With the stunning increase in security breaches and ongoing changes to regulations, Domino continues to provide a rock-solid, extremely secure platform to power your business. Today, I’m excited to share that with v12, we have a more secure and straight-forward way to implement TLS in Domino Server using “Let’s Encrypt.”  

Before getting into that, here’s a brief background about Let’s Encrypt. Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world’s largest certificate authority, used by millions of websites. 

To have a secured website, you need to have https enabled on the server. To enable https, we need a certificate from a certificate authority (CA). Let’s Encrypt is one such CA, which also uses advanced encryption techniques at zero cost. 

Prior to Domino v12, OpenSSL and kyrtool tools were used to enable HTTPS for webmail. With the latest version, the certmgr task is now used to perform the same without creating any kyr files. 

With Domino V12, the certstore.nsf database is used to create and generate TLS certificates using Let’s Encrypt. You can also import the certificates into the database to manage them. 

Main requirements include Domino v12 server and a valid DNS (A-record) which can be accessed by the internet. The certstore.nsf, created on the admin server with the certmgr task running on the admin server, will act as a web agent which interacts with the Lets Encrypt to generate the keys. Let’s Encrypt will verify the domain name that is requested and issue one or more sets of challenges to provide the certificate. 

From the Domino end, we must make sure that the DNS and port are accessible on the open internet to perform the challenges.

Below is a tutorial on creating a new certificate using Let’s Encrypt.

Prerequisite:

  • Domino V12 and above. 
  • a valid DNS nameA record 
  • Ports 80 and 443 should be open for access.

First, you need to have a certificate store database (certstore.nsf) – it will be created by default, or you can create the same using certstore.ntf. Make sure that the certificate store (certstore.nsf) is created on the admin server. Open the certificate store and you will see the existing TLS certificate details as shown below.

To generate a new TLS certificate, navigate to the certstore.nsf and select “Add TLS Certificate.”

You will be prompted with the window below where you will be providing the required details to create the certificate. 

You must provide the Host names (mostly your host server name). 

In this example, we set the ACME account as “LetsEncryptStaging”, a non-production server performing the challenges. 

You can either choose RSA or ECDSA based on your requirement. Based on your environment provide the certificate attributes.

Once the required attributes are provided, you can submit the request.

After the request is submitted, you can see the new certificate request in the database which is yet to be processed as shown below. 

The certmgr task will initiate the request and perform the challenges with the Let’s Encrypt server. 

If the challenges are performed and completed, you will see the status as below. 

Since you have used the staging account, you may receive a warning message as the certificate is self-signed as shown below. 

Now you need to perform the same on the production ACME server – edit the document and change the ACME Account to “LetsEncryptProduction” and submit the request.

You will see the status below and it should allow the certmgr to process the request. 

You can check the status in the database once the request is processed—the status should be green. 

If there is any error message or if any challenges failed, you will see the status as red. You can also verify the error message in the request. 

The processed request will be as shown below, where the status will be issued and valid as shown below. 

You can validate the certificate as shown below. 

By default, the certificates are valid for 3 months – and certmgr will automatically renew them before they expire. 

Here’s how they appear in Android and Apple mobile devices:  

Leave us a comment if you would like to see more tutorials like these on our blogs!  

Comment wrap
Further Reading
article-img
Digital Solutions | May 17, 2022
What Do My Kitchen, Bruce Willis, and Microsoft Power Platform Have in Common? (And Why You Need HCL Domino.)
About three weeks ago, my entire new and expensive kitchen went dark. I gave my wife a confident smile, said, "I got this," and went to the basement to flip a few breakers.
article-img
Digital Solutions | April 11, 2022
1-2-3: Free Your Apps with the New Releases of HCL Nomad
Not one, not two, but three new releases of HCL Nomad in just one week! This is a new track record delivered by our development teams op lease our customers.
article-img
Digital Solutions | February 17, 2022
How Domino v12 Improves an Administrator’s Life
As someone who has spent almost 28 years working around HCL Notes and Domino administration, my mind was blown with the number of new features that were delivered when v12 shipped in May of 2021. 
Close
Filters result by
Sort:
|