This blog presents the Q&A from the June OpenNTF webinar on the new Domino V12 Certificate Manager. Again we thank Daniel for providing more detail on this interesting topic.
| Q |
Will Wildcard Domain Certs be supported? |
| A |
Yes. This was shown in the presentation on slide 23. |
| Q |
No wildcards with LetsEncrypt, right? |
| A |
Wild card certs are supported with DNS-01 challenges |
| Q |
Will other DNS providers be supported for * certs? EG GoDaddy would be great |
| A |
Wilcard certificates require DNS-01 challenges. This means you need DNS TXT record integration for your DNS provider. We have not looked into GoDaddy but a couple of others you find in the GitHub repo announced and referenced in the presentation. If your provided supports a REST interface, a new DNS provider configuration is very straightforward with HTTP integration. |
| Q |
Is certsvr automatically enabled in notes.ini after you upgrade? |
| A |
No. By design the admin has to load it on the server which should become the CertMgr server in the domain. And add it to the notes.ini or preferred as a startup program doc. |
| Q |
CertMgr database created by default when we build or upgrade server to V12? |
| A |
Certstore.nsf is a domain wide replica first created on the CertMgr server when the task is started the first time. On each additional server a replica is automatically created from the CertMgr server when the CertMgr servertask is started. |
| Q |
Must the cert mgr database be created by a command line action? Can I create one like a 'normal' Notes database? |
| A |
You should let CertMgr create the database, because only CertMgr can make it a Domain replica. Replicas on other servers can be created using standard replication. |
| Q |
What support is there for developers to make use of this new security configuration? |
| A |
Certificates are there for anyone to use on the Domino server. They will be automatically used and developers can leverage them for their server. The new certificate manager is an infrastructure component helping admins and developers to get certificates created much easier. |
| Q |
Does the new cert manager replace the need for OpenSSL? |
| A |
Private keys and CSRs are automatically created by CertMgr with both the ACME and manual flows. Importing certificates from external sources will use PEM formatted flows which are fully integrated as demoed. You might only need OpenSSL to convert from other formats to PEM today. PKCS12 (*.p12 / *.pfx) format including password support is high on the community wishlist for V12.0.1. |
| Q |
During the presentation you showed how you were able to display debug information on the console. Can you share what debug settings you used? |
| A |
Debug settings are all listed in the last part of the presentation which may be downloaded from the link on the OpenNTF Webinars page. |
| Q |
Are SAN certificates supported? |
| A |
Absolutely. Up to 20 SANs per certificate are officially supported. The TLS Cache provides the logic to find out the right certificate for you. *Note: this question was answered in during the webinar and contains much more detail regarding the background. You are encouraged to review the video. |
| Q |
Please confirm that an "AIX-only" or "System i-only" customer would need to spin up at least one Windows or Linux based Domino server in order to benefit from the new CertMgr functionality. |
| A |
Yes, CertMgr itself is only available on W64 and Linux64. But you can leverage certificates created with CertMgr on AIX and OS400. The TLS Cache is implemented on all platforms. Note that OS400 does not support ECDSA crypto. |
| Q |
So you need to paste in the server certificate after the trusted root has been added to certstore, i.e. the certstore app wouldn't go back and update the status of the existing TLS credentials document from yellow to green? |
| A |
Yes the current implementation has no way to go back and recheck the certificate chain. This looks like an enhancement idea for the AHA protal. |
| Q |
Can we delete .kyr files from disk , after it's loaded in the KYR cache? |
| A |
Yes. CertMgr does not delete kyr files automatically because it is your data. But once imported you should remove them from disk, because they are not having the same protection level introduced with cerstore.nsf. Note: you should keep a copy of the kyr files, because you can’t export private keys from cerstore.nsf as discussed in the webinar and explained in the slide deck. |
| Q |
How is a server instructed to use certstore instead of kyr? |
| A |
Once a cerstore.nsf is created on a server internet servertask will automatically use cerstore.nsf. they will need a one time restart. If kyr files are not uploaded to certstore.nsf they can be still served using the classic kyr file cache which remains enabled for compatibility reasons out of the box. The notes.ini parameter to disable the kyr cache is listed in the presentation slides. |
