You Are One Quarter Cup Of Coffee Away From SSL/TLS With Domino 12

    Robert Baehr  September 27 2021 04:56:59 AM

    My SSL/TLS Certificates were due to expire, so I thought - what the heck - let's try the new CertMgr feature of Domino 12.  I mean, what could possibly go wrong?

    Answer:  Nothing!  

    In case you haven't read about it yet, Domino 12 includes full integration with (and a lot of automation to) the Let's Encrypt free SSL/TLS certificate authority.  

    I decided to start off with a cup of coffee - a little cream - a dash of Splenda - and the Domino Administrator help database.

    After a quick NOTES.INI modification and server restart, I entered the CertMgr.nsf database on my server. After completing two simple forms and submitting my request, I was amazed that the SSL/TLS certificates that I requested were fully operational. I mean, I barely got to sip my coffee before the process was completed.

    No KYR - no STH files to deal with. No KYRTOOL and OpenSSL tools needed. No copy - no paste - no "retrieve certificate" needed.

    Thank you, HCL, for taking a cumbersome process and making it easy. It's the little things...

    Now, where's the rest of that hot coffee?

    Bob Baehr
    The Unofficial Poster Child for Notes and Domino.


    1 Daniel Nashed  9/27/2021 6:22:51 AM  You Are One Quarter Cup Of Coffee Away From SSL/TLS With Domino 12

    Great it worked for you out of the box! IMHO this isn't a "little thing".

    It has been a major shift from the old legacy on disk KYR file format to a modern UI in a domain wide database to maintain and distribute X.509 web server certs for all your servers.

    This also includes a very easy to use manual flow to create CSRs and also to import the returned certificates.

    The flow allows you to paste certificates in any order and also auto-completes chains if the trusted roots are in the database.

    With 12.0.1 there will be full export and import for PEM, PKCS12 and KYR (only import).

    And if you are looking for wildcard Let's Encrypt support, there is its own interface for DNS-01 challenge support via DNS TXT API integrations.

    It is complemented with a completely new TLS Cache which detects and reloads TLS credentials and allows the use of RSA/ECDSA keys with multiple SANs and also wildcard lookups.

    If you are looking for details check this blog post and presentation -->

    -- Daniel
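The comment above mentions credentials with multiple SANs and wildcard lookups. The following is an added example, not code from the post, from HCL or from Domino's TLS cache: it shows the standard hostname-to-subjectAltName matching rules (RFC 6125, the ones browsers enforce) that any such lookup has to apply, and a small stdlib-only check of what a live server actually presents after a renewal. The credential records in `SAMPLE_CERTS`, the function names and the `example.com` hostnames are constructed for the illustration; how Domino orders its own lookups is not stated on the page.

```python
"""Hostname-to-SAN matching with RFC 6125 wildcard rules, plus a live check.

Added illustration, not Domino or CertMgr code. It shows how a TLS endpoint
holding several certificates (each with one or more dNSName SAN entries,
some of them wildcards) would pick the one matching the requested server
name, and how to inspect what a live server presents after renewal.
"""
import ssl
import socket
from datetime import datetime, timezone


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName pattern matches hostname (case-insensitive).

    Wildcard rules as in RFC 6125 section 6.4.3:
    - only a complete left-most label may be '*' (no 'f*o.example.com');
    - '*' matches exactly one label, so '*.example.com' matches neither
      'example.com' nor 'a.b.example.com';
    - at least two labels must remain right of the '*' ('*.com' is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def select_certificate(hostname, certs):
    """Pick the credential whose SAN list covers hostname.

    certs: list of dicts {"name": str, "sans": [str, ...]} (constructed
    records standing in for a server's loaded credentials). An exact SAN
    match is preferred over a wildcard match; None when nothing matches.
    """
    wildcard_hit = None
    for cert in certs:
        for san in cert["sans"]:
            if san_matches(san, hostname):
                if "*" in san:
                    wildcard_hit = wildcard_hit or cert
                else:
                    return cert
    return wildcard_hit


# Constructed sample: two credentials as a TLS cache might hold them,
# one RSA cert with two explicit names and one ECDSA wildcard cert.
SAMPLE_CERTS = [
    {"name": "mail-rsa", "sans": ["mail.example.com", "webmail.example.com"]},
    {"name": "wildcard-ecdsa", "sans": ["*.example.com", "example.com"]},
]


def check_server_certificate(host, port=443, timeout=5.0):
    """Connect with SNI and report what the live server presents.

    Needs network access, so it is not exercised offline. The default
    context already verifies the chain against the system trust store; on
    top of that this returns the SAN list, the issuer CN, the days until
    expiry and whether the requested name is actually covered by a SAN.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName")
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - datetime.now(timezone.utc)).days
    covered = select_certificate(host, [{"name": host, "sans": sans}]) is not None
    return {"sans": sans, "issuer": issuer,
            "days_left": days_left, "hostname_covered": covered}


if __name__ == "__main__":
    for h in ["mail.example.com", "notes.example.com",
              "example.com", "a.b.example.com"]:
        hit = select_certificate(h, SAMPLE_CERTS)
        print(f"{h:18} -> {hit['name'] if hit else 'no match'}")
```

The offline part is the lookup itself; `check_server_certificate("your.domino.host")` is what you would run once after a renewal to confirm the new chain is the one being served and that `days_left` has actually moved, which is the quickest way to catch a cache that has not reloaded.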