HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status Shipped
Workspace Safelinx
Created by Guest
Created on Jul 14, 2021

Let's Encrypt Certificate Exchange between Domino and SafeLinx

As Domino 12 is able to use Let's Encrypt for certificate management, enhance SafeLinx, so that it can use the certificates fetched/managed by Domino and the new Certificate Manager (CertMgr).

https://help.hcltechsw.com/domino/12.0.0/admin/wn_automating_cert_management.html

  • Guest
    Aug 20, 2023

    The HCL Safelinx community container has support to query certificates externally to merge them into the SafeLinx server PEM.

    This approach would not only work with CertMgr, but also with other methods to acquire certificates.

    See details here: https://opensource.hcltechsw.com/domino-container/safelinx/#server-certificate-support

    You find details in the entrypoint script -> https://github.com/HCL-TECH-SOFTWARE/domino-container/blob/main/dockerfiles/install_dir_safelinx/entrypoint.sh

    Safelinx uses PKCS12 (p12) which is a well known standard. Certbot would be just one type of solution that could be deployed by an admin if really needed. This isn't something I would expect from the vendor if most of the use cases include Domino in some way and Domino has an implementation already.

    If an admin really prefers Certbot there is no direct integration needed from SafeLinx side.
    The certificate just must be stored in PKCS12 format with the right password.

    There are many different ways to supply certificates. Certbot is just one of them.

    [ Daniel Nashed / HCL Lifetime Ambassador ]


  • Guest
    Jun 18, 2022

    It's not just about CertMgr or ACME. But SafeLinx uses a standard format -- PKCS12.

    Integrations would be a lot easier if PEM would be supported.
    Separate the cert from an encrypted PEM key.

    I have built a couple of integrations for CertMgr and other sources.

    CertMgr uses standards. Everything is PEM based, and you have PEM and PKCS12 export options.

    ACME can work with redirects to any ACME client to port 80 and 443.

    There are many options.

    But this does not need to be CertMgr in all cases.

    When you store a new P12 on a SafeLinx server (with the right password) SafeLinx will switch to the new key/cert immediately.

    You can integrate CertBot and other solutions with SafeLinx.

    With an own ACME integration by HCL pushing an integration with CertBot, I would not expect HCL to implement it.

    But CertBot is an open source solution and pretty open. It's not more difficult to implement on your own.

    I personally find CertBot too complicated.

    CertMgr is much easier and flexible. But yes it is Domino based ;-)

  • Guest
    Mar 1, 2022

    I would like a more open Let's Encrypt support for SafeLinx instead of binding it to the Domino CertMgr.
    On Linux provide a SafeLinx plugin for Certbot, so that after a renewal SafeLinx can pick up the new cert and let SafeLinx handle the anonymous ./wellknown HTTP challenge. That should not be that complicated.
    On Windows use one of the widely used Windows ACME clients and provide a SafeLinx plugin, too.
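
The comments above note that any certificate source works as long as the result is stored as a PKCS12 file with the right password. The following is an added example, not code from the thread or from HCL's container scripts: it converts PEM output from an ACME client into a P12 with openssl. The function names, the `server` friendly name and all file paths are assumptions; the output path and password must be the ones your SafeLinx configuration expects.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of SafeLinx or CertMgr).
# Usage: pem_to_p12 CERT_PEM KEY_PEM CHAIN_PEM OUT_P12 PASSWORD_FILE

pem_to_p12() {
    cert=$1; key=$2; chain=$3; out=$4; passfile=$5

    # Refuse to bundle a private key that does not belong to the certificate:
    # compare the public key in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # Build the bundle in a temp file next to the target (mktemp creates it
    # with mode 600) and rename it into place, so the server never reads a
    # half-written file and a failed export leaves the old P12 untouched.
    tmp=$(mktemp "$(dirname "$out")/.p12.XXXXXX") || return 1
    # The password is read from a file so it never shows up in the process list.
    if openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -name server -passout "file:$passfile" -out "$tmp"; then
        chmod 600 "$tmp" && mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Print the SHA-256 fingerprint of the leaf certificate inside a P12, to
# confirm after a renewal that the bundle holds the certificate you expect.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Run the conversion when called with the five arguments listed above.
if [ "$#" -eq 5 ]; then
    pem_to_p12 "$@"
fi
```

Called from an ACME client's post-renewal hook, this keeps the private key and the password file readable only by the account that runs the conversion.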

30 MERGED

Support of Let's Encrypt to generate and auto-update certificates

Merged
It would be great if SafeLinx could use Let's Encrypt to auto-generate and update certificates
posted by Detlev Poettgen - midpoints GmbH
about 4 years ago in Safelinx 2 Shipped