SPR #DNADDMUMFD: Certstore import fails with certificates with email or IP SANs
Daniel Nashed – 25 January 2026 16:22:46
Domino CertMgr only leverages DNS SAN attributes when generating CSRs in manual flow and for ACME (Let's Encrypt & Co).
But an imported certificate can have different types of SANs (Subject Alternative Names).
- The email attribute isn't intended for web servers and causes certstore.nsf to show an error in the UI because an e-mail address is not a proper DNS name.
- IP addresses could be used for web servers in general. But Domino does not leverage IP SANs.
The parsing of IP addresses currently fails, which causes "garbage" to be added to the host name field and sets the status of the certificate to invalid.
Christian pinged me about this issue and reported he was able to manually change the host name field and to change the status of the TLS credentials document to make it load.
I would generally not use e-mail addresses for SANs for web servers (they can still be part of the CN).
For now, also avoid IP addresses until the SPR is fixed.
The issue wasn't customer reported until this week (thanks Christian).
I found it a while ago and it got fixed in 14.5.1 (planned to ship 2026/3).
The fix will only read DNS SANs for imported certificates (see blue text in example below).
The certificate itself stays unchanged and works as it is.
openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:2d:87:c4:a2:ea:a8:e5:df:69:13:16:5d:86:89:f0:7a:9b:b0:37
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = example.com
        Validity
            Not Before: Jan 25 15:40:55 2026 GMT
            Not After : Apr 29 15:40:55 2028 GMT
        Subject: CN = example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:c7:45:2b:81:97:aa:93:1f:eb:03:c5:86:07:5e:
                    27:65:a5:0f:72:f8:30:7a:b2:8b:91:ea:f2:7f:9d:
                    02:be:fe:6e:dd:f2:a6:13:fe:42:f9:b5:7a:5a:b2:
                    e5:34:c0:64:e7:b9:0d:64:9d:34:38:2e:b2:2e:69:
                    8a:0a:e7:ce:6c
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                43:E9:3E:38:65:B4:8A:C9:82:FB:CB:FA:34:0C:75:36:C4:E0:AE:02
            X509v3 Authority Key Identifier:
                43:E9:3E:38:65:B4:8A:C9:82:FB:CB:FA:34:0C:75:36:C4:E0:AE:02
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, IP Address:192.168.1.10, email:admin@example.com
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:20:04:9c:63:f0:ce:b5:5f:ae:15:b9:8f:34:6b:35:
        63:f2:e6:34:08:76:4f:3c:44:61:b0:ee:60:9d:2e:5b:e4:5f:
        02:21:00:d3:a6:04:ee:90:df:cc:75:ba:5a:84:24:6d:53:70:
        ba:ab:81:a5:cc:de:5c:0c:43:31:71:df:a7:5b:d6:cd:1e
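
A pre-import check along these lines, as an added example that is not from the original post or from the Domino code: it reads `openssl x509 -text -noout` output like the one above and separates the DNS SANs from the other SAN types that trigger the import problem. The function names are assumptions made for this example, and the simple comma split does not handle DirName SANs.

```python
import re

# SAN section copied from the openssl output shown in this post.
SAMPLE = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, IP Address:192.168.1.10, email:admin@example.com
"""

SAN_HEADER = re.compile(r"X509v3 Subject Alternative Name:\s*(critical)?\s*$")


def parse_sans(openssl_text):
    """Return [(type, value), ...] from `openssl x509 -text -noout` output."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if SAN_HEADER.search(line):
            entries = []
            for item in lines[i + 1].split(", "):
                # Split on the first colon only, so IPv6 addresses stay intact.
                kind, sep, value = item.strip().partition(":")
                if sep:
                    entries.append((kind, value))
            return entries
    return []  # no SAN extension present


def precheck(openssl_text):
    """Separate DNS SANs from SAN types that hit the import issue."""
    result = {"dns": [], "other": []}
    for kind, value in parse_sans(openssl_text):
        if kind == "DNS":
            result["dns"].append(value)
        else:
            result["other"].append((kind, value))
    return result


if __name__ == "__main__":
    report = precheck(SAMPLE)
    print("DNS SANs:", ", ".join(report["dns"]))
    for kind, value in report["other"]:
        print(f"Non-DNS SAN, avoid until the fix: {kind}:{value}")
```
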