HCL Domino Ideas Portal

Status Already Exists
Workspace Domino
Categories Security
Created by Guest
Created on Feb 6, 2023

Create Certificate Signing Request (CSR) via CertMgr command line

Certificate Manager allows for the creation of a CSR via the GUI, as documented at https://help.hcltechsw.com/domino/12.0.2/admin/wn_simplified_procedure_third_party_certs.html

Currently, this is not supported via the CertMgr command line.

As administrators, we would like to automate the creation of a CSR via the command line, as our internal CA does not support the ACME protocol (yet).

  • Admin
    Thomas Hampel
    Jun 9, 2023

    load certmgr -?
    will provide the command line options available as of now

  • Guest
    Mar 18, 2023

    Command-Line is just not the right way.
    This can be all done. We could document integrations in the HCL GitHub CertMgr repository:

    Please raise issues here --> https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager
    Maybe we should open the git repository for discussing ideas?
    This would then lead to more documentation once discussed.

    The interface to generate a CSR is pretty simple. As soon as the TLS Credentials document is in manual mode and submitted, a CSR is automatically generated by CertMgr.

    But the whole flow also needs the import part of the certificates. Most customers do not have fully automated flows for getting certificates.

    Here is the flow:

    • Create a TLS Credentials document in manual mode and fill out the fields

    • Submit the request

    • Get the CSR and send it to your CA

    • Get the certificates from the CA and paste them into the TLS Credentials document

    • Submit the request again

    • CertMgr will import the certificates, complete the chain with trusted roots from its trust store and validate the certificate chain and key combination

    • Once the document is in certstore.nsf of the server with access, the TLS Cache will automatically pick up the new entry in seconds

    This can be automated with scripting. But there is no one size fits all approach for an integration.

    I have not seen any customer requests for integrations. But there could be a simple integration interface like what is implemented for DNS-01 challenges.

    -- Daniel Nashed

  • Admin
    Thomas Hampel
    Feb 13, 2023
    Maybe this should be more clearly documented?
  • Guest
    Feb 6, 2023

    The CSR creation alone isn't much help. And a command-line option is not the right way to integrate from my view.
    CertMgr uses a request-based model. You can generate documents with Lotus Script and you can even use the Script Lib behind the Import/Export functionality for your own flows.

    The CSR can be created by adding all the information into the form and setting the right status.
    CertMgr will create the CSR.

    All formats in CertMgr are text-based formats (PEM) and can be added via, for example, Lotus Script.
    The CSR is also text. And even an exportable key is encrypted PEM.

    Importing a certificate can be just updating the document with the pasted PEM and setting the status of the document to submitted.

    Maybe I should add this to the agenda of my OpenNTF session this month.


    -- Daniel Nashed
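
Added example, not part of the thread and not HCL code: a pre-submit check that an automation script could run on the text a CA returns before pasting it into the TLS Credentials document in the manual flow described above. The names `check_ca_reply` and `to_pem` and the sample reply are hypothetical; the script only inspects PEM structure and does not talk to Domino, so CertMgr's own chain and key validation still applies after submission.

```python
import base64
import binascii
import re

# PEM textual encoding (RFC 7468): -----BEGIN label----- base64 -----END label-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def to_pem(label, der):
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def check_ca_reply(text):
    """Validate text returned by a CA; return only its certificates as PEM."""
    blocks = PEM_BLOCK.findall(text)
    # A BEGIN line without its matching END line means the paste was cut off.
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("truncated or malformed PEM block")
    certs = []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            raise ValueError("key material in CA reply; do not paste it")
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM block: {label}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64") from exc
        if not der.startswith(b"\x30"):  # X.509 certificates are DER SEQUENCEs
            raise ValueError("certificate is not a DER SEQUENCE")
        certs.append(der)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    # Drop surrounding e-mail or portal text and re-wrap the blocks cleanly.
    return "".join(to_pem("CERTIFICATE", der) for der in certs)


# Constructed sample: placeholder DER bytes, not real certificates.
SAMPLE_REPLY = ("Certificate issued, chain follows:\n"
                + to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
                + "\n" + to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02"))

if __name__ == "__main__":
    print(check_ca_reply(SAMPLE_REPLY))
```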