Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Domino V12 using CertMgr for certificates used outside Domino

Daniel Nashed  3 May 2021 10:03:08

Domino V12 introduces the new CertMgr as most of you already know.

The focus was to implement all functionality that is needed inside Domino and to secure the private keys.

There is currently no way to export private keys. They are generated and encrypted for the CertMgr server and all servers which are selected to have access.

Exporting the keys also would help you to use the kyrtool to create kyr files for older servers.

You would just need to "
kyrtool import all -k keyfile.kyr -i all.pem".

What works today

So you can't export keys today. But you can import keys and this can help you to use the certificates and keys outside Domino.

Generating keys by CertMgr would be more comfortable. But you only have to create each key once.

All the certificate operations can be automated today -- including picking up the certificate and chain.

Step by Step

The -importpem functionality expects at least a key and a leaf certs.

So we create a dummy self signed cert for the key.

1. Create a private key and create a self singed

openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -days 365 -out cert.pem

cat key.pem > all.pem

cat cert.pem >> all.pem

2. Import kyr into certstore.nsf

load certmgr -importpem all.pem

3. Use CertMgr to get a certificate

Now that you have the key imported and a dummy certificate, you can request a certificate the standard CertMgr way.

(note: the CN is currently not added to the document as a host name  -- fixed in GA -> today only SANs are added to the hostname).

Make sure your CertMgr server is listed in "Servers with access" so that the new certificate is automatically used.

4. Pickup the certificate chain

a.) You can copy the certificate chain from the TLS Credentials document.

b.) And you can even use an automated way leveraging CertMgr to pick up the certificate and chain.

If SNI is enabled, you could even pickup the cert, if the CertMgr server doesn't have DNS entry for this certificate.

The following command line can be used to get the full cert chain over HTTPS.

Private key that you already have + certificate chain will perfectly work on NGINX and can converted to P12 for ST.

openssl s_client -servername -showcerts -connect < /dev/null > /dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > chain.txt

The cool part is that as long the key stays the same, you can renew just use step 4 to pick up the changed cert  ;-)

So once you have copied the key you created to the remote machine, the certificate rollout and update can e automated..

I have my own OpenSSL based command-line tool written in C to do all kind of certificate operations (more my internal use Nash!Com tool for testing etc).

But this can be done also via shell script invoking openssl command-line as shown above.

-- Daniel



    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]