Tutorial: How to Secure Domino Using Certmgr Task (letsencrypt)

With the stunning increase in security breaches and ongoing changes to regulations, Domino continues to provide a rock-solid, extremely secure platform to power your business. Today, I’m excited to share that with v12, we have a more secure and straight-forward way to implement TLS in Domino Server using “Let’s Encrypt.”

Before getting into that, here’s a brief background about Let’s Encrypt. Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world’s largest certificate authority, used by millions of websites.

To have a secured website, you need to have https enabled on the server. To enable https, we need a certificate from a certificate authority (CA). Let’s Encrypt is one such CA, which also uses advanced encryption techniques at zero cost.

Prior to Domino v12, OpenSSL and kyrtool tools were used to enable HTTPS for webmail. With the latest version, the certmgr task is now used to perform the same without creating any kyr files.

With Domino V12, the certstore.nsf database is used to create and generate TLS certificates using Let’s Encrypt. You can also import the certificates into the database to manage them.

Main requirements include Domino v12 server and a valid DNS (A-record) which can be accessed by the internet. The certstore.nsf, created on the admin server with the certmgr task running on the admin server, will act as a web agent which interacts with the Lets Encrypt to generate the keys. Let’s Encrypt will verify the domain name that is requested and issue one or more sets of challenges to provide the certificate.

From the Domino end, we must make sure that the DNS and port are accessible on the open internet to perform the challenges.

Below is a tutorial on creating a new certificate using Let’s Encrypt.

Prerequisite:

Domino V12 and above.
a valid DNS nameA record
Ports 80 and 443 should be open for access.

First, you need to have a certificate store database (certstore.nsf) – it will be created by default, or you can create the same using certstore.ntf. Make sure that the certificate store (certstore.nsf) is created on the admin server. Open the certificate store and you will see the existing TLS certificate details as shown below.

To generate a new TLS certificate, navigate to the certstore.nsf and select “Add TLS Certificate.”

You will be prompted with the window below where you will be providing the required details to create the certificate.

You must provide the Host names (mostly your host server name).

In this example, we set the ACME account as “LetsEncryptStaging”, a non-production server performing the challenges.

You can either choose RSA or ECDSA based on your requirement. Based on your environment provide the certificate attributes.

Once the required attributes are provided, you can submit the request.

After the request is submitted, you can see the new certificate request in the database which is yet to be processed as shown below.

The certmgr task will initiate the request and perform the challenges with the Let’s Encrypt server.

If the challenges are performed and completed, you will see the status as below.

Since you have used the staging account, you may receive a warning message as the certificate is self-signed as shown below.

Now you need to perform the same on the production ACME server – edit the document and change the ACME Account to “LetsEncryptProduction” and submit the request.