Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

Domino 12.0.1 One-Touch setup supports MicroCA and import existing certs

Daniel Nashed – 29 December 2021 15:35:50

Did you notice already that the One-Touch setup supports importing TLS Credentials for a first server setup?

You can pass a *.kyr file, a PKCS#12 (*.p12, *.pfx) or *.pem file.
The files can even have a password and you can mark the resulting TLS Credentials file for export with a new password!

So the full import functionality added in Domino 12.0.1 CertMgr UI is exposed in One-Touch setup for ENV variable and JSON formatted setup!

Below you find some easy examples. Refer to the documentation for a full list of parameters --> https://help.hcltechsw.com/domino/12.0.0/admin/inst_onetouch.html

To create a new MicroCA for your first server setup, only one parameter is required.
All other options have reasonable defaults. For example CA name is derived from you organization name.

Create a new MicroCA

SERVERSETUP_SECURITY_TLSSETUP_METHOD=dominoMicroCA

The shortest configuration for importing a PEM file instead are the follwing two settings.

Import an existing TLS certificate

SERVERSETUP_SECURITY_TLSSETUP_METHOD=import
SERVERSETUP_SECURITY_TLSSETUP_IMPORTFILEPATH=harbor.pem

That's a pretty slick way to configure a TLS Credentials entry for your first server.
The first server automatically creates the Domain wide certstore.nsf and assigns the first server as the CertMgr server.

For additional server the CertMgr can be used to create TLS Credentials.

Enabling the new TLS Cache on an additional server just requires loading the certmgr task to automatically pull a certstore.nsf replica.
Once the certstore.nsf database is present all internet processes will automatically use the new TLS Cache.


The One-Touch Certfificate Store integration was the missing logical link for automated setup.

-- Daniel


JSON configuration example

The same functionality is also available via Environment variables


   "security": {
    "ACL": {
      "prohibitAnonymousAccess": true,
      "addLocalDomainAdmins": true
    },
    "TLSSetup": {
      "method": "import",
      "retainImportFile": true,
      "importFilePath": "wildcard_nashcom_org.pem",
      "exportPassword": "Super42Secret007Password4KeyFile"
    }
  }

----------------------

    "security": {
    "ACL": {
      "prohibitAnonymousAccess": true,
      "addLocalDomainAdmins": true
    },
    "TLSSetup": {
      "method": "dominoMicroCA",
      "CADisplayName": "Demo CA",
      "CAOrgName": "NotesLab",
      "CAKeyType": "ECDSA",
      "CAExpirationDays": 1096,
      "orgName": "NotesLab",
      "TLSKeyType": "RSA2048",
      "certExpirationDays": 120
    }
  }

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]