Close
Select Page

With the stunning increase in security breaches and ongoing changes to regulations, Domino continues to provide a rock-solid, extremely secure platform to power your business. Today, I’m excited to share that with v12, we have a more secure and straight-forward way to implement TLS in Domino Server using “Let’s Encrypt.”  

Before getting into that, here’s a brief background about Let’s Encrypt. Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world’s largest certificate authority, used by millions of websites. 

To have a secured website, you need to have https enabled on the server. To enable https, we need a certificate from a certificate authority (CA). Let’s Encrypt is one such CA, which also uses advanced encryption techniques at zero cost. 

Prior to Domino v12, OpenSSL and kyrtool tools were used to enable HTTPS for webmail. With the latest version, the certmgr task is now used to perform the same without creating any kyr files. 

With Domino V12, the certstore.nsf database is used to create and generate TLS certificates using Let’s Encrypt. You can also import the certificates into the database to manage them. 

Main requirements include Domino v12 server and a valid DNS (A-record) which can be accessed by the internet. The certstore.nsf, created on the admin server with the certmgr task running on the admin server, will act as a web agent which interacts with the Lets Encrypt to generate the keys. Let’s Encrypt will verify the domain name that is requested and issue one or more sets of challenges to provide the certificate. 

From the Domino end, we must make sure that the DNS and port are accessible on the open internet to perform the challenges.

Below is a tutorial on creating a new certificate using Let’s Encrypt.

Prerequisite:

  • Domino V12 and above. 
  • a valid DNS nameA record 
  • Ports 80 and 443 should be open for access.

First, you need to have a certificate store database (certstore.nsf) – it will be created by default, or you can create the same using certstore.ntf. Make sure that the certificate store (certstore.nsf) is created on the admin server. Open the certificate store and you will see the existing TLS certificate details as shown below.

How to Secure Domino Using Certmgr Task

To generate a new TLS certificate, navigate to the certstore.nsf and select “Add TLS Certificate.”

You will be prompted with the window below where you will be providing the required details to create the certificate. 

How to Secure Domino Using Certmgr Task

You must provide the Host names (mostly your host server name). 

In this example, we set the ACME account as “LetsEncryptStaging”, a non-production server performing the challenges. 

You can either choose RSA or ECDSA based on your requirement. Based on your environment provide the certificate attributes.

How to Secure Domino Using Certmgr Task

Once the required attributes are provided, you can submit the request.

How to Secure Domino Using Certmgr Task

After the request is submitted, you can see the new certificate request in the database which is yet to be processed as shown below. 

How to Secure Domino Using Certmgr Task

The certmgr task will initiate the request and perform the challenges with the Let’s Encrypt server. 

How to Secure Domino Using Certmgr Task

If the challenges are performed and completed, you will see the status as below. 

How to Secure Domino Using Certmgr Task

Since you have used the staging account, you may receive a warning message as the certificate is self-signed as shown below. 

How to Secure Domino Using Certmgr Task

Now you need to perform the same on the production ACME server – edit the document and change the ACME Account to “LetsEncryptProduction” and submit the request.

How to Secure Domino Using Certmgr Task

How to Secure Domino Using Certmgr Task

You will see the status below and it should allow the certmgr to process the request. 

How to Secure Domino Using Certmgr Task

How to Secure Domino Using Certmgr Task

You can check the status in the database once the request is processed—the status should be green. 

If there is any error message or if any challenges failed, you will see the status as red. You can also verify the error message in the request. 

The processed request will be as shown below, where the status will be issued and valid as shown below. 

How to Secure Domino Using Certmgr Task

You can validate the certificate as shown below. 

How to Secure Domino Using Certmgr Task

How to Secure Domino Using Certmgr Task

By default, the certificates are valid for 3 months – and certmgr will automatically renew them before they expire. 

Here’s how they appear in Android and Apple mobile devices:  

How to Secure Domino Using Certmgr TaskHow to Secure Domino Using Certmgr Task

Leave us a comment if you would like to see more tutorials like these on our blogs!  

Comment wrap

Start a Conversation with Us

We’re here to help you find the right solutions and support you in achieving your business goals.

  |  December 7, 2023
Unlocking Innovation - Explore the Power of HCL Domino v14
The latest milestone in collaboration technology is here! Stop in to see what HCL Domino v14 can bring to your digital transformation journey.
  |  July 28, 2023
HCL Domino v12 Associate Admin Certification is NOW AVAILABLE!
The HCLSoftware Certified Associate Administrator for Notes and Domino 12 should be able to demonstrate skills associated with planning, installing, and expanding the Domino Infrastructure.
  |  April 28, 2023
How to Continue Working From Anywhere - and Grow Your Business
Employees want the ability to work from anywhere — their mobile phone, their kitchen table, or the company’s physical office. Flexibility is now key for hiring and retaining talent.