail2.bücher.nashcom.de mail1.bücher.nashcom.de mailc.bücher.nashcom.de [+1]
C71F CF82 4508 E456 ...   RSA 4096     55,9 days    rsa_domino_lab_net   *.domino-lab.net
32BA 66E5 CC03 1E00 ...   NIST P-256   58,2 days                         *.csi-domino.com
CD47 55CF 76C3 E3CF ...   RSA 4096     58,3 days    wild-csi-rsa         *.csi-domino.com
19BB B3AA 5D90 7A6C ...   NIST P-256   63,6 days                         jupiter.csi-domino.com
FEE0 5F49 34F7 BEC0 ...   NIST P-256   61,0 days                         harbor.nashcom.de
18BF 5A97 1CD4 8CF0 ...   NIST P-256   144,9 days                        buypass.nashcom.de
B2B6 06E7 02A1 072A ...   NIST P-256   69,6 days    nashcom-org          *.nashcom.org nashcom.org
5080 A50A AF90 83F3 ...   NIST P-256   14,9 years                        cf.nashcom.org w3.nashcom.org
6F8B 693A 3679 86A8 ...   NIST P-256   60,7 days    client-ecdsa         client.domino-lab.net
634C C05E DC15 D18E ...   RSA 4096     74,6 days    client-rsa           client.domino-lab.net
C3FF 14A0 82AE 29B8 ...   RSA 4096     62,8 days    rsa-client-cert      rsa-client.domino-lab.net
8FB2 DFC5 BA2B FB26 ...   NIST P-256   345,7 days                        *.xyz.com *.bücher.com
1839 70A6 DF57 1E7D ...   NIST P-256   82,0 days                         *.nashcom.dedyn.io nashcom.dedyn.io
184E 7C29 4600 7E3C ...   NIST P-256   82,5 days                         *.domino.dedyn.io domino.dedyn.io
------------------------------------------------------------------------------------------------------------------------------------------------------
17 TLS Credentials
lo certmgr -showcerts jupiter.csi-domino.com
Subject key identifier    Key info     Expiration   KeyFile/Tag          Host names (SANs)
------------------------------------------------------------------------------------------------------------------------------------------------------
32BA 66E5 CC03 1E00 ...   NIST P-256   58,2 days                         *.csi-domino.com
CD47 55CF 76C3 E3CF ...   RSA 4096     58,3 days    wild-csi-rsa         *.csi-domino.com
19BB B3AA 5D90 7A6C ...   NIST P-256   63,6 days                         jupiter.csi-domino.com
------------------------------------------------------------------------------------------------------------------------------------------------------
3 TLS Credentials
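As an added example (not HCL code and not from this post), the Python script below reproduces what the host name filter does with a listing like the one above: it parses the -showcerts table, applies the usual wildcard rule (the star covers exactly one left-most label, so *.csi-domino.com covers jupiter.csi-domino.com but neither csi-domino.com nor a.b.csi-domino.com), and additionally flags credentials whose remaining lifetime is below a threshold, which is the check an admin would want to run before a cert silently expires. The sample listing is constructed from a subset of the rows above and re-aligned; the column offsets are taken from the header line, which is an assumption about the console format, and the 60-day threshold is a constructed value.

```python
"""Filter Domino "certmgr -showcerts" style output by host name, honouring
wildcard SANs, and flag credentials near expiry.

Added example, not HCL's or the post author's code. The parser locates the
columns from the header line (assumption about the console format).
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the rows shown in the post, re-aligned.
SAMPLE_OUTPUT = """\
Subject key identifier    Key info     Expiration   KeyFile/Tag          Host names (SANs)
------------------------------------------------------------------------------------------
32BA 66E5 CC03 1E00 ...   NIST P-256   58,2 days                         *.csi-domino.com
CD47 55CF 76C3 E3CF ...   RSA 4096     58,3 days    wild-csi-rsa         *.csi-domino.com
19BB B3AA 5D90 7A6C ...   NIST P-256   63,6 days                         jupiter.csi-domino.com
FEE0 5F49 34F7 BEC0 ...   NIST P-256   61,0 days                         harbor.nashcom.de
5080 A50A AF90 83F3 ...   NIST P-256   14,9 years                        cf.nashcom.org w3.nashcom.org
B2B6 06E7 02A1 072A ...   NIST P-256   69,6 days    nashcom-org          *.nashcom.org nashcom.org
------------------------------------------------------------------------------------------
6 TLS Credentials
"""

COLUMNS = ["Subject key identifier", "Key info", "Expiration", "KeyFile/Tag", "Host names"]


@dataclass
class TlsCredential:
    ski: str                 # subject key identifier prefix as printed
    key_info: str            # e.g. "RSA 4096" or "NIST P-256"
    expires_in_days: float   # remaining lifetime normalised to days
    keyfile_tag: str         # empty when the credential has no keyfile/tag
    hostnames: List[str]     # SAN entries, wildcards included


def parse_expiration(text: str) -> float:
    """Convert '58,2 days' or '14,9 years' (decimal comma as printed) to days."""
    m = re.fullmatch(r"(\d+(?:[.,]\d+)?)\s+(days?|years?)", text)
    if not m:
        raise ValueError(f"unrecognised expiration: {text!r}")
    value = float(m.group(1).replace(",", "."))
    return value * 365 if m.group(2).startswith("year") else value


def parse_showcerts(text: str) -> List[TlsCredential]:
    """Parse the listing by slicing each row at the header's column offsets."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = next(line for line in lines if all(c in line for c in COLUMNS))
    starts = [header.index(c) for c in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))
    creds = []
    for line in lines[lines.index(header) + 1:]:
        if line.startswith("-") or line.strip().endswith("TLS Credentials"):
            continue  # separator rules and the trailing count line
        ski, key_info, expiration, tag, hosts = (line[a:b].strip() for a, b in bounds)
        creds.append(TlsCredential(ski, key_info, parse_expiration(expiration), tag, hosts.split()))
    return creds


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: '*' is only accepted as the whole left-most label and
    matches exactly one label, so *.example.com covers a.example.com but
    neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]            # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def filter_by_host(creds: List[TlsCredential], host: str) -> List[TlsCredential]:
    """Equivalent of 'certmgr -showcerts <host>': every credential with a SAN covering host."""
    return [c for c in creds if any(hostname_matches(san, host) for san in c.hostnames)]


def expiring_within(creds: List[TlsCredential], days: float) -> List[TlsCredential]:
    """Credentials whose remaining lifetime is below the given number of days."""
    return [c for c in creds if c.expires_in_days < days]


if __name__ == "__main__":
    creds = parse_showcerts(SAMPLE_OUTPUT)
    for c in filter_by_host(creds, "jupiter.csi-domino.com"):
        print(f"{c.ski}  {c.key_info:<10}  {c.keyfile_tag or '-':<12}  {' '.join(c.hostnames)}")
    for c in expiring_within(creds, 60):   # 60-day threshold is a constructed value
        print(f"expires in {c.expires_in_days:.1f} days: {c.ski}")
```

Run stand-alone it lists the same three credentials the server shows for jupiter.csi-domino.com, then the two that fall under the 60-day threshold. Feeding it the real console output only requires pasting that listing into SAMPLE_OUTPUT, provided the header labels still sit above their columns.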