Domino adding Trusted Roots for Java applications
Daniel Nashed – 11 February 2024 11:43:51
Domino stores trusted roots in different places, depending on which part of the server makes the connection.
Beginning with Domino 12.0.2, HCL started to consolidate root certificates into the new domain-wide certstore.nsf.
But it will take some time until all parts of Domino use the new trusted roots back-end.
New callers like OIDC, CScan/ICAP and the certificate URL health check already use the new back-end, including UI integration.
JVM trusted roots cacerts overwritten by Domino update
Java still uses its own cacerts file, which is part of the JVM directory (jvm/lib/security/cacerts). The file is only writable by admin/root.
Domino release installers replace the cacerts file with the latest cacerts shipped with the JVM.
But this overwrites custom certificates imported into cacerts, so they are gone after the update.
This is a common problem I ran into twice in the last two weeks.
There is a technote describing how to import trusted roots.
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0035853
Listing trusted roots in JVM cacerts
But sometimes you also need to check which root certificates the current cacerts file contains.
The following command dumps all entries with some basic information (alias name, creation date, entry type) and the certificate itself in PEM format.
The option is quite hidden, and the name -rfc (output in RFC style, i.e. PEM) isn't really self-explanatory. changeit is the default password of the JVM cacerts store; use your own if you changed it.
d:\domino\jvm\bin\keytool.exe -list -rfc -storepass changeit -keystore d:\domino\jvm\lib\security\cacerts
This can be quite helpful for troubleshooting, and also to build your own trust store containing only the trusted roots you want to include.
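As an added example (not code from the original post or from HCL), here is a small POSIX shell script for the Linux side of the problem described above: dump cacerts with keytool -list -rfc before and after a Domino update, compare the two alias lists to find the custom roots the installer dropped, cut their PEM blocks out of the old dump and re-import them with keytool -importcert. The JVM path /opt/hcl/domino/notes/latest/linux/jvm, the default password changeit and the two sample dumps embedded in the script are assumptions; the keytool options used are standard keytool options.

```shell
#!/bin/sh
# Added example, not code from the original post or from HCL: after a Domino
# update, find the custom trusted roots the installer dropped from the JVM
# cacerts and re-import them from a dump taken before the update.
# Assumed (adjust to your server): Linux install, JVM under $DOMINO_JVM,
# default keystore password "changeit".
set -e

DOMINO_JVM="${DOMINO_JVM:-/opt/hcl/domino/notes/latest/linux/jvm}"
CACERTS="${CACERTS:-$DOMINO_JVM/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Dump a keystore in keytool's -rfc form (alias metadata followed by the
# certificate in PEM). Run it before and after the update and keep both dumps.
dump_cacerts() {
    "$DOMINO_JVM/bin/keytool" -list -rfc -storepass "$STOREPASS" -keystore "${1:-$CACERTS}"
}

# Alias names from a -rfc dump on stdin, sorted in the C locale for comm(1).
aliases_from_dump() {
    awk '/^Alias name: / { print substr($0, 13) }' | LC_ALL=C sort
}

# Aliases present in the old list $1 but missing from the new list $2.
lost_aliases() {
    LC_ALL=C comm -23 "$1" "$2"
}

# The PEM block belonging to alias $1, taken from a -rfc dump on stdin.
pem_for_alias() {
    awk -v a="$1" '
        /^Alias name: /                 { cur = substr($0, 13) }
        /^-----BEGIN CERTIFICATE-----$/ { if (cur == a) p = 1 }
        p                               { print }
        /^-----END CERTIFICATE-----$/   { p = 0 }
    '
}

# Re-import one PEM file under its old alias. -trustcacerts/-noprompt skip the
# interactive "Trust this certificate?" question. Only re-import roots you
# recognise as your own: the JDK also renames or retires bundled roots.
reimport_root() {
    "$DOMINO_JVM/bin/keytool" -importcert -noprompt -trustcacerts \
        -alias "$1" -file "$2" -storepass "$STOREPASS" -keystore "$CACERTS"
}

# Constructed sample dumps in the -list -rfc layout so the parsing steps run
# without keytool. The base64 bodies are placeholders, not real certificates.
sample_dump_before() {
cat <<'EOF'
Keystore type: PKCS12

Alias name: corp-root-ca
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----
MIIBCORPROOTPLACEHOLDER
-----END CERTIFICATE-----

Alias name: vendor-root
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----
MIIBVENDORROOTPLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# After the update the installer's cacerts only contains the bundled root again.
sample_dump_after() {
cat <<'EOF'
Keystore type: PKCS12

Alias name: vendor-root
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----
MIIBVENDORROOTPLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Offline run on the samples. On a real server replace the sample_dump_*
# calls with dump_cacerts and uncomment reimport_root.
WORK=$(mktemp -d)
sample_dump_before > "$WORK/before.txt"
sample_dump_after  > "$WORK/after.txt"
aliases_from_dump < "$WORK/before.txt" > "$WORK/before.lst"
aliases_from_dump < "$WORK/after.txt"  > "$WORK/after.lst"
lost_aliases "$WORK/before.lst" "$WORK/after.lst" | while read -r name; do
    echo "dropped by the update: $name"
    pem_for_alias "$name" < "$WORK/before.txt" > "$WORK/$name.pem"
    # reimport_root "$name" "$WORK/$name.pem"
done
rm -rf "$WORK"
```

The alias comparison only tells you what disappeared, not why: besides your own imports, a bundled root can vanish because the JDK renamed or retired it, so look at the lost list before re-importing anything. Take the "before" dump ahead of every Domino update; once the installer has replaced cacerts, the old entries are gone.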
I hope in future the Domino JVM will introduce easier trusted root management.
For now I am thinking about adding a Domino container build option to add custom cacerts directly to the container build to avoid mapping them via a volume mount into a container.