With the stunning increase in security breaches and ongoing changes to regulations, Domino continues to provide a rock-solid, extremely secure platform to power your business. Today, I’m excited to share that with v12 we have a more secure and straightforward way to implement TLS on a Domino server using Let’s Encrypt.

Before getting into that, here’s a brief background about Let’s Encrypt. Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world’s largest certificate authority, used by millions of websites. 

To serve a website securely, HTTPS must be enabled on the server, and enabling HTTPS requires a certificate from a certificate authority (CA). Let’s Encrypt is one such CA, and it issues certificates using current, strong cryptography at zero cost.

Prior to Domino v12, the OpenSSL and kyrtool tools were used to enable HTTPS for web mail. With the latest version, the certmgr task does the same job without creating any .kyr files.

With Domino v12, the certstore.nsf database is used to request and generate TLS certificates through Let’s Encrypt. You can also import existing certificates into the database to manage them there.

The main requirements are a Domino v12 server and a valid DNS A record for the host name that is resolvable from the internet. The certstore.nsf database, created on the admin server with the certmgr task running on that same server, acts as the ACME client that interacts with Let’s Encrypt to obtain the certificate. Let’s Encrypt verifies control of the requested domain name by issuing one or more sets of challenges before it issues the certificate.

From the Domino side, we must make sure that the DNS name resolves and the port is reachable from the open internet so that the challenges can be performed.
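To make concrete what “perform the challenges” means, here is an added Python model of the exchange, not code from the page, from HCL, or from the Domino certmgr task. It assumes the HTTP-01 challenge type (which is what the port 80 requirement implies): the CA hands the client a token, the client publishes the token joined to a thumbprint of its ACME account key under /.well-known/acme-challenge/, and the CA fetches that URL over plain HTTP. The account key, token and host name are constructed sample values, and an in-memory dictionary stands in for the web server on port 80.

```python
"""Model of the ACME HTTP-01 challenge that a CA runs when a client such as
certmgr submits a certificate request. Added illustration; the account key,
token and host name below are constructed sample values, not real ones."""
import base64
import hashlib
import json
from typing import Callable, Dict

ACME_CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: hash only the required members, lexicographically
    ordered with no whitespace, so optional members and dict order do not matter."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """The value the CA expects to find at the challenge URL (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(fetch: Callable[[str], str], host: str, token: str,
                    account_jwk: Dict[str, str]) -> bool:
    """What the CA does: GET the challenge URL over plain HTTP (port 80) and compare
    the body with the key authorization. Any network failure (closed port, name not
    resolving on the public internet) counts as a failed challenge."""
    url = f"http://{host}{ACME_CHALLENGE_PATH}{token}"
    try:
        body = fetch(url)
    except OSError:
        return False
    return body.strip() == key_authorization(token, account_jwk)


# --- constructed sample data (not a real key, token or host) ---
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256), "use": "sig"}
SAMPLE_TOKEN = b64url(b"constructed-token-bytes")
SAMPLE_HOST = "mail.example.com"


def make_fetcher(served: Dict[str, str], port80_open: bool = True) -> Callable[[str], str]:
    """In-memory stand-in for the web server answering on port 80 (hypothetical)."""
    def fetch(url: str) -> str:
        if not port80_open:
            raise ConnectionRefusedError("port 80 not reachable from the internet")
        path = url.split(SAMPLE_HOST, 1)[1]
        return served.get(path, "")  # unknown path behaves like a 404: empty body
    return fetch


def demo() -> Dict[str, bool]:
    """The three cases a practitioner meets: correct response, a stale token left
    over from an earlier request, and port 80 blocked by a firewall."""
    path = ACME_CHALLENGE_PATH + SAMPLE_TOKEN
    good = {path: key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)}
    stale = {path: key_authorization("old-token", SAMPLE_JWK)}
    return {
        "correct_response": validate_http01(make_fetcher(good), SAMPLE_HOST, SAMPLE_TOKEN, SAMPLE_JWK),
        "stale_token": validate_http01(make_fetcher(stale), SAMPLE_HOST, SAMPLE_TOKEN, SAMPLE_JWK),
        "port_80_blocked": validate_http01(make_fetcher(good, port80_open=False),
                                           SAMPLE_HOST, SAMPLE_TOKEN, SAMPLE_JWK),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'failed'}")
```

The two failing cases are the ones that show up as a red status in certstore.nsf: the CA cannot reach port 80 at all, or it reaches the server but reads a response that does not match the token it issued. Because the thumbprint is bound to the ACME account key, a response published by anyone who does not hold that key is rejected even if they control the web server.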

Below is a tutorial on creating a new certificate using Let’s Encrypt.

Prerequisites:

  • Domino v12 or above.
  • A valid DNS A record for the host name.
  • Ports 80 and 443 open for inbound access from the internet.

First, you need to have a certificate store database (certstore.nsf) – it will be created by default, or you can create the same using certstore.ntf. Make sure that the certificate store (certstore.nsf) is created on the admin server. Open the certificate store and you will see the existing TLS certificate details as shown below.


To generate a new TLS certificate, navigate to the certstore.nsf and select “Add TLS Certificate.”

The window below opens, where you provide the details needed to create the certificate.


You must provide the host names the certificate should cover (usually your server’s host name).

In this example, the ACME account is set to “LetsEncryptStaging”, which uses Let’s Encrypt’s non-production server to perform the challenges.

You can choose either RSA or ECDSA as the key type, depending on your requirements, and fill in the remaining certificate attributes for your environment.


Once the required attributes are provided, you can submit the request.


After the request is submitted, the new certificate request appears in the database with a pending status, as shown below.


The certmgr task will initiate the request and perform the challenges with the Let’s Encrypt server. 


Once the challenges have been performed and completed, you will see the status below.


Because the staging account was used, you may receive a warning that the certificate is self-signed, as shown below.


Now repeat the process against the production ACME server: edit the document, change the ACME Account to “LetsEncryptProduction”, and submit the request.


The status changes as shown below, and certmgr is allowed to process the request.


Once the request has been processed, check its status in the database; it should be green.

If an error occurred or any challenge failed, the status is shown in red, and the error message is recorded in the request document.

The processed request appears as shown below, with the status Issued and Valid.


You can validate the certificate as shown below. 


By default, the certificates are valid for 3 months, and certmgr renews them automatically before they expire.

Here’s how they appear on Android and Apple mobile devices:


Leave us a comment if you would like to see more tutorials like these on our blogs!  
