Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.
The HCL SafeLinx community container has support to query certificates externally to merge them into the SafeLinx server PEM.
This approach would not only work with CertMgr, but also with other methods to acquire certificates.
See details here: https://opensource.hcltechsw.com/domino-container/safelinx/#server-certificate-support
You find details in the entrypoint script -> https://github.com/HCL-TECH-SOFTWARE/domino-container/blob/main/dockerfiles/install_dir_safelinx/entrypoint.sh
SafeLinx uses PKCS12 (p12), which is a well-known standard. Certbot would be just one type of solution that could be deployed by an admin if really needed. This isn't something I would expect from the vendor if most of the use cases include Domino in some way and Domino has an implementation already.
If an admin really prefers Certbot there is no direct integration needed from SafeLinx side.
The certificate just must be stored in PKCS12 format with the right password.
There are many different ways to supply certificates. Certbot is just one of them.
[ Daniel Nashed / HCL Lifetime Ambassador ]
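As an added example (not part of the thread, and not HCL or Certbot project code), here is a Certbot deploy hook in shell that repackages a renewed PEM lineage as the password-protected PKCS12 file the post above describes. `pem_to_p12`, `P12_OUT` and `P12_PASSFILE` are hypothetical names; the SafeLinx keystore path and password are not given on this page and must be supplied by the admin.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that repackages a renewed lineage as PKCS12.
# P12_OUT and P12_PASSFILE are placeholders (assumptions); point them at the
# keystore file and password file your SafeLinx configuration actually uses.

pem_to_p12() {
    lineage=$1   # directory holding fullchain.pem and privkey.pem (Certbot layout)
    out=$2       # destination .p12 file
    passfile=$3  # file whose first line is the PKCS12 password

    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 2
    [ -s "$passfile" ] || return 3

    # Refuse to package a private key that does not match the leaf certificate.
    cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] || return 4

    # Build next to the destination (mktemp creates the file mode 0600), verify
    # that it opens with the password, then rename over the old file so the
    # server never reads a half-written keystore.
    tmp=$(mktemp "$(dirname "$out")/.p12.XXXXXX") || return 5
    if openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -out "$tmp" -passout "file:$passfile" 2>/dev/null \
       && openssl pkcs12 -in "$tmp" -passin "file:$passfile" -noout 2>/dev/null
    then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        return 6
    fi
}

# Certbot sets RENEWED_LINEAGE when it runs this file as a --deploy-hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem_to_p12 "$RENEWED_LINEAGE" "${P12_OUT:?set P12_OUT}" "${P12_PASSFILE:?set P12_PASSFILE}"
fi
```

The resulting file is readable only by the user that ran the hook; adjust ownership if the SafeLinx service runs under a different account.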
It's not just about CertMgr or ACME. But SafeLinx uses a standard format -- PKCS12.
Integrations would be a lot easier if PEM would be supported.
Separate the cert from an encrypted PEM key.
I have built a couple of integrations for CertMgr and other sources.
CertMgr uses standards. Everything is PEM based, and you have PEM and PKCS12 export options.
ACME can work with redirects to any ACME client to port 80 and 443.
There are many options.
But this does not need to be CertMgr in all cases.
When you store a new P12 on a SafeLinx server (with the right password) SafeLinx will switch to the new key/cert immediately.
You can integrate CertBot and other solutions with SafeLinx.
With an own ACME integration by HCL pushing an integration with CertBot, I would not expect HCL to implement it.
But CertBot is an open source solution and pretty open. It's not more difficult to implement on your own.
I personally find CertBot too complicated.
CertMgr is much easier and flexible. But yes it is Domino based ;-)
I would like a more open Let's Encrypt support for SafeLinx instead of binding it to the Domino CertMgr.
On Linux provide a SafeLinx plugin for Certbot, so that after a renewal SafeLinx can pick up the new cert and let SafeLinx handle the anonymous ./wellknown HTTP challenge. That should not be that complicated.
On Windows use one of the widely used Windows ACME clients and provide a SafeLinx plugin, too.