Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Domino 12.0.1 One-Touch setup supports MicroCA and import existing certs

Daniel Nashed  29 December 2021 15:35:50

Did you notice already that the One-Touch setup supports importing TLS Credentials for a first server setup?

You can pass a *.kyr file, a PKCS#12 (*.p12, *.pfx) or *.pem file.
The files can even have a password and you can mark the resulting TLS Credentials file for export with a new password!

So the full import functionality added in Domino 12.0.1 CertMgr UI is exposed in One-Touch setup for ENV variable and JSON formatted setup!

Below you find some easy examples. Refer to the documentation for a full list of parameters -->

To create a new MicroCA for your first server setup, only one parameter is required.
All other options have reasonable defaults. For example CA name is derived from you organization name.

Create a new MicroCA


The shortest configuration for importing a PEM file instead are the follwing two settings.

Import an existing TLS certificate


That's a pretty slick way to configure a TLS Credentials entry for your first server.
The first server automatically creates the Domain wide certstore.nsf and assigns the first server as the CertMgr server.

For additional server the CertMgr can be used to create TLS Credentials.

Enabling the new TLS Cache on an additional server just requires loading the certmgr task to automatically pull a certstore.nsf replica.
Once the certstore.nsf database is present all internet processes will automatically use the new TLS Cache.

The One-Touch Certfificate Store integration was the missing logical link for automated setup.

-- Daniel

JSON configuration example

The same functionality is also available via Environment variables

   "security": {
    "ACL": {
      "prohibitAnonymousAccess": true,
      "addLocalDomainAdmins": true
    "TLSSetup": {
      "method": "import",
      "retainImportFile": true,
      "importFilePath": "wildcard_nashcom_org.pem",
      "exportPassword": "Super42Secret007Password4KeyFile"


    "security": {
    "ACL": {
      "prohibitAnonymousAccess": true,
      "addLocalDomainAdmins": true
    "TLSSetup": {
      "method": "dominoMicroCA",
      "CADisplayName": "Demo CA",
      "CAOrgName": "NotesLab",
      "CAKeyType": "ECDSA",
      "CAExpirationDays": 1096,
      "orgName": "NotesLab",
      "TLSKeyType": "RSA2048",
      "certExpirationDays": 120

No Comments Found



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]