| Q |
So when I run certmgr the first time, my kyr is immediately disabled and my web site will be down until I can get certstore configured with LetsEncrypt? |
| A |
No. The old and the new cache are working at the same time. The new TLS Cache will be checked first if available. With a fallback to the old cache if no TLS Credentials entry matches and no default is configured. The old kyr cache has limited lookup functionality and does not support SAN lookup for example for wildcards. |
| Q |
Can kyr/sth files be be exported and placed on a pre v12 server? |
| A |
No export is currently implemented for security reasons as discussed in the webinar. |
| Q |
Not sure I understood a comment on the keyfile.kyr. Once kyr files are imported, or say we've "migrated" from LE4D, are the kyr/sth files even used anymore? With everthing in cache, it sounds like they are just old clutter now. Yes? |
| A |
Certstore.nsf is always checked first. See one of the previous questions for details. |
| Q |
We already configured and using "Let's Encrypt 4 Domino". What could be a reason to switch to this "similar" system? |
| A |
CertMgr is fully integrated into Domino and offers functionality only a native Domino application can provide. For example integration into internet servertasks with a new TLS cache. Also it supports the full range of ACME flows and provides a flexible DNS provider interface. |
| Q |
I'm trying to understand the use case. Do I need this for a "traditional" Domino setup with only Notes clients accessing a Domino server? Is this only needed if I want to allow web/browser users to access a Domino server via https? |
| A |
Yes. TLS Credentials (x.509 certs) are only required for internet protocols like HTTPS. Notes Clients use NRPC leveraging Notes.IDs |
| Q |
Can V12 on IBM i utilize certificate management certs? |
| A |
Certificates created via CertMgr on Win64 or Linux can be used on OS400 with Domino V12. Once you replicated the certstore.nsf database, the TLS cache will be able to use the TLS Credentials. |
| Q |
How do we "enable" ECDSA? |
| A |
There is nothing to enable from a configuration point of view. Once you created ECDSA keys/certificates Domino V12 automatically uses them. You can use RSA and ECDSA keys at the same time. See the slides and the detailed information in the webinar for details. The RSA key should have the keyfile.kyr name specified to ensure requests for older clients always use the RSA key. Modern clients using SNI requests would always get the ECDSA key by default for HTTPS. |
| Q |
Does the CertMgr and certstore.nsf work in clustered environment? |
| A |
Yes there is basic support for clustering. But there is no high availability for CertMgr functionality similar to a Domino Admin server is only available once without a cluster option. |
| Q |
If you cannot allow unauthenticated port 80 traffic, can you use these providers via the manual CSR based process? |
| A |
If a provider supports a CSR flow you can use them. But Let’s Encrypt only supports automated processing. If HTTP-01 challenges are not possible, maybe DNS-01 challenges are an option which only need an outbound connection. |
| Q |
It would appear that the -MIGRATETOSERVER option requires that the servers share the directory, how do you migrate to a completely new domain? |
| A |
You would need to copy the server document from the new domain to the existing domain to allow CertMgr to re-encrypt the private keys. |
| Q |
Can the certificates be exported for use with other apps ( like apache )? |
| A |
There is no export in V12.0. As discussed in the webinar this is high on the list according to HCL. There are work-arounds described in the webinar to import a private key and just merge certificates created via CertMgr. |
| Q |
Alternatively, could the cert mgr import certificates on a schedule ( use existing certificate on OS ) |
| A |
There is currently no automation. However the same operations a manual flow could use, can be automated via agents. You just can’t import or export any private keys. As long as the integration is for certificates and CSRs it will work. |
| Q |
Why are there no video tutorials from HCL on YouTube like others provide? |
| A |
Visit the HCL Digital Solutions Academy for more information and video tutorials. There are already numerous videos. Since V12 launched just a few days ago, this is the first presentation on the topic.
In addition this webinar was the first official detailed feature presentation for the new Domino V12 certificate functionality from OpenNTF, and the academy presented by an HCL Lifetime Ambassador. You can expect more material including more material in the GitHub repository based on your feedback. |