Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Introducing a Lab CA for testing

Daniel Nashed  29 December 2021 14:13:22

Image:Introducing a Lab CA for testing

Domino 12.0.1 CertMgr provides a MicroCA for testing. You can create any type of TLS web server certificate for any name.
The only restriction is that the private key cannot be exported and is recreated every time you renew the certificate.
It's designed as a very easy to use, simple small CA. But this is already pretty cool for internal test environments. You can even deploy the trusted root into your browsers.

A while ago I wrote a small CA as part of my nshcertool. It comes with a TLS enabled listener which can verify client certs.
I can run the CA as a free service on one of my servers just for test purposes. This would be helpful to play with the manual certificate request flow in CertMgr.

For the planned CertMgr & certificates workshop, I just wrote a small pre-delivery agent as an e-mail responder building an e-mail interface to the CA.
Sending a mail to a certain e-mail address with a certain subject and a CSR in the body will just reply with a certificate and intermediate CA cert.

This CA currently intended for lab use. So there is no verification for the requested certificate -- even I already query IP addresses, DNS names and client certs.
But it can be very helpful to understand certificate operations with CertMgr and provide exportable TLS certificates.

Would it make sense to provide this as a free service for the community for testing purposes?
This is even easier to handle than a HashiCrop CA ..

If I implemented it, would be an e-mail requester be sufficient?
Or would a REST based service be more helpful?

-- Daniel

No Comments Found



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]