Domino 12 beta 3: CertStore and Trusted Root Certificates

Wednesday, March 31, 2021 at 3:12 AM UTC

Man, this is very intense. I am testing the 3rd beta of V12 and it's very dynamic. I posted to the forum, immediately got feedback, commented on other's posts and also got feedback. The people are very busy to check everything out - which is great!

This post is about the Certstore and the process to obtain an SSL certificate from Let's Encrypt. With beta 3 you need a valid trusted root certificate set up in this database. There are several options to get it, and this posts is about how. The documentation for this portion of beta 3 is a bit "thin", so after all the discussion this evening (this night to be honest) I thought I write my thoughts down - for you to enjoy in the morning (CEST).

Option 1 - manual import

Though the docs do not tell about the details, this process is straight forward. Navigate to LE's website to get your trusted root as a PEM file: Download the "self-signed" PEM and save it. Open it with an editor of choice. Select all and copy it to your clipboard. Open the certstore app and navigate to "Trusted Roots". Add a new trusted root doc. In the form, click "Paste certificate". Click "Submit request" and grab a coffee. Make sure that the certmgr task is running on your server. If not, start it with "load certmgr".

Option 2 - import the DXL file from Daniel

Daniel Nashed posted a DXL file in the beta forum that can be imported from the Certstore app by executing the action (menu) "Import DXL". For me this didn't work, others had no issues. Once successfully done, you will see a bunch of trusted root docs in the view.

Option 3 - the easy way

Open the beta 3 template for the Certstore app which is located in the root of your server. I suggest to use the Admin client to find it. It's called "certstore.ntf". This template also contains documents! Navigate to the "Trusted Roots" view and you will find them. Select and copy them all. Paste them into your real Certstore.nsf file and you are done. Currently the docs don't tell you this - they will with the final release, I am sure. The docs tell you to do so in the overview of what's new with beta 3, so you could easily miss this.

This is only needed if you updated from a previous beta to beta 3 and you already had this Certstore database. If you started with beta 3 (or the final product) creating a new Certstore database, the documents will be copied automatically. This should also make it's way into the documentation.

Having a trusted root is essential to obtain a valid SSL certificate from LE for your server(s), so make sure you got them.

This is what you see if you either use option 2 or 3:

Other stuff

There is a bug in the Certstore template. When you are creating a new "TLS Credential" document, you will see a button to select a server for the field "Servers with access". You should change either the template itself (and then updating your certstore.nsf) OR directly manipulate the code of this button in your database (beware of design updates!).

Find the original line in the button script

serversToAdd = ui.selectServer("", "", doc.ParentDatabase.Server, True)

and replace it with

serversToAdd = ui.selectServer(DLGPROMPT, DLGTITLE, doc.ParentDatabase.Server, True)

like the comment below suggests anyway.

Without this change you will get an error:

This bug is already filed (SPR NVENBZLUV8) and will be fixed with the GA version.

Leave a comment right here