Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Importing trusted MicroCA Roots for a Nomad Lab environment

Daniel Nashed – 25 May 2023 07:27:30

Yesterday I worked on a lab configuration based on Windows Sandbox, Domino and Nomad Web.
The biggest challenge is to have a trusted certificate for Nomad Web.

Nomad Server running with the Micro CA

A Nomad Server can use Domino CertMgr Micro CA Certs. But the root is not trusted in your browser.

I took a closer look and came up with a simple solution. which makes the import dramatically easier.

No more searching for the right trust store and handling PEM files manually.

Programmatically importing the Micro CA root

The first command downloads the certificate chain for your Nomad server into a PEM file.
It's using the keytool from Java, which you have already installed, when installing Domino.
The Windows Sandbox does not have the OpenSSL command line installed by default.

The loop below extracts the root certificate from the chain, because the tool to import the root can only handle a single certificate a a time.

And finally the third command imports the MicroCA trusted root into the "root" key Store.

Microsoft Edge and also Google Chrome can immediately use it.

This will be a component in other scripts you see in future. And this might be also useful for your own deployments.

-- Daniel

c:\domino\bin\jvm\bin\keytool.exe -printcert -rfc -sslserver > cert.pem

for /f "tokens=*" %%a in (cert.pem) do (
  if "%%a" == "-----BEGIN CERTIFICATE-----" echo > root.pem
  echo %%a >> root.pem
certutil.exe -addstore -f root root.pem



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]